Hacking The Recruiting Process

Scenario:


I am the evil researcher from Red Spear APT run by the Kawnajipuntata Government of Bobsildingledorf.

For more information, please see: meepingcomputer.com or BerksOnSecurity.ninja


My task is to infiltrate as many executives of American mega-corporations as possible, with the intent of gaining remote access to their systems. General Ashwensday will pay me the following amounts:

  • 2.00 for every email address (of an executive)
  • 2.00 for every birth date (of an executive)
  • 2.00 for every city (of an executive)
  • 2.00 for every school (of an executive)
  • 0.50 for every phone number (of an executive)
  • 0.50 for every school (of an executive)
  • 2.00 for every IP address (of an executive)


So, I begin...

My focus is to pretend to be a recruiter for a mid to large size organization. Obtaining an email address from a larger org is harder - so I will start by social engineering a mid-sized org that pays less attention to information security (presumably staffed by a younger IT department, and managed by a retirement-ready tenured male).

The approach works, and in less than 24 hours I have obtained an email address from one of the numerous orgs I contacted, via a "sales person" who works there - hoping to win business from a newly formed 1,000-person company (it's an MSP, to be honest).

Now!!! The fun begins with posting jobs for an "Emerging and Growth Accelerated Company" focused on dominating the market during the upcoming recession, thanks to our unique "recession proof" go-to-market strategy.

Job Posting:



WELCOME! We are a fast growing and expanding technology-based company that has found a unique way to serve thousands of customers with a newly patent-pending program. Not only is it recession proof - but we cannot keep our products on the shelf.

If you would like to work in a fast moving, market driven, culturally diverse environment that rewards you just for being you EVERY SINGLE DAY: Join Us!!

We are looking for Sr. Executives to join our team ASAP! Although these are not our only needs, we are currently focused on the following positions:

Chief Operations Officer (with technology experience)

Sr. Vice President of Technology for North America

Global CISO (we just entered Europe and Asia)

Senior Field Network Engineers (20 - to support our customer acquisition)

more....send us your resume, and if there is a fit - we will DEFINITELY reach out to you!




Now, all those resumes come pouring in, with almost all of the data I need (I use a browser-based tool to find your exact birth date from your name and location), then Maltego (on my free Kali system) to find all of the phone numbers.

Other recon tools I use to verify your resume are Facebook, LinkedIn, Twitter and Google - just to name a few. I LOVE all those 20 questions you answered with your friends... copying and pasting, sharing and reposting, retweeting and commenting.

Website: www.Facebook.com

From here, I simply follow my resume-providing fools - many of whom actually get hired at fairly decent firms, a few even at places like Google, Apple and Cisco!! Score 5 points for the Bad Guys!!! w00t!

In the application forms I cleverly crafted questions to get even more information, disguised as "Interview Questions". Here are a few:

1) Tell me about a time in your past you had to overcome a conflict. What happened and what did you do? (I get the most memorable "conflicts" here - which are often used in passwords)

2) How did you come across our job posting? (this shows me where to put more effort in researching you - path of least resistance)

3) Tell me about your favorite hobby - and why you enjoy it. (hobby related passwords are very common)

4) We have a "bring your dog to work" day once a month - would you be bringing your dog - and what is their name? (pet names are often used in passwords)

5) Do you have any obligations that would be placed before your career? (looking for answers about family, religion, country)

6) We will issue you an AT&T work cell phone - are you currently with AT&T, or Verizon? (knowing your cell phone carrier means less digging to find it, which could leave breadcrumbs - and assures I am ready to clone your phone if need be... for the 2FA your org requires /text based of course/)


Here is what I know about John Doe:

  • Born January 13th, 1981 in Green Bay, Wisconsin
  • Email address John.Doe @ hmail . com
  • Lives at 123 45th Street, Apartment 67 - Chicago, IL
  • John absolutely LOVES pizza (why he moved to Chicago 3 years ago)
  • John's favorite color is Yellow (because it is the color of sunshine)
  • John's first car was a 1988 Toyota Celica - beige in color
  • John's mother's maiden name (Facebook is an AMAZING website) is Smith
  • John has worked for: Levits, Dillards, Target, Walmart and now: ______
  • John loves to fish, mostly for crappie and bass from his kayak
  • His phone number is a Verizon Galaxy 33Z - 312-555-1212
  • His wife has: 312-555-1313 and also a Galaxy 33Z
  • His IP address at home is: WAN 105.105.8.8 || LAN 192.168.0.4 || GW: 192.168.0.1
  • John has 3 kids: Jack Jim and Janet
  • John's wife is: Janelle (maiden name Taylor... thanks, FB)
  • John posted about his previous wife on Facebook 13 years ago, who died of Cancer while pregnant with little baby Jack.
  • John is a Chicago Bears fan - and boasts about it to his father when the Bears beat the Packers.
  • Passwords figured out: Jane143!! / BearsForever / Password123
  • PIN for his Debit Card (BofA) 12312312
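The "interview questions" above harvest exactly the facts (pets, hobbies, team, family, birth date) that show up in the passwords listed for John Doe. As an added example that is not part of the original article, here is a small Python check a defender could run when a password is set, rejecting anything built from the user's own harvested profile; the profile dictionary is constructed from the article's fictional John Doe data, and the token and name-stem rules are my own assumptions.

```python
import re

# Constructed from the article's fictional John Doe profile (not a real person).
JOHN_DOE = {
    "names": ["John", "Doe", "Janelle", "Taylor", "Jack", "Jim", "Janet", "Smith"],
    "keywords": ["pizza", "Bears", "Packers", "crappie", "bass", "kayak",
                 "Celica", "Yellow", "Chicago", "Green Bay", "Verizon"],
    "birthdate": (1981, 1, 13),
}
# A tiny stand-in for a real breached/common password list.
COMMON = ["password", "letmein", "welcome", "qwerty"]


def _norm(s):
    """Lowercase and drop everything that is not a letter or digit."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def personal_tokens(profile):
    """Harvested facts as comparable tokens; words shorter than 4 chars are skipped."""
    toks = set()
    for word in profile["names"] + profile["keywords"]:
        for part in word.split():
            n = _norm(part)
            if len(n) >= 4:
                toks.add(n)
    y, m, d = profile["birthdate"]
    toks |= {str(y), f"{m:02d}{d:02d}", f"{d:02d}{m:02d}"}  # 1981, 0113, 1301
    return sorted(toks)


def password_problems(password, profile):
    """Return the reasons a password is tied to the profile; [] means none found."""
    pw = _norm(password)
    problems = []
    toks = personal_tokens(profile)
    # 1. A harvested fact appears verbatim inside the password ("BearsForever").
    for t in toks:
        if t in pw:
            problems.append(f"contains personal token '{t}'")
    # 2. A letter run of the password is the stem of a harvested name,
    #    which catches "Jane" built from Janelle or Janet ("Jane143!!").
    for run in re.findall(r"[a-z]{4,}", pw):
        for t in toks:
            if t.isalpha() and t != run and t.startswith(run):
                problems.append(f"'{run}' is a stem of personal token '{t}'")
    # 3. Plain common passwords ("Password123").
    for c in COMMON:
        if c in pw:
            problems.append(f"contains common password '{c}'")
    return problems
```

Leet substitutions (j4ne, b3ars) are not normalized here; a production check would fold those before comparing.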



About every 6 months I send John an email asking if I can submit him for XYZ position, and to review the resume "we have on file" for him. That resume is the one he sent last, but we have embedded a free tracking cookie provided by Canary Tokens. If the resume review does not work, we send other things to tempt him (a picture of his wife at the Cheesecake Factory is always a winner).


Mind you, I am working about 150 different "candidates" with very similar results!

Site: https://www.TruePeopleSearch.com



AFTERTHOUGHTS

While the names and information have been made up - this is actually happening. It causes so many problems for actual hiring managers and recruiters that it makes it extremely difficult to get anyone in front of their direct clients.

The other issue this creates is that an employee is most likely already compromised before they even sign all the HR documents. Some of them might even be granted a DA (Domain Administrator) account.

In a day when we have access to SO MUCH INFORMATION - we really need to pay attention to what is out there about us.

On a side note, many organizations are sorting resumes based on gender, age, sex, race and even your name - whether through an ATS (the jury is still out on whether the ATS is at least partially to blame) or humans. Ask yourself... would you hire a Jack more often than a Jaquie?

Your resume and job application process contain a TON of PII (Personally Identifiable Information), PRI (Personally Reidentifiable Information) and other sensitive information, even about our families.

Recently, I created a post about my name seemingly being the reason I was passed over - so I changed the name on my resume from Sandor to Alexander. The results were astonishing, and I was not expecting that post to get more than a couple of reactions from others in my same predicament: searching for a job, or as I like to call it: The Dating Scene.

Today, it is more difficult than ever before to hunt for career positions. Products and services are making it almost too easy to become more competitive, and desirable, to hiring managers - regardless of the org type, size and location - with the added remote options and near-zero-interaction 'Easy Apply' buttons on every internet-based platform.

Finally: I am not a recruiter, hiring manager or human resources professional - nor do I in any way represent even a remote professional representation of any of those I mentioned.


I am a 30+ year experienced information security practitioner with a heavy focus on GRC, Policy, Networks and Operating Systems (mostly Linux and Windows).

Sandor S.

Securing Technology For You and HBCU

1 year

There are ways to circumvent many of these actions, however:

1) Create an email just for a hiring time frame - then delete and forget it.
2) Use a VoIP service (like Google Voice) to field interview calls.
3) Do not put any specific data in your resume (i.e., graduation date).
4) Use a 'SUDO' name on your resume (pun intended).
5) Use a VPS (free from most Cloud providers like Amazon) for Teams, Zoom and Skype calls (also use that VM only to check your hiring email account).
6) Never use passwords, or security questions/answers, that relate back to you.
7) Look into scrubbing any data on the internet you find (search engine results, social media, etc.).
8) Get a PO Box to use as your address for mail, and request that it not be listed.
9) Stop answering "How well do you know me" challenge posts on FB and Twitter!
10) Use caution when responding and replying to email and text message requests for interviews or follow-up questions (especially text messages - I cannot think of a single reason a recruiter would want to text you versus call or email).

Michael T.

Why not? - FIP, CIPP/C/E, CIPT/M

1 year

I am never applying for a job ever again! Time to go live inside a mountain. Lol
