Intelligence Bulletin – India Hiring Proxy
On June 4, 2018, the Optiv gTIC Human Intelligence (HUMINT) cell contacted an India-based individual providing interview-proxy services for job applicants in the US and elsewhere. The individual provided details of his services, pricing structure, and areas of expertise, as well as a link to his Google Drive where he stored videos of previous interviews as a “proof-of-concept” of his services. This type of service is assessed to be common practice and poses a risk to information security organizations because unqualified candidates may be improperly hired.
Threat Actor and Technical Information
Optiv gTIC’s Human Intelligence (HUMINT) cell reached out to a potential threat actor that was believed to be involved in providing proxy-interviewing services. In a proxy-interviewing service, a potential job candidate, usually one applying for a remote position, hires a proxy to sit through a job interview and pretend to be the candidate. This type of service is often called upon when the actual candidate does not possess the required skills for the role or does poorly during the interview process. The candidate provides the proxy with details such as the job description, their resume, date(s) of the interview, and the names of the hiring managers who will interact with the proxy. The proxy charges the candidate based on the total number of hours spent reviewing and preparing for the interview as well as time spent during the actual interviews.
The initial contact took place over WhatsApp messenger when Optiv gTIC’s HUMINT representative sent a message to the proxy for details of their services. During the initial contact, gTIC’s HUMINT representative provided basic information including name, email address, location, and the name of the company with the open role.
The proxy actor’s name and phone number served as leads in follow-on research. It was determined that the proxy actor is also an online instructor for program and web application development (“dev ops”). “Corporate trainer,” as listed on their personal LinkedIn page, is assessed to be a reference to their proxy-interviewing service.
Figure 1: Proxy Interviewee’s LinkedIn Page
During the WhatsApp conversation, gTIC’s HUMINT representative asked about pricing, other services that could be provided, and the proxy’s skillset to ensure success in the interview. The proxy provided two URLs. One linked to their YouCanBookMe page, which included pricing information, scheduling information, and a list of skills and experiences that the proxy was familiar with and could present in interviews. The other URL was a Google Drive repository of previous interviews. The URLs for these pages were passed on to Optiv’s Malware and Countermeasures (MAC) team for further analysis and as a source of any pertinent screenshots and content. Screenshots of the YouCanBookMe page and sample interview videos were extracted from the Google Drive repository.
The proxy confirmed that the Google Drive URL was temporary and changed/updated frequently (NFI). Due to this limitation, only a handful of videos were downloaded before the URL expired and the connection was lost; however, the data collected was sufficient to observe and assess the proxy’s methods and tactics during their clients’ (candidates’) interviews. The videos obtained from the Google Drive were not labeled with any identifiable information to indicate the name of the candidate or the company with which the interview was taking place.
Figure 2: YouCanBookMe Page
Figure 3: YouCanBookMe Page, cont.
Figure 4: YouCanBookMe Page, cont.
Upon providing all pertinent information over WhatsApp messenger, the proxy attempted to call gTIC’s HUMINT representative. A gTIC HUMINT analyst answered the phone to continue to build rapport and establish confidence with the proxy actor. Based on this conversation, it was determined that the proxy was attempting to validate the trustworthiness of the analyst and to confirm their identity as well as the services being inquired about over WhatsApp. In addition, the proxy spoke to the gTIC HUMINT analyst in Hindi and inquired about their place of birth, when/why they moved to the US, their current location, and current education. The proxy expressed interest in working with the HUMINT analyst and was open to disclosing additional information as needed.
Preliminary observations of the videos pulled from the Google Drive identified the proxy actor as well as interviewing companies, which included both US and India-based companies. A large US-based cable and communications company was identified as one of the companies for which a candidate hired the proxy to sit in for their interview.
The improper hiring/placement of job applicants by proxy services will continue to pose a threat to information security companies, as well as any organization with information technology departments, as this activity is viewed as an “accepted” type of behavior in certain communities and cultures. This type of interview-as-a-service activity is likely active and prevalent in countries other than India, which broadens the landscape of this type of threat. Improper placement of candidates by these proxy interviewees can result in a reduction in productivity due to placing inexperienced or unskilled candidates into more advanced-level positions for which they are not suited. This practice also allows infiltration and access to sensitive company information and systems by insiders who may have malicious intent.
Although it is difficult to prosecute or eliminate this type of service completely due to its “acceptance” and likely prevalence in other countries, organizations are advised to: