top | item 31908874

FBI: Stolen PII and deepfakes used to apply for remote tech jobs

295 points | mikece | 3 years ago | bleepingcomputer.com

307 comments

[+] hijohnnylin|3 years ago|reply
MANAGER: “hey uh, my friend at a different company said you applied for a job there this week?”

EMPLOYEE: “uhhhhhh…. that was… uhhh… a deepfake who also stole my information?”

MANAGER: “oh okay. yeah of course you would never try to double/triple your salary by taking multiple remote tech jobs with zero oversight. my friend said it seemed so real haha. deepfake are so good now. im gonna report this to the FBI, people need to know.”

EMPLOYEE: “yea haha amazing. anyway i gotta get back to not-my-other-job”

[+] spudlyo|3 years ago|reply
I was surprised that this was a real thing when I stumbled upon the r/overemployed subreddit. Not sure how many of the folks who self-report their success in doing this are LARPers, but it's remarkable that anyone gets away with this.

I have a hard enough time attending all the meetings and completing my work in my actual job, I couldn't imagine taking on another and balancing the two somehow.

[+] vsareto|3 years ago|reply
MANAGER: "okay, now we need to make sure we never hire a deepfake. all technical interviews are now proctored with identity verification and random shocks of pain. failing to react to a shock appropriately will immediately disqualify someone from the 8th round interview"
[+] abirch|3 years ago|reply
MANAGER: We need to hire someone.

EMPLOYEE 1: We should hire Homer. He was at my last company and great.

EMPLOYEE 2: We had a Homer at my old company, he was great. But he and I worked together at a different company.

[+] roflyear|3 years ago|reply
Lots of people are doing it!
[+] tablespoon|3 years ago|reply
> While some of the deepfake recordings used are convincing enough, others can be easily detected due to various sync mismatches, mainly spoofing the applicants' voices.

> "Complaints report the use of voice spoofing, or potentially voice deepfakes, during online interviews of the potential applicants," the US federal law enforcement agency added.

Something about this doesn't smell right:

1) Don't video deepfakes require lots of high-quality input video (which is why they were often made of Obama)? Where would an attacker get this for some rando?

2) Why would voice deep-fakes even be necessary, given the interviewee is very unlikely to be known by the interviewer? I suppose it could be used to fake accents, but I don't think that would be an issue for a "remote tech job" -- just steal an identity that could plausibly have your accent.

[+] chrismarlow9|3 years ago|reply
Regarding 1, you set up a fake company and interview the candidate in multiple rounds. Record the interviews and then use them as input for deep fake.

Edit: you could also approach them as a love interest and get the video through chats.

I'd also be curious to see if there's an overlapping former employer between the candidates. If you found an archive of some employer's Zoom meetings you have all you need.

Okay I'm gonna stop before I get paranoid.

[+] jstarfish|3 years ago|reply
> Why would voice deep-fakes even be necessary, given the interviewee is very unlikely to be known by the interviewer? I suppose it could be used to fake accents,

You have it backwards-- the point is accent elimination. You don't need to sound like someone else, but you do need to not sound like someone of your own locale.

[+] mirker|3 years ago|reply
Regarding 1) and following 2) you only need to make realistic-enough video that it passes as a person and is similar enough to the target person. For example, you can have a pretrained model (e.g., using zero targeted data) and search for some configuration that is closest to the target person. You only need to match a few variables (e.g., ethnicity, gender, hair color, age) before the fake is plausible.
[+] heavyset_go|3 years ago|reply
> 1) Don't video deepfakes require lots of high-quality input video (which is why they were often made of Obama)? Where would an attacker get this for some rando?

I imagine that at some point, or even now, we can use transfer learning for deep fakes and just train existing models on a limited data set for "good enough" deep fakes.

[+] donatj|3 years ago|reply
I recently had a person using my photo and work experience to get side gigs on Upwork. A customer of theirs contacted me directly for help which is how I found out about it.

Upwork removed the profile after some prodding. I feel like I should report identity theft to the police or something but I don't know if it's worth the bother?

https://twitter.com/donatj/status/1529266972403585024

[+] __derek__|3 years ago|reply
Yes, you should report it: this person committed multiple crimes, and Upwork has a duty to avoid facilitating fraud.
[+] Nextgrid|3 years ago|reply
Reporting it is only worth it to have a paper trail in case the identity theft then brings you into legal trouble such as taking out credit in your name, etc. If they’re only using publicly-available info I wouldn’t bother.
[+] gzer0|3 years ago|reply
Why do this at all when websites such as https://this-person-does-not-exist.com/en already exist?

Available for anyone to take and utilize. I have a (hidden) suspicion that a greater proportion of LinkedIn's reported "active users" are, in fact, a group of people with these profile images and fraudulent profiles.

