A
You're listening to the CyberWire network, powered by N2K.
The DMV has established itself as a top tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington, D.C. area. Join us on Thursday, September 18th to connect with the leading minds shaping our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber innovation. Visit DMVrising.com to secure your spot.
And now a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world class interdisciplinary experts and gain unparalleled educational, research and professional experience in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks and a laptop, as well as providing a $34,000 additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at cs.jhu.edu/mssi.
The FTC warns one industry's online safety may be another's censorship. A new bipartisan bill aims to reduce barriers to federal cyber jobs. Murky Panda targets government, technology, academia, legal and professional services in North America. MITRE updates their hardware weaknesses list. Customs and Border Protection conducts a record number of device searches at US borders. A recent hoax exposes weaknesses in the cybersecurity community's verification methods. A Houston man gets four years in prison for sabotaging his employer's computer system. A Florida based provider of sleep apnea equipment suffers a data breach. Interpol dismantles a vast cyber criminal network spanning Africa.
Brandon Karp shares his experience with fake North Korean job applicants. And being a smooth talking English speaker can land you a gig in the cybercrime underworld.
It's Friday, August 22, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great to have you with us. Happy Friday.
The Federal Trade Commission warned US tech companies that complying with European and UK online content rules could violate American law. FTC Chairman Andrew Ferguson said following foreign censorship efforts, including the EU's Digital Services Act and Britain's Online Safety Act, may breach Section 5 of the FTC Act, which prohibits unfair or deceptive practices. He argued Americans do not expect platforms to restrict speech to satisfy foreign governments and warned against weakening encryption protections. Ferguson cited British attempts to access Apple iCloud data as an example. The warning comes amid broader U.S. criticism of Europe's regulation of online speech. Ferguson invited tech executives to discuss how they'll balance global pressures with their legal obligations to American consumers.
Lawmakers on the House cybersecurity subcommittee introduced the Cybersecurity Hiring Modernization Act, aiming to reduce barriers to federal cyber jobs by prioritizing skills over degrees. Sponsored by Representative Nancy Mace, Republican from South Carolina, and Representative Shontel Brown, a Democrat from Ohio, the bipartisan bill seeks to expand the talent pool at a time of rising cyber threats. Mace said the bill would cut red tape and allow skilled applicants without four year diplomas to serve, while Brown called expanding the workforce imperative for secure systems. The bill directs the Office of Personnel Management to track and report changes to education requirements and collect data on new hires' backgrounds. Agencies could still require degrees if mandated by law or if education is directly tied to job competencies.
Since 2023, CrowdStrike has tracked Murky Panda, a China linked cyber adversary targeting government, technology, academia, legal and professional services in North America. The group is highly cloud focused, conducting trusted relationship compromises and exploiting Internet facing appliances for initial access. They rapidly weaponize n-day and zero day vulnerabilities, including Citrix and Commvault flaws, and use tools like the Neo-reGeorg web shell and their custom malware CloudedHope to maintain persistence. Murky Panda has compromised SaaS providers and Microsoft cloud solution partners to move laterally into downstream customers, often exfiltrating emails and sensitive documents. They employ strong operational security by altering logs and timestamps to avoid detection. CrowdStrike assesses their activity as espionage driven, aimed at intelligence collection, and warns that cloud heavy organizations remain especially vulnerable to these advanced operations.
MITRE has released an updated CWE Most Important Hardware Weaknesses list, first published in 2021, to reflect evolving hardware security challenges. The 2025 version highlights 11 key weaknesses, including six new entries, while retaining five persistent flaws such as improper debug access and memory protection issues. Topping the list is CWE-226, Sensitive Information in Resource Not Removed Before Reuse, which risks exposing data if memory or resources aren't properly cleared. MITRE stresses that hardware flaws propagate upward, limiting software and firmware mitigations.
Customs and Border Protection is conducting record numbers of electronic device searches at US borders, Wired reports. Between April and June of this year, officials searched just under 15,000 devices, a 16.7% increase over the previous high in early 2022. CBP can inspect phones, laptops and cameras without a warrant, with searches divided into basic manual checks and more invasive advanced forensic extractions.
