As a developer you generally think that you’re a pretty smart person and that you’re never going to fall for one of these “dumb” social engineering schemes. The Contagious Interview is an attack that most never see coming. In the article below we’ll break down the steps in this attack in an understandable way.

An Innocent Job Offer

The Contagious Interview starts innocently enough. As a developer you get a ping on LinkedIn, and a recruiter from an American AI startup asks if you would consider working with them. Sure, you say, and ask about salary. They’re offering 210K per year, which sounds pretty good to you. You’ve been doing DevOps development for an SAP consultancy for the past few years and you’re open to something new. This new opportunity is pretty lucrative: you’re a little bored and the salary would be a significant raise.

So far so good – the next step in the interview process is a video interview with an HR manager from Oklahoma. You book the interview and spruce up your CV beforehand. You’re ready for anything they can throw at you, including, naturally, a coding challenge. The day of the interview comes and you click the link for the Google Meet. Something strange happens though. It looks like Google Meet has an error. There’s a popup telling you to “try fix”, which you click. It then tells you to press the Windows key and Control+V. You’re excited to get on with the interview and annoyed at the technical problem, so you press the keys as instructed.

Pwned

You don’t know it yet, but that innocent click on “try fix” copied a malicious command to your clipboard from the counterfeit version of Google Meet that the hackers built to trick you. The command the website placed on your clipboard downloads and installs two malware packages from a North Korean cybercrime command and control server. When you pressed the Windows key and Control+V, that invisible command executed. Now they’re on your machine. You’re what’s known as “pwned” within hacker circles: it means that they’ve penetrated your defenses. From there they’re going to try to move laterally through your network to exfiltrate, or steal, information from your colleagues and your infrastructure. Unluckily for you, that means the blast radius might include your customers’ operations too. As a DevOps pro you’re responsible for the keys to the infrastructure – now a bunch of that infrastructure is vulnerable. This is a real attack that’s been documented in detail here.

Steps in the Contagious Interview

The core of this hack combines a social engineering attack with malware installation.

Step 1: Hackers prey on your greed – the job offer is really attractive and looks really legit.

Step 2: Hackers manipulate you into running unknown software as part of the “interview process”.
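The fake meeting page in the “Pwned” section and Step 2 above both hinge on one trick: a click handler that writes a shell command to the clipboard and then coaxes the victim into pasting it. As an added example that is not code from the original article, here is a small heuristic scanner for that pattern; both HTML samples are constructed, and the copied command in the fake page is an inert placeholder.

```javascript
// Added example (not from the original article): flag HTML where a click handler writes a
// shell-like command to the clipboard and the page nudges the user to paste it. Heuristic only.

// Clipboard-write APIs a page can call from a click handler.
const CLIPBOARD_WRITE = /navigator\.clipboard\.writeText\s*\(|execCommand\s*\(\s*['"]copy['"]\s*\)/i;
// Tokens that suggest a string literal is meant to be run by a shell rather than read by a human.
const SHELL_HINTS = /\b(powershell|pwsh|cmd(\.exe)?|mshta|curl|wget|iex|Invoke-Expression|bitsadmin|certutil)\b/i;
// Lure phrases that steer the victim towards the Windows key / Ctrl+V paste.
const LURE_HINTS = /(win(dows)?\s*(key|button)?\s*\+\s*r\b|ctrl\s*\+\s*v\b|try\s*fix)/i;

function extractStringLiterals(source) {
  // Every single-, double- or backtick-quoted literal; escapes are skipped, which is enough here.
  const out = [];
  const re = /(['"`])((?:\\.|(?!\1)[^\\])*)\1/g;
  let m;
  while ((m = re.exec(source)) !== null) out.push(m[2]);
  return out;
}

function analyzePage(html) {
  const findings = [];
  const writesClipboard = CLIPBOARD_WRITE.test(html);
  if (writesClipboard) findings.push('clipboard-write');
  const shellLiterals = extractStringLiterals(html).filter((s) => SHELL_HINTS.test(s));
  if (shellLiterals.length > 0) findings.push('shell-like-literal');
  if (LURE_HINTS.test(html)) findings.push('paste-lure');
  // A clipboard write of shell-like text is the signature; the lure text only raises confidence.
  const verdict = writesClipboard && shellLiterals.length > 0 ? 'clickfix-suspect' : 'benign';
  return { verdict, findings, shellLiterals };
}

// Constructed fake meeting-error page; the copied command is an inert placeholder, not a payload.
const SAMPLE_FAKE_MEET = `
<div class="err">Microphone error. <button onclick="fix()">Try Fix</button></div>
<script>
function fix() {
  navigator.clipboard.writeText('powershell -NoProfile -Command "Write-Output constructed-sample"');
  alert('Press the Windows key, then Ctrl + V and Enter to apply the fix');
}
</script>`;

// Constructed benign page: a share button that copies a meeting link also writes the clipboard.
const SAMPLE_BENIGN = `<button onclick="navigator.clipboard.writeText('https://meet.example.com/abc-defg-hij')">Copy link</button>`;

console.log(analyzePage(SAMPLE_FAKE_MEET).verdict, analyzePage(SAMPLE_BENIGN).verdict);
```

A legitimate “copy link” button writes the clipboard too, so the verdict only fires when the copied text itself looks like something a shell would run.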

Variants on the Attack Vector

The North Korean Lazarus Group has iterated on this attack, and some newer variants involve video interviews with “prospective employers” who are actually deepfakes. The attackers look and sound like they’re from the country they’re pretending to be from. They are, however, using “face swapping” and “voice swapping” technology to mask their real faces and voices. This is particularly persuasive because they’re able to conduct a “real interview” and to persuade you during it to install “open source” software for the coding interview.

Usually they’ve cloned a real open source repository, such as an NPM package, and contaminated it with malware. As soon as the developer installs it (usually via a curl command), the same result occurs and the malware executes.

Many users wouldn’t even know that anything was wrong until weeks later, when they find drained financial accounts, ransomware locking off access to critical business data, or account takeovers across the organization.

How to Protect Yourself from the Contagious Interview

  1. Treat cold approaches from people you’ve never physically met as potentially malicious.
  2. Check the links for video calls and calendar invites by hovering over them before clicking. This practice lets you inspect the website you’re navigating to before you navigate there.
  3. If a link looks a bit strange it probably is – don’t click through. google.com is not the same as go0gle.com, for example. If your suspicions get activated early you can stop the scam before you even get to the point where the malware comes into play.
  4. Last but not least – never execute any code, or undertake actions that could download and execute code, as part of an interview.
    • This last point defeats both of the variants above, but it requires the awareness that “Windows key” and “Control + V” could execute code from the clipboard.
    • In the variant scenario, it requires the awareness that deepfakes exist and that “open source” software from an unknown source may contain malware.
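Points 2 and 3 above (hover, then compare the hostname against what you expect) can be turned into a check you run before clicking. The function below is an added example, not code from the original article; the allowlist of meeting hosts is an assumption to adapt to your own tooling, and every URL in it is constructed.

```javascript
// Added example (not from the original article): classify a meeting or calendar link by its
// hostname, flagging lookalikes such as go0gle.com vs google.com. Allowlist is an assumption.
const EXPECTED_HOSTS = ['meet.google.com', 'zoom.us', 'teams.microsoft.com'];

// ASCII confusables often used in lookalike hostnames: digit-for-letter swaps, 'rn' for 'm', 'vv' for 'w'.
const CONFUSABLES = { '0': 'o', '1': 'l', '3': 'e', '5': 's', '7': 't', rn: 'm', vv: 'w' };

function normalizeHost(host) {
  let h = host.toLowerCase();
  for (const [from, to] of Object.entries(CONFUSABLES)) h = h.split(from).join(to);
  return h;
}

// Naive registrable domain: the last two labels, which is enough for the allowlist above.
function registrableDomain(host) {
  return host.split('.').slice(-2).join('.');
}

function matchesExpected(host, expected) {
  return host === expected || host.endsWith('.' + expected);
}

function checkInviteLink(url) {
  let u;
  try { u = new URL(url); } catch { return { verdict: 'invalid', reason: 'not a parseable URL' }; }
  if (u.protocol !== 'https:') return { verdict: 'suspicious', host: u.hostname, reason: 'not https' };
  const host = u.hostname;
  // The URL parser already converted Unicode labels to punycode, so homoglyph hosts show up as xn-- labels.
  if (host.split('.').some((label) => label.startsWith('xn--'))) {
    return { verdict: 'suspicious', host, reason: 'internationalized (punycode) label' };
  }
  if (EXPECTED_HOSTS.some((e) => matchesExpected(host, e))) return { verdict: 'ok', host };
  const norm = normalizeHost(host);
  const impersonated = EXPECTED_HOSTS.find(
    (e) => matchesExpected(norm, e) || registrableDomain(norm) === registrableDomain(e),
  );
  if (impersonated) return { verdict: 'lookalike', host, impersonates: impersonated };
  // Anything else, including "meet.google.com.<attacker-domain>" subdomain tricks, is not approved either.
  return { verdict: 'unknown', host };
}

console.log(checkInviteLink('https://meet.go0gle.com/abc-defg-hij'));
```

Only `ok` means the link goes where you expect; `unknown` is not a pass, it just means the host matched neither the allowlist nor a known lookalike pattern.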

If in Doubt: vali.now

Your best defense is healthy skepticism. If something seems just a little off or a bit too good to be true – it probably is. Your best option is to forward the details to help@vali.now. Our cybersecurity professionals have been recognizing and fighting off such attacks for decades. Your first case (up to one hour of research) on our side is free with affordable rates after that. You’ve got nothing to lose and you might just prevent catastrophic losses by reaching out.
