The case of the job applicants who weren’t

Quantopian Security
6 min read · Dec 13, 2018

TL;DR Someone submitted two convincing, fraudulent job applications to Quantopian. Our investigation confirmed that they were fraudulent, but we were unable to identify the culprits or determine their motive. We’re publishing what we’ve learned to warn other potential victims and crowd-source additional information about what happened.

At Quantopian, one of the ways we know we’re on the right track is that we get a lot of inbound interest from people who want to come work for us. Although we do some recruiting, our most successful hiring channels have always been referrals from existing employees and unsolicited job applications from people who found Quantopian and liked what they saw. We hear from impressive, unsolicited applicants nearly every day, so we weren’t particularly surprised when we received an application from an impressive candidate on November 16. That is, not until we received another application from an equally impressive candidate less than a minute later, and things started to get weird.

Normally when someone describes two job applicants as “equally impressive,” it’s not meant to be taken literally. In this case, however, we really mean it: the two candidates were clearly designed to be equally impressive. Here, for example, is a macro view of the two résumés, side by side:

[Image: the two iffy résumés, side by side; the post linked to both original PDFs]

If your reaction is, “Wow, those résumés look really similar!” you’re starting to catch on. Both résumés used exactly the same template, the same fonts, and the same section headers. But that’s not where the similarities ended. There was also this:

Isn’t that an amazing coincidence? The two candidates most recently worked at the two most popular ride-sharing companies’ headquarters in San Francisco, starting the same month, working on “algorithms.”

Parallels like this appeared throughout the résumés.

But that’s not all. In addition to what we already knew, i.e., two job applications came in within a minute of each other, used exactly the same résumé template, and had too many parallels between their contents to be coincidence, there were several more reasons for suspicion:

  • the file names of both résumés were in the format Lastname.Firstname.pdf;
  • the email addresses of both candidates were in the format firstname.lastname##@gmail.com;
  • neither of the two candidates has a LinkedIn profile; and
  • none of the information on either résumé could be independently verified (e.g., both candidates claimed to have won hackathons, but the winners of those hackathons were never published online).
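The indicators above (near-simultaneous submission, matching résumé file-name and email-address patterns, no LinkedIn profile) plus the shared source IP address the post mentions later can be checked mechanically across an applicant-tracking export. The following is an added example written for this post, not Quantopian's or Recruiterbox's code; the applicant records are constructed, the field names are assumed, and the `##` in the email pattern is assumed to mean exactly two digits.

```python
import re
from datetime import datetime
from itertools import combinations

# Constructed sample records; nobody here is a real applicant.
APPLICATIONS = [
    {"name": "Ada Example", "email": "ada.example42@gmail.com",
     "resume": "Example.Ada.pdf", "submitted": "2018-11-16T14:03:10",
     "linkedin": None, "ip": "203.0.113.7"},
    {"name": "Ben Sample", "email": "ben.sample17@gmail.com",
     "resume": "Sample.Ben.pdf", "submitted": "2018-11-16T14:03:52",
     "linkedin": None, "ip": "203.0.113.7"},
    {"name": "Cara Real", "email": "cara@example.org",
     "resume": "cara_resume_2018.pdf", "submitted": "2018-11-16T15:40:00",
     "linkedin": "https://www.linkedin.com/in/cara-real", "ip": "198.51.100.9"},
]

# Lastname.Firstname.pdf and firstname.lastname##@gmail.com, as in the post.
LASTFIRST_PDF = re.compile(r"^[A-Z][a-z]+\.[A-Z][a-z]+\.pdf$")
FIRST_LAST_NUM_GMAIL = re.compile(r"^[a-z]+\.[a-z]+\d{2}@gmail\.com$")

def pair_signals(a, b, window_seconds=60):
    """Return the list of suspicion signals shared by two applications."""
    signals = []
    ta = datetime.fromisoformat(a["submitted"])
    tb = datetime.fromisoformat(b["submitted"])
    if abs((ta - tb).total_seconds()) <= window_seconds:
        signals.append("submitted within %d seconds" % window_seconds)
    if LASTFIRST_PDF.match(a["resume"]) and LASTFIRST_PDF.match(b["resume"]):
        signals.append("both résumés named Lastname.Firstname.pdf")
    if FIRST_LAST_NUM_GMAIL.match(a["email"]) and FIRST_LAST_NUM_GMAIL.match(b["email"]):
        signals.append("both emails match firstname.lastname##@gmail.com")
    if a["linkedin"] is None and b["linkedin"] is None:
        signals.append("neither applicant has a LinkedIn profile")
    if a.get("ip") and a.get("ip") == b.get("ip"):
        signals.append("same submitting IP address")
    return signals

def suspicious_pairs(apps, min_signals=3):
    """Flag pairs that share at least min_signals indicators.

    No single indicator is damning (plenty of genuine applicants name their
    résumé Lastname.Firstname.pdf), so a pair is reported only when several
    line up at once, which is what made the two applications stand out."""
    flagged = []
    for a, b in combinations(apps, 2):
        signals = pair_signals(a, b)
        if len(signals) >= min_signals:
            flagged.append((a["name"], b["name"], signals))
    return flagged
```

Running `suspicious_pairs(APPLICATIONS)` on the constructed records flags only the Ada/Ben pair, which shares all five signals; each pairing with Cara shares none.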

Taking all of the above into consideration, we were fairly confident that these two applications were fraudulent. At this point we started asking, why? What was the motive behind these applications? What did the person or people who submitted them hope to accomplish?

We first considered that this might be some sort of research, similar to other research done to ferret out sex discrimination, or racial or ethnic discrimination, in hiring. However, looking at the two applications, there was nothing to support this hypothesis. There were no substantive markers for sex, race, or ethnic background in the two applications. The only substantive difference between the two applications was that one included a cover letter and the other didn’t. “Let’s find out if cover letters make a difference in job applications,” seems like a pretty weak topic to research, but maybe?

Another possible research motive was attempting to determine if résumés submitted to a private job portal somehow leaked onto job boards. Just as publishers of directories and maps include fictitious entries to help catch people copying their work, a researcher could submit résumés to job portals and then search for them on public job boards to detect leaks.

We also worried about more malicious motives. For example, what if this was an attempt to get a foot in the door for some sort of industrial espionage? These résumés really were quite good, and if we hadn’t noticed the similarities between them, we definitely would have done at least a telephone screening interview for the two “candidates.” Our screening interviews are conducted directly by our hiring managers — not by Human Resources — and we try to share a lot of information about Quantopian during interviews (we believe that our interview process is as much an opportunity for candidates to evaluate us as vice versa), so perhaps someone was trying to use our hiring process to collect competitive intelligence about us?

In short, we had some ideas about what the motive might be, but we didn’t know for certain, and we were concerned that it might pose some as-yet-undetermined risk. We therefore decided to investigate further to see what else we could learn.

First, we emailed both candidates:

Subject: Your recent application to Quantopian

I am responding to the application you submitted to Quantopian on November 16.

We are curious about two aspects of your application:

1. The similarities and parallels between your resume and one submitted to us under a different name at almost exactly the same time as yours are too direct and numerous to be coincidental.

2. We were unable to find LinkedIn profiles under either your name or the name of the other applicant.

As such, it seems to us that there must be more than meets the eye to both of your applications, and we are wondering if you might be able to shed some light on this.

Thank you,

Jonathan Kamens
CISO, Quantopian Inc.

Neither candidate responded.

Next, we discussed our suspicions and concerns with Recruiterbox, the service provider that hosts our applicant tracking system, and asked them to provide us with the IP addresses from which these applications were submitted to assist us in our investigation. At first, they declined to do so, but after I pointed out to them that in their terms of use they reserve the right to disclose data about applicants to third parties “to protect the security or integrity of our Service,” and that this was such a circumstance, they agreed to provide us with the IP addresses, whence we learned that both applications were submitted from the same address.

Next, we called the phone numbers provided in the applications. The man who answered one of the two numbers claimed that we had a wrong number. The other number reached voicemail with a generic recording; we didn’t bother to leave a message.

To top off our research, we ran the bachelor’s degree listed on one of the résumés through the National Student Clearinghouse. They confirmed that the degree was bogus.

Here’s what we knew at this point:

  1. These job applications were fraudulent.
  2. A significant amount of effort was put into the fraudulent applications, so whoever submitted them must have had some substantive motive.
  3. We didn’t understand the motive, but if it had been legitimate, then they probably would have responded to our emails about it. It’s not OK that they didn’t respond.
  4. We wanted to write about this publicly, for two reasons:
     • If this was done to us, then it’s probably being done to others as well, and we should warn people.
     • By crowd-sourcing reports from others who’ve received similar applications, we might be able to identify some sort of pattern and learn more about the motive.

So, there you have it. Has this happened to you? If so, were you able to learn anything more about it than we were? Any thoughts about what motivated the perpetrator(s)? Comment here to weigh in, or feel free to send us an email.

The above content is directed toward technology professionals to provide information and promote discussion about information security. The content is prepared by Quantopian, Inc., but does not represent an attempt by the company to offer its products and services to the general public or provide investment advice. Readers interested in more information and important disclosures about Quantopian, its advisory business, and its products and services should visit www.quantopian.com.