Civil liberties advocates warn this unchecked authority has a chilling effect on travelers, including journalists and lawyers with sensitive data. Device searches have risen steadily over the past decade, from 8,500 in 2015 to over 46,000 in 2024. While CBP stresses searches affect less than 0.01% of travelers, critics say new investments in forensic tools may expand advanced inspections, raising further privacy concerns.
A recent hoax has exposed weaknesses in how the cybersecurity community verifies information. A Telegram channel impersonating Europol announced a fake $50,000 reward for details on Qilin ransomware operators Haise and XORacle. Many researchers and journalists initially reported the claim before Europol confirmed it was false. The imposters later admitted the stunt was designed to troll the community and highlight poor fact checking. The incident shows how easily misinformation can spread on platforms like Telegram and the risks of relying on unverified sources. While Europol quickly debunked the claim, the episode underscored the need for stronger verification practices, better communication from law enforcement and closer collaboration among journalists, researchers and officials to prevent future disinformation campaigns from misleading the cybersecurity ecosystem.
A Houston man, Davis Lu, age 55, was sentenced to four years in prison and three years of supervised release for sabotaging his employer's computer systems, prosecutors said. Lu, a longtime employee of Eaton Corporation, deployed malicious code in 2018 through 2019 after his role was reduced. He deleted coworkers' profiles, caused system crashes and created a kill switch named after himself that locked out thousands of users worldwide. The sabotage caused hundreds of thousands in damages. Lu faced up to 10 years and plans to appeal.
CPAP Medical Supplies and Services, a Florida based provider of sleep apnea equipment, has disclosed a data breach affecting over 90,000 people, including US military members and families. Hackers accessed its systems in December 2024 for more than a week, potentially stealing Social Security numbers and protected health information. CPAP reported the breach to state authorities and HHS, but says there's no evidence of misuse. No ransomware group has claimed responsibility, raising speculation attackers may be avoiding publicity or that CPAP paid to prevent data leaks.
Interpol's Operation Serengeti 2.0 dismantled a vast cybercriminal network spanning Africa, leading to over 1,200 arrests, the seizure of $97 million and the takedown of over 11,000 malicious infrastructures. Running from June through August of this year, the operation involved law enforcement from 18 African nations, the UK, private cybersecurity firms and nonprofits. Authorities estimate the network defrauded nearly 88,000 victims, causing $485 million in losses through ransomware scams and business email compromise. Highlights include dismantling illegal crypto mining centers in Angola, a $300 million investment scam in Zambia, and a multimillion dollar inheritance fraud in Côte d'Ivoire. Interpol praised growing global cooperation, noting the operation not only disrupted cybercrime but also boosted prevention through partnerships like the InterCOP Cybercrime Prevention Network.
Coming up after the break, Brandon Karp shares his experience with fake North Korean job applicants, and being a smooth talking English speaker can land you a gig in the cybercrime underworld. Stay with us.
We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed's Sponsored Jobs helps you stand out and hire fast.
Your post jumps to the top of search results so the right candidates see it first. And it works. Sponsored Jobs on Indeed get 45% more applications than non sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring. And here at N2K CyberWire, many of my colleagues here came to us through Indeed. Plus, with Sponsored Jobs, there are no subscriptions, no long term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed, and listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com/cyberwire. Terms and conditions apply. Hiring? Indeed is all you need.
Machine identities now outnumber humans by more than 80 to 1, and without securing them, trust, uptime, outages and compliance are at risk. CyberArk is leading the way with the only unified platform purpose built to secure every machine identity, certificates, secrets and workloads across all environments, all clouds and all AI agents. Designed for scale, automation and quantum readiness, CyberArk helps modern enterprises secure their machine future. Visit cyberark.com/machines to see how.
It is always my pleasure to welcome back to the show Brandon Karp, who used to be my boss.
B
David, it's so great to come back and see you on this side of the camera.
A
That's right. So Brandon was a colleague here at N2K Cyberwire and has moved on to do bigger and better things. And one of those bigger and better things that you were chasing after was a startup of your very own. And as part of that process, you were looking to hire some folks and had experienced an interesting turn of events. What happened, Brandon?
B
Yeah, I. And this should come as no surprise to folks in this industry, but, you know, hearing these stories I think is always helpful and informative, but I caught a couple North Korean IT workers running an IT worker scam.
A
A couple.
