The average resume contains a significant amount of personal data, and we submit it in good faith to people and companies we rarely know. This is especially true when applying for a position through a recruiting agency. While most agencies have strictly legitimate business goals, some may have malicious or ulterior motives. Therefore, a certain amount of due diligence must be exercised before submitting your resume.
A subsidiary of Shortinfosec Democorp, Shortinfosec Human Capital, publishes the following ad in the papers, on Monster.com and on Linkedin.com:
Shortinfosec Human Capital is evaluating applications for the position of
The Manager of Information Technology for a reputable Telco company.
The successful applicant must have at least 7 years' experience in Information Technology, specifically in telco IT operations infrastructure with a BSS system on Oracle Databases and IBM Storage Systems, with a minimum of 3 years' experience in a position in which he/she was responsible for team management.
We offer a very competitive compensation package.
This is an opportunity that a very large number of applicants will jump at. The ad also contains a filtering factor, which targets the position at a specific group: employees of a telco company whose Billing System database is Oracle and whose Storage System is IBM.
Within 2 weeks of the post, Shortinfosec Human Capital has the names, addresses, emails, phone numbers and entire CVs of employees of several companies that have the described infrastructure.
If Shortinfosec Human Capital is on the level, it will select a candidate and destroy all other records.
If Shortinfosec Human Capital is just a front, here are the grim options:
- The ad is a front for identifying employees who are ready to jump ship or to move to a competitor. In that case, the company that hired Shortinfosec Human Capital receives a list of its own employees, who may then be subjected to unfair treatment. In another scenario, Shortinfosec Human Capital may sell to several companies information about their respective employees who are prepared, or preparing, to leave.
- The ad is a front for a well-planned security attack. With the collected information, the attacker has a list of people who know the infrastructure, hold administrative privileges and are generally trusted by the organization. They can be further targeted for blackmail or resource theft (a laptop with corporate data), or their names can be used as references in a social engineering attack.
- The ad is a front for reconnaissance of specific infrastructure: it reveals which companies run a particular platform with known flaws, and those companies can then be singled out for a targeted attack.
Before applying for a job, especially through an ad published on the Internet, take a couple of hours to investigate the publisher. There is no silver bullet for total protection, but the following steps will help you weed out most malicious ad publishers:
- Analyze the domain name of the publishing agency: is the registered company the same as the name in the ad?
- Check when the domain was registered, and use the Wayback Machine to confirm that the web site has been consistent with their advertised line of business for at least 2 years. Be very wary of brand new companies, or of companies that have no web site.
- Check that they have a physical address, and that it has been consistent over a longer period (again, via the Wayback Machine).
- Check the job boards to see whether the same company has published other ads before.
- If you were contacted directly, try to find out how they reached you or heard about you.
- Look for a privacy statement on their web site, and even in the ad. Print out these pages and save them; if all else fails, they may be usable in legal action.
- Use LinkedIn connections to obtain referrals about the publisher's work.
- Be careful of PO Box addresses. If one is given, take extra care to confirm the company through the above 6 steps, and also contact the publisher by phone to confirm the PO Box number.
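The first three checks above (who registered the domain, how old it is, and whether the address is a PO Box) can be done against a WHOIS record. The script below is an added example, not part of the original post, showing how a job seeker might automate that part of the due diligence: it parses an already-fetched WHOIS record, flags a domain younger than the 2-year threshold the post recommends, compares the registrant organization to the company name in the ad, and flags a PO Box address. The WHOIS text, the domain and the company names in it are constructed for illustration and describe no real registration.

```python
"""Due-diligence checks on a recruiter's domain (added example).

Assumes the WHOIS record has already been retrieved, for instance with the
`whois` command, and parses that text offline. SAMPLE_WHOIS is constructed
and does not describe a real company or domain.
"""
import re
from datetime import date, datetime

# Constructed sample WHOIS output for a hypothetical recruiter domain.
SAMPLE_WHOIS = """\
Domain Name: SHORTINFOSEC-HC.EXAMPLE
Creation Date: 2008-02-11T09:12:45Z
Registrar: Example Registrar, Inc.
Registrant Organization: Democorp Holdings Ltd
Registrant Street: PO Box 4412
Registrant City: Anytown
Registrant Country: US
"""

MIN_AGE_DAYS = 2 * 365  # the post's "consistent for at least 2 years" threshold

LEGAL_SUFFIXES = {"ltd", "inc", "llc", "gmbh", "corp", "co", "plc"}


def parse_whois(text):
    """Extract the fields the checks need; a missing field maps to None."""
    fields = {}
    for key in ("Creation Date", "Registrant Organization", "Registrant Street"):
        pattern = r"^%s:\s*(.+)$" % re.escape(key)
        match = re.search(pattern, text, re.MULTILINE | re.IGNORECASE)
        fields[key] = match.group(1).strip() if match else None
    return fields


def normalize_name(name):
    """Lower-case a company name and drop punctuation and legal suffixes so
    'Democorp Holdings Ltd' compares equal to 'democorp holdings'."""
    cleaned = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    tokens = [t for t in cleaned.split() if t not in LEGAL_SUFFIXES]
    return " ".join(tokens)


def assess_recruiter_domain(whois_text, advertised_name, today):
    """Return the parsed creation date and a list of human-readable findings.

    An empty findings list means the record passed these three checks; it is
    not proof of legitimacy, only the absence of the red flags tested here.
    """
    fields = parse_whois(whois_text)
    findings = []

    # Check 1: domain age. Young domains are a red flag per the post.
    created = None
    if fields["Creation Date"]:
        created = datetime.strptime(fields["Creation Date"][:10], "%Y-%m-%d").date()
        age_days = (today - created).days
        if age_days < MIN_AGE_DAYS:
            findings.append("domain younger than 2 years (%d days old)" % age_days)
    else:
        findings.append("no creation date in WHOIS record")

    # Check 2: does the registrant match the name used in the ad?
    org = fields["Registrant Organization"]
    if not org:
        findings.append("registrant organization hidden or missing")
    elif normalize_name(org) != normalize_name(advertised_name):
        findings.append("registrant '%s' differs from advertised name '%s'"
                        % (org, advertised_name))

    # Check 3: PO Box instead of a physical address.
    street = fields["Registrant Street"] or ""
    if re.search(r"\bp\.?\s*o\.?\s*box\b", street, re.IGNORECASE):
        findings.append("PO Box address: confirm by phone before sending a CV")

    return {"created": created, "findings": findings}


if __name__ == "__main__":
    result = assess_recruiter_domain(SAMPLE_WHOIS, "Shortinfosec Human Capital",
                                     date(2010, 3, 1))
    for finding in result["findings"]:
        print("- " + finding)
```

Run against the constructed record, the domain is old enough, but the registrant name does not match the agency name in the ad and the address is a PO Box, so two findings are reported. Real WHOIS output varies by registrar and TLD and is often redacted, so treat a missing registrant field as a finding to follow up on, not as a parsing error.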
Talkback and comments are most welcome