The job offer looks tempting: Software developer wanted for a Canadian firm. You have the qualifications required and the money looks right.
However, it might be a front for a criminal hacking organization or an unfriendly country. According to Daniel Tobok, chief executive officer of the Toronto-based data breach response company Cytelligence, there are 18 online job postings now for criminal organizations looking for would-be hackers in the country’s biggest city. His firm monitors job postings.
“They are recruiting for some Canadian organized crime groups, and there’s also recruitment for international criminals groups that could also be disguised as government organizations,” he said in an interview.
“Unfortunately, you don’t know until you’re actually in that it’s a front,” he said. “There’s a lot of layers. But we have seen foreign governments operating organizations here in Canada under the disguise of a foreign company. You get paid, you get your EI, you get your benefits, there are deductions.
“I’ll give you an example: There’s a tech company hiring security people and pen testers They have a product they’ve developed. After working for the company for six, nine months, you get promoted … and then you work for them for another three, four months, maybe a year. And then when they realize they can trust you, you have developed bonds, somebody’s going to pull you over and say, ‘Hey, we’ve got some special projects. Would you like to work on them?’
“They’re scoping you out. All the time you’re there they’re scoping you out: do you like the money, do you like the danger, do you want to be a criminal? They’re grooming you. That’s how they break you in. There are companies that have been doing this for five, six years in downtown Toronto.
What should young IT security job hunters do?
“One of the biggest questions you should ask is who is their parent company? Are they Canadian, U.S., from what country? I’m not saying every company out of Russia, China, Korea is a bad company, but those are some questions people should ask.”
Tobok emphasized that while many people think hacking groups are centred in the U.S. or Europe, there’s lots going on here.
He gave as an example Canadian Karim Baratov, who last year was sentenced to five years in prison and fined $2.25 million (U.S) by a U.S. judge for hacking 11,000 email accounts for Yahoo and other internet providers, some of which was done for Russia’s domestic intelligence service. His lawyers told the court Baratov didn’t know he was working for Russia for some of the hacks.
Tobok said he often speaks at Canadian universities to warn computer science students about the risk of cyber crime. There are only two futures, he suggested: One is you get caught and get sent to jail. As for the other, Tobok cited a bombed building in the Middle East that held “a whole bunch of hackers”.