B
A couple, yes. More than. More than one. And the surprising thing here is we weren't hiring that many people and we weren't hiring for very long. So just in the short period of time about a few weeks that we were reviewing resumes, two North. What we assumed to be North Koreans ended up in my top 10 candidate list.
A
Well, walk us through how this came to pass.
B
Sure. So we, we posted some job descriptions on, you know, a few of the standard sites that you've heard of and, you know, within. And these were technical roles, core backend engineering roles for a platform. And so, you know, pretty. Pretty sophisticated and complex technical skills that we were looking to hire. And within a few days we. We had hundreds of applicants. So we shut down the. The open job reqs and began reviewing the hundreds and narrowed probably about 200 applicants down to our top 10. And we decided we were going to interview our top 10 and ultimately hire one. And within about a week, we had that first interview. And it became quite obvious within about 5, 10 minutes of the interview that this person is not who they claim to be.
A
Okay, obvious how. What, what went down here, Brandon?
B
Yeah, well, the. I want to start actually with the resumes themselves, because the resume was perfect. It was exactly what we were looking for. It. It covered every core technology we were looking for expertise in. It covered the amount of experience that we were looking for. All of the key technologies and platforms that we were looking for this person to have experience with was bolded. So it was very obvious to the eye that this person had the expertise. That being said, it was a pretty simple resume. I wouldn't say that there was a lot of metrics, there was a lot of impact statements. It was simple black and white PDF, no additional colors. Not a whole lot going on there. And that should have been our first clue. But again, the resume of this first worker and actually the second worker too, covered everything we needed so clearly that it was. It was an easy slot in. And so it seemed like they're probably using AI systems to optimize the resumes for these applicant tracking systems to hit each of the keywords.
A
Right. And I guess it's fair to say, contextually, you're also under an avalanche of hopeful resumes.
B
Right? Hundreds. And we're reviewing these, you know, quickly to see, okay, we got all the keywords, we got the right programming languages, the right platforms, the right, you know, you. We were doing some stuff with cryptography, so they needed some. Some prior experience there. And so we invited this gentleman for an interview. And in preparation for the interview, I started looking this person up online. I looked for a LinkedIn page. No LinkedIn page. Now, not totally unusual for some of these core backend engineers. However, what I noticed is when I Googled the guy's name, there was a LinkedIn page with the right location. And then when I clicked the link on Google, it went to a "This page does not exist." So there was a LinkedIn. And then the person deleted the LinkedIn, which was another clue.
A
Okay, so you get the person on the line. What happens next?
B
Red flags. So the trend we noticed was in both of these people, and I'm using one example because this is where we really discovered the trends. Had an Anglicized first name. You know, think of, like, Frank, Albert, Ian, some sort of kind of Anglicized first name, and a Hispanic last name, which fairly usual, this person said that they were living in San Antonio, Texas.
A
So.
B
Okay, makes sense to me. And when they come on the camera, they are most certainly not Hispanic, which could be. But that was kind of a little unusual. The person was clearly Asian, and they were on camera, but they were definitely not Hispanic. And so, you know, some people might be a little uncomfortable there, but some profiling does have to occur to not get trapped by these things. But it was unusual. And when I wasn't the only one on this call from the company, we surmised at the end that they were using Hispanic last names. Hoping that some Americans aren't used to distinguishing between races very well, especially through camera, because the Hispanic name was far, you know, far enough away. Our normal use, you know, thing that we're typically used to seeing that they were potentially using that to get through your initial gut check filters.
A
Okay, interesting.
B
So the other red flag was this person wasn't showing their background, which was. Okay, you know, not everyone shows their background. But that's just kind of. As these things start to stack, it gets more and more unusual. Okay, can't find this guy online. Has a name that doesn't actually match his ethnicity. He's not showing his background, very thick accent. And something that is unique to me is I grew up with folks from South Korea. I went to school with a whole bunch of folks from South Korea, and it sounded to me like a native Korean speaker trying to speak English.
A
Oh, interesting. Okay, so just by pure luck of the draw, you had a little background expertise or at least experience on this sort of regional accent.