[+] Magi604|3 years ago|reply
I know there is a growing movement of people who are doubling up on remote jobs, trying to work two of them (or more!) at the same time to hack the income game. Surely some of these people are using deepfakes to help avoid detection that they are doing those things.
[+] cj|3 years ago|reply
This happened to me, twice, and my company is < 20 people. Of those 20, 2 had multiple jobs. We hired a guy who found us on HN Who's Hiring who turned out to be working 3 (THREE!!) full time jobs, each paying $140k+.

He quit when I started putting deadlines on work when he started falling behind. I got suspicious, reached out to his prior company's CEO to ask if he was still employed, and turns out he was! Then came the discovery of the 3rd company...

For hiring managers out there: make sure candidates have a LinkedIn profile that lists your current company as their current place of employment (both employees with 2+ jobs had their LinkedIn hidden for obvious reasons), and always run background checks that include employment verification screens.

[+] PragmaticPulp|3 years ago|reply
The deepfakes and stolen PII discussed in the article are for identity theft: The candidate steals the identity of someone with an impressive LinkedIn background and then presumably hopes that the company takes their background at face value and doesn't ask too many hard questions in the interview. The company then completes reference and background checks on the victim. They might also use this identity theft to qualify for jobs that aren't available in their location due to contractual and/or legal restrictions.

The "overemployed" people generally aren't performing identity theft like this. Having multiple jobs ranges anywhere from legal to fraud depending on contracts they've signed or how they've misrepresented themselves (it's not uncommon to see suggestions to take multiple hourly jobs and then exaggerate the number of hours worked, for example). However, adding identity theft on top would elevate what they're doing to a major crime, which is not something that would help them.

[+] z3t4|3 years ago|reply
Some jobs seem to only want you around for your experience/expertise, like baby-sitting and preventing fires. You could theoretically make everything so stable that when something fails a secondary system kicks in, and all you do is to debug when that happens and make it even more stable. Just make sure you have an excuse to not work on site or they will keep you busy with meetings, admin, and reports. But one day there will be the perfect storm and all systems on your 15 different full time jobs will go down. You could always call in sick that day, but then they would hire more ppl like you.
[+] PheonixPharts|3 years ago|reply
I find it amazing how many people in this community don't realize that there is a fairly large number of low income people who work two full time jobs to survive.

Sure they're typically hourly not salaried but that doesn't seem to be too major of a difference.

I don't even see what the issue is at all. If a person can get both jobs done fine, then who cares?

[+] throw10920|3 years ago|reply
This seems a little bit odd. Working exactly 40 hours a week is stressful enough - is it really worth it to double both your salary and your hours? I think I'd want at least 4x the salary in order to work 80-hour weeks - or is this practice mostly done by workaholics that enjoy long hours?
[+] lordnacho|3 years ago|reply
There is in fact a guy right here on HN claiming to have 10 jobs, bagging 1.5m a year.
[+] datavirtue|3 years ago|reply
"there is a growing movement of people who are doubling up on remote jobs"

Citation needed

[+] moneywoes|3 years ago|reply
Why go through all that hassle of faking another person's ID? Another resume etc
[+] dontbenebby|3 years ago|reply
What industry? Over in infosec, they seem to just do courtesy interviews to suss out if I did some ecrime the feds are sniffing about, find out they were incorrect, then not even have the common courtesy to drop the act and offer to pay me as a consultant rather than treat job interviews as fishing expeditions.
[+] sun_machine|3 years ago|reply
Only slightly related, but a Japanese friend of mine has a story of interviewing a few engineering candidates for their remote crypto company. They all applied under Japanese names, claiming they were Japanese citizens in Japan. When the interview came around, they all spoke English with a Korean accent, and when asked if Japanese would be better they admitted they could not speak Japanese. When my friend asked around it sounded like many founders in the space have encountered this profile of applicant, and many suspect these are people working for the North Korean state.

If this is indeed North Koreans trying to get remote jobs, I've been wondering if their game is:

- Getting a job for themselves to bring income to their own household
- Getting a job for themselves to bring income to the North Korean state.
- Getting a job in a crypto company with plans of figuring out vulnerabilities and siphoning funds to themselves/the state.
- Getting a job for others, and selling the service of passing the interview.

[+] crumpled|3 years ago|reply
Episode 119 of Darkness Diaries (podcast) is about North Korean crypto hackers, and it touches on that.

Basically, if you have the freedom to wander the internet, it's because the government provides your connection for their own government purposes.

[+] astura|3 years ago|reply
It's number 2 - Getting a job for themselves to bring income to the North Korean state and number 3 - Getting a job in a crypto company with plans of figuring out vulnerabilities and siphoning funds to t̶h̶e̶m̶s̶e̶l̶v̶e̶s̶/the state.

The FBI has put out a warning - https://www.theguardian.com/world/2022/may/17/dont-accidenta...

Normal people are only allowed to go online in North Korea on state business.

