In May 2022, the FTC put out a warning to job applicants about job scams. First, let me say job scams are real. I’d like to share the Graylog experience with job scams.
What Happened
It started when the Graylog HR team alerted our security team, which I oversee, about a ticket that came through our CMS from a person who had received a job offer from Graylog via email. Note that we had not recruited this person in any way.
After some investigation, it was determined that somebody registered the domain GRAYLLOG.ORG, created an Office 365 tenant, and set up an email address that looked very similar to one of a member of the Graylog people team. The malicious actor then used this email address and a phone number to solicit resumes from recruiting firms and online job boards. While reliable firms should not fall prey to these sorts of solicitations, some less reputable ones don’t care and are simply looking for a quick payday. There was also a website at the domain that redirected to our legitimate site. The member of our people team got more details, including a phone number from one recruiter that was solicited (they did not disclose any data).
The malicious actor then used the acquired resumes to contact “applicants,” providing them with an “Offer letter” and “Benefits” package. Once the recipient contacts the malicious actor, they are asked to provide an address for the delivery of a check to pay for office equipment. Upon receiving the check (which is fake) the victim is told to deposit the check and immediately use Zelle to send payment to multiple vendors. Those “vendors” are really scammers.
We were able to stop this by doing the following:
- Contacting the domain registrar and having them suspend domain services effectively blocking DNS and email
- Submitting an abuse complaint with the domain registrar’s legal department
- Submitting the fraudulent documents to Microsoft for analysis. Documents created in Office 365 have a UUDI in their metadata that can be linked to the tenant that created the document.
- Reviewing the document metadata for clues
- Calling the phone number provided and engaging in a productive discourse with the malicious actor followed by a gentle notification that we had enough data to stop their scam and a request for them to stop immediately.
Our Investigation
We could determine that the activity is likely being conducted by a group of malicious scammers. They are likely doing this to multiple companies, as the person I talked to answered the phone in a very generic manner and would not identify themselves until I specifically asked for the HR person at Graylog.
Concerning Graylog, the scammers were using our corporate name Graylog, Inc., as well as the names of several current employees, to lend credibility to their operation.
The scammers were likely operating out of several international locations. They found victims by placing fake position announcements on social media and other places with websites. When the victim “applied,” they were granted an interview via Skype chat with who the victim believed to be the HR person at Graylog. There was no video. The chat was mainly cut and pasted from actual Graylog job descriptions. After the interview, the victim was provided with a fake offer letter and benefits package. These documents were created in Office 365 and had identifying information that tied the document back to the Office 365 tenant. Once the victim returns the fake offer, they were contacted via text from one of these numbers:
(214) 432-5656 – Carrier is Lumen Technologies
(214) 764-1599 – Carrier is Lumen Technologies
(450) 234-7081 – Carrier is Iristel
(214) 256-3816 – Carrier is Lumen Technologies
(214) 764-2680 – Carrier is Lumen Technologies
The victim was told they would receive a check the next day for office supplies and a $200 signing bonus, with instructions to deposit the check into their bank and immediately transfer funds to a couple of Zelle accounts. These accounts are supposedly the accounts of the vendors supplying the office gear. Here is one of the fake checks below. The checks were being sent from an accounting firm in New Jersey.
I contacted the accounting firm, which was coincidently contacted by FedEx, wondering why they had requested 350 mailer envelopes be shipped to a location in New York City. It turns out that the accounting firm’s account was compromised and used to send these fake checks to the scam victims. The checks were fake and had the address of a global company located in Florida. This company manufactures equipment for food production lines.
So far, we have succeeded in having two different domains used by the scammers shut down. We have contacted all the victims that contacted us, gathered evidence from them, and asked them to submit a complaint with the Federal Bureau of Investigation (FBI). Additionally, FedEx has been contacted and has engaged their fraud department. They have intercepted several outbound packages, located the exact address of a drop site in New York City, and stopped the delivery of the requested 350 envelopes.
Graylog has opened a case with the Federal Bureau of Investigation (FBI), contacted the Canadian telephone provider, reached out to all the victims we are aware of, and is communicating with Google to have Gmail accounts involved in the scam shut down.
Those numbers above are all still active. One of them even has a voice mail system that answers with “Thank you for calling Graylog.”
We have more steps we can take to make life difficult for these scammers. While we realize that we are not obligated to investigate to this degree, we are heartbroken that people are being victimized and that people in our company are having their reputations tarnished. Crimes like this continue because it’s difficult to get providers to do simple things like disabling an account, investigating related phone numbers or domain names held by the same entity, or acting quickly to prevent fraud. Victims often don’t want to be bothered reporting the crime. We have to do better.
Just know that no reputable company will conduct an interview solely via chat, nor will they ask you to cash a check on their behalf and transfer those funds to anyone. If a job offer seems too good to be true, alarm bells should go off.
Graylog has a very structured process we take candidates through, as do most upstanding businesses. Don’t be fooled. If you have more insight into these scammers’ operations, please let us know. Stay safe out there!