B
Right. And I've traveled to Korea as well, and I have a number of friends from high school and college from Korea. So I was kind of used to this, just what Korean speakers sound like when they're speaking English. And it sounded like, like that region of. Of. Of East Asia to me. The other. And this. The other red flag as we got into the interview was this person said that they had lived in LA. This person said that they had lived in New York, that they currently live in San Antonio. Myself and the other person on the interview have spent both of us a good amount of time in each of those places. And so as we're getting to know this person, we want to kind of reminisce about some of our favorite places in each of those regions. And the candidate couldn't offer any specific details about any of those regions. And so kind of one lesson learned, I think, for folks listening to this is get into the personal side a little bit. Right. Ask specifics. What was your favorite thing to do in those, you know, cities or, you know, where. Where. Where'd you like to go eat? You know, I love restaurants. I have some favorites in LA. What are some of the. Your favorites from that region? And this person couldn't offer any specifics.
A
Hmm. It's interesting to me, the high number, you know, relatively speaking, 2 out of 10. And as you said at the outset, this was not a huge dragnet for folks to be hired. This is a small startup. You're looking to hire one person. And I wouldn't have thought that the odds would have been in your favor of scooping up one, much less two of these folks.
B
And not only that, the startup itself doesn't have much of a presence online. And so that was a little unusual. And then when we were looking at the timestamps of when these folks actually applied, they applied almost immediately. So they have some system that is ready to go as soon as these things align. The other element that I would note, though, is we did conduct the technical interview. We did go through the interview. This person knew their stuff, they were actually answering quite well, some pretty technical, deep questions around cryptography and core backend systems, especially in the networking stack. And so either in real time, this person was getting fed answers, or they actually do have the knowledge to do the job, which we found fascinating.
A
Was the story pretty much the same with the second candidate?
B
Yeah. So after that first candidate and after we got off the call and we said, yeah, that, that definitely was not what we thought it was. That was an IT worker scam. And, and we actually did challenge him a little bit on where he's from. And he said, oh, I'm. I'm from the Philippines. And again, the accent wasn't Filipino. I spent a lot of time in the Navy. There's a lot of Filipinos in the Navy. Again, I know what that accent sounds like. But we said, okay, let's re. Let's look at the 10 candidates we've invited to interview again. And we found another candidate with the exact same model, the resume, very similar format, right? Simple black and white format, very simple outline, all of the key words from our job opening, bolded, covered everything we needed in a similar way, but not exactly the same way. The name, Anglicized first name, Hispanic last name. The LinkedIn profile, exactly the same situation where I looked up this person on LinkedIn, Google said there was a profile. I clicked it, it said, that profile no longer exists. They get on the call, same game, right. Gentleman who looked Asian had a Hispanic last name. The background looked like a beach scene or something like that, but it was one of the fake backgrounds. And within five minutes, similar accent. We said, we're going to actually end the interview and move on. But it was it. It checked each of those boxes.
A
Did you and your colleagues at any point doubt yourselves and wonder like, you know, is this really what's happening here? Or, you know, a little healthy skepticism of your own senses?
B
Totally. And I think that's why we went through the entire first interview, you know, a full hour with this person, you know, myself and my colleague jumped on a call right afterwards, and he kind of looked at me and said, is that what I think it was? And I said, I think it might be. And then we started running through the experience again, and we got more and more sure that what we had experienced was one of these IT worker scams. Now, we second guessed ourselves as someone who's sensitive culturally. You don't want to profile. You don't want to do things that. That, you know, necessarily maybe rejects a good qualified candidate. But at the end of the Day, when you're looking at the sum total of the evidence, how uncomfortable we were, how few specifics there were about, you know, their experiences in America. I actually did follow up with a couple of the companies on his resume that he said he worked at, and none of them had ever heard of them. And so I, I did that, though, you know, weeks after, just. It was bothering me and I wanted to double check.
A
So what are your recommendations then? I mean, if this really is that rampant. Have you been thinking about this? Have you thought of any shortcuts to weed these folks out?