[+] samstave|3 years ago|reply
Without DeepFakes: I know several people in tech in the bay area who locally interviewed for contracts, got the job, then outsourced all tasks to eastern-eu folks whom they hired as a sub and project managed them.

Basically, hiring a consulting company masked as an individual.

[+] mistrial9|3 years ago|reply
From this point of view -- it says more about the "job market" and forgery-for-pay than the deepfakes .. it was one year ago I saw a video documentary on young men from various places, in the keep of handlers who charged them rent and maintenance while they applied for remote tech jobs. The handlers were shown to clean up or embellish skill sets, claim English skills or write responses for the applicants, and other fraudulent activity. Meanwhile, on the other side of that, investors have put money into hiring companies who want to follow in the Monster dot com path but more specialized skills or particular clients. The work of outsourcing is just never done it seems, and apparently pays investors and handlers well enough to do these things. Deepfakes makes it part show-business, which is not new either, really.
[+] goatcode|3 years ago|reply
I was recently approached by a firm that it seems does a similar thing to what you've described. As a native English-speaking tech professional, they wanted me to assist others in initial video interviews for tech positions. I don't know how any amount of spin or perspective could sell such a thing as anything but fraud. I honestly couldn't even put together how it would work long term, but I suppose with the nature of some remote work, it might be possible by a committed actor or agency. It's creepy as heck, and reminds me of that movie "Gattaca."
[+] taylorfinley|3 years ago|reply
Relevant twitter thread from a hiring manager who had one of these interviews: https://twitter.com/jonwu_/status/1520072367069876224
[+] whimsicalism|3 years ago|reply
Seems like scant evidence to conclude that you were interviewing a North Korea hacker but I guess many on blockchain twitter are more credulous than I am.

> The "Okay?" is a DEAD FUCKING GIVEAWAY this guy is Korean.

....right.

[+] deadbunny|3 years ago|reply
Doesn't sound like any of the techniques used in the article were used in that thread, no deep fake video, no deep faked voice. Just some Korean person (possibly) trying to gain access via remote working policies, and not very well by the sounds of it.
[+] pembrook|3 years ago|reply
Or...an example of someone writing a sensational, mostly invented story using classic twitter thread growth hacking techniques (ending each tweet on a cliffhanger, etc. etc).

I'm immediately skeptical of tales written by someone who works in "growth" and has 60k followers from writing twitter threads.

[+] quantified|3 years ago|reply
We've been very concerned earlier about what deepfaking a world leader might result in. Still a concern on that, but we can have endless amounts of additional fun with realistic deepfaking B- and C-list celebs and all "influencers" who have left enormous trails of audio and video.

Picture an adversary setting up a large deepfake campaign involving hundreds or thousands of fakes, esp coordinated with their use of the hundreds or thousands of curated social media profiles that have been raised on a media farm.

[+] mmebane|3 years ago|reply
With social media influencers, you don't even have to worry much about the deepfakes glitching - the usage of filters is rampant enough that glitches have been completely normalized.
[+] sva_|3 years ago|reply
You could probably grow a farm of deep fakes on some social media site, talking to each other about peculiar niche things using language models, and once that farm is big enough use it to shift opinions/attack. It's scary how small groups of people, or even an individual could do that.
[+] lemoncookiechip|3 years ago|reply
This is both fascinating and a scary reminder of what the future has in store for us in a deepfake world.
[+] tflinton|3 years ago|reply
I've had remote candidates in India lip sync an interview, but I don't think it was deep fakes, but rather the audio was coming from someone off screen while the person on screen was trying to mimic them.

My guess is someone was trying to help them get the job, I'm not sure to what end though and regardless, we didn't hire the person.

[+] 99_00|3 years ago|reply
1. Secure a bunch of low skill remote jobs.

2. Have low pay foreign workers work the jobs.

3. Keep 50% of the salary, give worker 50% and run health insurance scams.

[+] knodi123|3 years ago|reply
I get tons of email like "Thanks for the application, you're the kind of person we're looking for, please come interview at such-and-such a time, and bring the following documentation..."

If I was looking for entry-level QA or IT jobs, I'd probably explore one just for laughs. I suspect it's less of a hacker/pii problem, and more my own fault for having the kind of email address that random weirdos are likely to type in when they are doing something hinky on employment websites.

[+] mauriciolange|3 years ago|reply
Reading the title my first thought was "wow! they are still using these Pentium II CPUs". Then I learned what PII is...
[+] WalterBright|3 years ago|reply
Soon AI bots will be applying for remote jobs.
[+] tehjoker|3 years ago|reply
Wherever the FBI announces something you have to ask what political purpose are they trying to scare people? In this case I assume to try to give justification to managers that want to bring people back to the office using the fig leaf of concern over fraud.
[+] discordance|3 years ago|reply
The personas might be fake but the bank accounts are not. Surely that would ring alarm bells?
[+] johndhi|3 years ago|reply
I'm not sure this is a greater risk than currently exists with in person interviews.