January 16, 2013
US Worker Busted Outsourcing His Own Job To Chinese Company
Michael Harper for redOrbit.com — Your Universe Online
Not long ago, one “critical infrastructure company” called Verizon's Risk Team to help investigate what it believed was a zero-day exploit being executed by Chinese hackers on its servers. What the Risk Team found instead is making headlines around the world today in the latest unbelievable but true story to circulate on the Internet.
Verizon's Andrew Valentine tells the story to Net-Security.org this way: "We received a request from a US-based company asking for our help in understanding some anomalous activity that they were witnessing in their VPN logs. This organization had been slowly moving toward a more telecommuting oriented workforce, and they had therefore started to allow their developers to work from home on certain days. In order to accomplish this, they'd set up a fairly standard VPN concentrator approximately two years prior to our receiving their call."
After monitoring the VPN logs, Verizon noticed an open and active VPN connection from one employee's workstation to another in Shenyang, China. Opening this connection required a code from a rotating token RSA key fob, and the logs showed the connection going back at least six months from the start of the investigation. The connection was made nearly every day and was often open and active from 9 to 5. This led the investigators to look more closely at the employee who had access to the key used to open this connection.
After monitoring Bob for a while, the Verizon Risk Team realized that he wasn't doing any work at all. They even released a timeline of a typical workday for Bob:
9 am – Surf Reddit for a few hours.
11:30 am – Lunch Time
1 pm – shop on eBay for an hour
2 pm – catch up on Facebook and LinkedIn
4:30 pm – shoot off an end-of-the-day email to management
5 pm – quitting time.
"Evidence even suggested he had the same scam going across multiple companies in the area. All told, it looked like he earned several hundred thousand dollars a year, and only had to pay the Chinese consulting firm about fifty grand annually," explained Valentine.
After looking through several invoice PDFs on Bob's machine, Verizon discovered that Bob was only paying these Chinese developers about $50,000 a year, despite his six-digit paycheck.
And it was $50,000 well spent, as the human resources department at Bob's company consistently gave him positive reviews, saying his code was always clean and submitted on time. As it turns out, it wasn't Bob's code at all, and his company has since fired him.
According to the investigation, Bob went to elaborate lengths to pull off this scam, including physically sending his rotating token RSA key fob via FedEx to the Chinese developers.
Verizon has said it only released the details of this investigation because it had a “unique attack vector.” Though this wasn't a huge threat to the company's security, it could have been, and Verizon is now using this case to encourage other companies to check their logs more often.