B
Yeah, practically speaking. And this is hard at scale, but it has to come from that high touch, face to face, at least through a video camera, of getting into the personal specifics of, oh, I see you worked at this company. Give us some specific examples and. And the less specific they can get, the more red flags there are. Now, of course, people can make things up, so that's not a panacea. It's not a perfect solution. But that's the area. That's when we really started getting uncomfortable on the calls, when we started asking specifics, digging into this person's story, oh, why did they move to New York? Why did they move to LA? What took them to San Antonio? What took. What other things outside of work were you doing at those places? What are some of your favorite things in those places? Kind of getting to know the candidate. I think universally that'll actually make you hire better candidates in general because, you know, these are your colleagues, hopefully, and so you get to know them. But at the same time, it also will demonstrate if someone really does not know what they're talking, if someone's really from a foreign country, especially a North Korean, you know, type person who genuinely wouldn't have the cultural awareness to talk about it. Trust. Trust your gut there. That's kind of the first. The second is these automated applicant review systems at scale, people have to use them. But it's very easy now with Gen AI to build a model that is just going to send out the perfect resume. And that's what we saw. These were literally the perfect resumes. That actually could also be a signal that this isn't quite right. If you're getting a resume that is absolutely perfect, everything you want, what are the chances of that?
A
Right, right. All right, well, Brandon, thank you for sharing your experience with us. Brandon Karp is my former colleague here at N2K CyberWire and has since moved on to bigger and better things that we will talk about in the future. Looking forward to having you back, Brandon. Thanks for taking the time for us.
B
Thanks, Dave.
A
You hear from us here at the CyberWire Daily every single day. Now we'd love to hear from you. Your voice can help shape the future of N2K networks. Tell us what matters most to you by completing our annual audience survey. Your insights help us grow to better meet your needs. There's a link to the survey in our show notes. We're collecting your comments through August 31st. Thanks.
And now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allow Listing is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from ThreatLocker.
B
Shh. Hear that? Big waves are calling. Dive into refreshment with Kona Big Wave Tropical flavor and the taste of aloha in every drop this summer.
A
Don't just listen.
B
Join Kona on the Big Wave Bonfire tour. More information at konabigwave.com/BigWaveMusic. Kona Big Wave. Liquid Aloha. Copyright 2025 Kona Brewing Co., St. Louis, MO.
A
Mahalo for enjoying responsibly.
And finally, it turns out that being a smooth talking English speaker can now land you a gig in the cybercrime underworld. No resume required, just a knack for sounding like IT support. ReliaQuest says demand for English language social engineering has more than doubled since last year, with job ads hawking impersonation-as-a-service packages, coaching scripts, even tech support for your scams. Gangs like Scattered Spider and Shiny Hunters have been perfecting the art, tricking Dior, Chanel, Google and others into handing over Salesforce credentials. With AI lending crooks superpowers and nation state tactics trickling down to the masses, phishing calls have evolved far beyond prank territory. Instead of that old chestnut, "Is your refrigerator running?" it's more like, "This is Workday IT. Can I have your password?" Unfortunately, people keep saying yes.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting our insights through the end of August. There's a link in the show notes. Please take a moment and check it out. Be sure to check out this weekend's Research Saturday and my conversation with Dr. Renee Burton, VP of Infoblox Threat Intel. We're discussing their work on VexTrio, a notorious traffic distribution system involved in digital fraud. That's Research Saturday. Check it out.
N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
This episode of CyberWire Daily explores the collision between global online safety regulations and American free speech law, highlights major trends in cyber threats and law enforcement responses, and features a first-person account from Brandon Karp on detecting North Korean job applicant scams targeting startups. The episode also ends with a discussion of the rise of English speakers in the cybercrime underworld.
[02:10 - 05:00]
“Americans do not expect platforms to restrict speech to satisfy foreign governments, and any weakening of encryption would be a serious concern.”
— Andrew Ferguson, FTC Chairman [03:30]
[05:01 - 06:30]
[06:31 - 08:30]
[08:31 - 09:30]
[09:31 - 11:00]
[11:01 - 12:20]
“The incident shows how easily misinformation can spread...and the risks of relying on unverified sources.”
— Host Dave Bittner [12:10]
[12:21 - 13:00]
[13:01 - 13:30]
[13:31 - 15:00]
[15:25 - 29:17]
“The resume was perfect. It was exactly what we were looking for... That should have been our first clue.”
— Brandon Karp [17:36]
“Ask specifics. What was your favorite thing to do in those cities? … This person couldn’t offer any specifics.”
— Brandon Karp [22:00]
“When you look at the sum total of the evidence...how few specifics there were about their experiences in America… I did follow up with a couple of the companies, and none of them had ever heard of them.”
— Brandon Karp [26:52]
“If you’re getting a resume that is absolutely perfect, everything you want—what are the chances of that?”
— Brandon Karp [28:59]
[31:00 - End]