Security BSides 2025

Fake Hires, Real Threats: When Background Checks Aren't Enough

Security BSides San Francisco · 28:51 · 245 views · 10 months ago

This talk details the rise of sophisticated social engineering attacks where malicious actors use synthetic identities and stolen credentials to infiltrate organizations as remote employees. The speaker analyzes the lifecycle of these 'fake hire' campaigns, from initial application through to the deployment of malicious tools and exfiltration of company data. The presentation provides actionable mitigation strategies for HR and security teams, including enhanced monitoring of new joiners and rigorous verification of remote onboarding processes. The session highlights the critical need for cross-departmental collaboration to detect and prevent these insider threats.

Beyond the Background Check: How Synthetic Identities Infiltrate Engineering Teams

TLDR: Malicious actors are bypassing standard hiring processes by using synthetic identities and stolen credentials to land remote engineering roles. These attackers leverage AI-generated resumes and coordinated networks to pass technical interviews before deploying malware and exfiltrating sensitive data. Security teams must move beyond basic identity verification and implement rigorous, cross-departmental monitoring for new hires to detect these sophisticated insider threats.

Traditional hiring pipelines are built on a foundation of trust that no longer holds against well-funded adversaries. While most security programs concentrate on the external perimeter, the most dangerous threat is often the person who just passed a background check and received a company-issued laptop. KnowBe4's 2024 disclosure is the canonical case: a remote software engineer hired under a stolen U.S. identity began loading malware onto the company laptop almost immediately after receiving it, and it was endpoint detection, not the hiring process, that caught him. This is not a theoretical risk; it is an active, ongoing campaign that exploits the inherent weaknesses of remote onboarding and identity verification.

The Mechanics of the Synthetic Hire

Attackers do not just send a generic phishing email; they build a full, persistent identity. The lifecycle of these campaigns follows a predictable yet highly effective pattern. First, the adversary establishes a synthetic identity, typically by purchasing or borrowing the identity of a real U.S. citizen. Because the name and address history belong to a real person with a clean record, a standard background check comes back clean: it verifies that the identity exists, not that the applicant owns it. The adversary then populates the identity with a professional-looking LinkedIn profile, a GitHub account with a history of commits, and a personal website, all of which are cheap to fabricate and rarely cross-checked against each other.

The technical interview process is where the deception becomes most dangerous. Attackers often use a "proxy" candidate—a legitimate, skilled developer who performs the technical assessment and interview rounds on behalf of the malicious actor. Once the offer is accepted and the laptop arrives, the proxy is swapped out for the actual threat actor, who then begins the process of establishing a foothold in the environment.

Identifying the Anomalies

Detecting these threats requires looking for behavior that deviates from a normal new hire. During interviews, watch for candidates who refuse to appear on camera, or whose video feed shows consistent latency or audio that is out of sync with their lip movement. That pattern is consistent with the candidate's camera and microphone being relayed through a remote desktop session or a virtual machine, either to hide their true location or to let a proxy listen in and feed them answers. A long, uniform pause before every answer, followed by an unusually polished response, points the same way.

Excessive background noise is another red flag. If a candidate is constantly surrounded by other voices or sounds that suggest a "laptop farm" environment, it is a strong indicator that they are part of a coordinated operation.

From a technical perspective, the most reliable signal is the infrastructure the candidate connects from during interviews and onboarding. Most meeting platforms record each participant's IP address; Zoom, for example, exposes it per participant in the admin dashboard's meeting reports. Pull those records for every interview round. Attackers routinely use VPNs to mask their location, but they frequently fail to account for the reputation of the exit node they pick: a commercial VPN range, a hosting provider, or a country that contradicts the resume. If a candidate claims to be based in the U.S. but the connection originates from a known high-risk range in another country, that is an immediate, non-negotiable reason to pause the process. Geolocation is noisy enough (mobile carriers, corporate proxies) that the right response is a pause and a verification call rather than an automatic rejection, and the comparison should be run across all rounds: a candidate whose connection country changes between the technical interview and the first day of onboarding is showing the proxy-handoff pattern described above.

The Role of Third-Party Integrations

Many organizations rely on third-party platforms like Greenhouse to manage their recruiting pipeline. These integrations are a massive, often overlooked, attack surface. Attackers know which platforms are most popular and will specifically target them to gain access to internal communications or to manipulate the candidate data.

If you are a security researcher or a pentester, examine how your organization handles these integrations. Does each one hold an API token scoped to the least privilege it needs? Is there an audit log for every change to a candidate's profile, and for every application that arrives through the integration? In one recent case, an organization found that a large share of its fake candidates had arrived through a single third-party sourcing integration. Removing that integration cut off the primary channel for the malicious applications. That finding is only possible if the application source is recorded alongside the candidate and correlated with the anomalies flagged during interviews.
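The connection-log check from the previous section and the source-attribution finding above, as one added example (this is not code from the talk or from any hiring platform). It assumes a meeting-platform participant export with the columns shown and an IP intelligence table mapping ranges to country and category; both are constructed here from RFC 5737 documentation ranges, made-up candidate IDs and hypothetical sourcing-integration names. In production the table would be a geolocation/reputation feed and the export would come from the meeting platform's admin reports.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed IP intelligence table: (CIDR, country, category). A real
# deployment would query a geolocation/reputation feed; these are RFC 5737
# documentation ranges, so no real network is implied.
IP_INTEL = [
    (ipaddress.ip_network("192.0.2.0/24"), "US", "residential"),
    (ipaddress.ip_network("198.51.100.0/24"), "US", "hosting"),     # VPS / datacenter
    (ipaddress.ip_network("203.0.113.0/25"), "DE", "vpn"),          # commercial VPN exit
    (ipaddress.ip_network("203.0.113.128/25"), "BR", "residential"),
]

# Constructed participant report in the shape a meeting platform exports:
# one row per interview session a candidate joined. The "source" column is
# the hypothetical ATS sourcing integration the application came through.
PARTICIPANT_REPORT = """\
candidate_id,stated_country,source,session,ip
C-1001,US,linkedin_inbound,screen,192.0.2.10
C-1001,US,linkedin_inbound,tech1,192.0.2.11
C-1002,US,sourcer_x,screen,203.0.113.5
C-1002,US,sourcer_x,tech1,198.51.100.40
C-1003,US,sourcer_x,screen,198.51.100.7
C-1003,US,sourcer_x,tech1,198.51.100.7
C-1004,US,referral,screen,192.0.2.50
C-1005,US,sourcer_x,screen,203.0.113.200
"""


def lookup(ip):
    """Return (country, category) for an address, or ("??", "unknown")."""
    addr = ipaddress.ip_address(ip)
    for net, country, category in IP_INTEL:
        if addr in net:
            return country, category
    return "??", "unknown"


def flag_sessions(rows):
    """Reasons to pause a candidate, derived from all of their sessions.

    Checks: connection country contradicts the stated location; the exit
    node is a VPN or hosting range; the country changes between rounds
    (a proxy candidate and the real actor rarely sit in the same place).
    """
    reasons = []
    countries = set()
    for row in rows:
        country, category = lookup(row["ip"])
        countries.add(country)
        if country != "??" and country != row["stated_country"]:
            reasons.append(f"{row['session']}: country {country} != stated {row['stated_country']}")
        if category in ("vpn", "hosting"):
            reasons.append(f"{row['session']}: {category} range {row['ip']}")
    known = countries - {"??"}
    if len(known) > 1:
        reasons.append("country changed between sessions: " + ",".join(sorted(known)))
    return reasons


def analyze(report_text):
    """Map every flagged candidate_id to its list of reasons."""
    by_candidate = defaultdict(list)
    for row in csv.DictReader(io.StringIO(report_text)):
        by_candidate[row["candidate_id"]].append(row)
    flagged = {}
    for cid, rows in by_candidate.items():
        reasons = flag_sessions(rows)
        if reasons:
            flagged[cid] = reasons
    return flagged


def attribute_by_source(report_text, flagged):
    """Per sourcing integration: (flagged candidates, total candidates, ratio)."""
    candidates_by_source = defaultdict(set)
    for row in csv.DictReader(io.StringIO(report_text)):
        candidates_by_source[row["source"]].add(row["candidate_id"])
    out = {}
    for source, cids in candidates_by_source.items():
        hits = len(cids & set(flagged))
        out[source] = (hits, len(cids), hits / len(cids))
    return out


if __name__ == "__main__":
    flagged = analyze(PARTICIPANT_REPORT)
    for cid, reasons in flagged.items():
        print(cid)
        for reason in reasons:
            print("   ", reason)
    for source, (hits, total, ratio) in sorted(attribute_by_source(PARTICIPANT_REPORT, flagged).items()):
        print(f"{source}: {hits}/{total} candidates flagged ({ratio:.0%})")
```

On the constructed data, every candidate that came through `sourcer_x` is flagged while the referral and inbound candidates are clean, which is the shape of the finding described above. The per-session reasons are deliberately kept as text so that a recruiter can read them on the verification call; the country-change check is the one that catches the proxy handoff even when each individual session looks plausible.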

Defensive Strategies for the Modern Enterprise

Defending against this requires a shift in how we view onboarding. First, stop relying solely on automated background checks. They confirm that an identity exists and has no criminal record; they do not confirm that the person on the video call owns it. Add a mandatory in-person or high-fidelity video verification step for every new hire, in which the candidate presents government ID on camera and is compared with the person who attended the interviews. If you ship hardware, reconcile the shipping address with the candidate's stated home address and with the interview connection data. A candidate who suddenly needs the laptop sent to a different address, or to a third party or local delivery service who will forward it, is describing a laptop farm, and that is a critical warning sign.

Finally, empower your interviewers. They are your first line of defense. Give them the authority to end a call if they feel something is off. They do not need to confront the candidate; they just need to know that they have the backing of the security and HR teams to flag the interaction for further investigation.

The threat of the "fake hire" is a direct challenge to the way we build and scale engineering teams. It forces us to acknowledge that our trust-based systems are vulnerable. By tightening our verification processes and fostering better communication between security, HR, and engineering, we can make it significantly harder for these actors to gain a foothold. The goal is not to create a culture of suspicion, but to ensure that the people we bring into our environments are exactly who they claim to be.
