Fraud Alert: Fake recruiters on GitHub and LinkedIn
This investigation reveals a possible fraud campaign involving fake recruiters on GitHub, even using LinkedIn Premium accounts
As we know, there have been social engineering and fraud campaigns on GitHub that aim to infect victims and steal information and cryptocurrency from them, particularly from developer accounts in the cryptocurrency, blockchain, cybersecurity, and online gambling domains.
Considering that this is a known vector, this brief investigation only seeks to highlight a possible network of fake recruiters that also uses social engineering on LinkedIn.
Context:
This brief investigation began with an invitation to connect with me on LinkedIn from the user Onder Kayabasi:
Onder Kayabasi
At first glance his profile seems very suspicious with regard to his activity on LinkedIn.
Onder Kayabasi is a Premium LinkedIn Member
Searching on LinkedIn, we found someone who had already reported this user as a fake recruiter:
In his post he mentioned having a technical interview with him, which already sounded a bit off to him. He then realized it was a fake interview but continued it to gather more information from the attacker.
Note: It’s important to highlight that having a malicious error.js file (or any file directly in the codebase) is not necessary for an exploit. The vulnerability might originate from an npm dependency. Even more concerning, it could be embedded in a post-installation hook of a malicious npm package. In such cases, the exploit can be triggered as soon as the victim (or their development tools, like VS Code) runs npm install to enable features like code completion, without even needing to run the application itself.
Part 2:
Since this profile is known to be targeting people and is actively “recruiting”, we will begin by searching for his name.
In his profile on X we can see he is actively looking specifically for “Smart Contract Developers” and “Blockchain Developers”, using the company Peig.io as a façade.
In GitHub there is a profile which goes by: OnderKayabasi
This account is registered by: kaankayabasi9060@gmail.com
Joined on March 21, 2024
Regarding the email registered in this account: kaankayabasi9060@gmail.com
If we search “kaankayabasi” in GitHub there is one user with the same GitHub Id:
This account has some aspects in common with the one on X:
“Hello, I am a recruiter at XXX. My company needs professional Blockchain and Web 3.0 developers. I find developers here”
These accounts, including the LinkedIn profile of Onder Kayabasi, seem related and share the same bio information.
If we dig deeper into the second account, which uses the name “kaan kayabasi”, we see that it has only one follower.
Part 3:
We are going to focus on this user and his only follower, called “Devmaster929”:
This account is registered by: goodfriend9290@gmail.com
Recent activity and joined GitHub on January 15, 2024
“Devmaster929” is registered with goodfriend9290@gmail.com, and the user with whom he shares a repository uses the GitHub id goodfriend9290.
There is a repository he shared with a user called goodfriend9290, as seen in the next image:
If we search for goodfriend9290:
This account is registered by: goodfriend9290@skiff.com
This account has only one follower:
The user smartdev0119
He follows 5 people, and here we find some accounts we mentioned before:
User called: goodman4293 — goodsuperman@skiff.com
This profile also follows other GitHub accounts that seem suspicious, for example:
The next profile is “devmaster929”, which we already mentioned as being related to these accounts.
Part 4:
We are going to delve deeper into the profile called “devmaster929”, which joined GitHub on January 15, 2024.
All these profiles came under investigation because this profile is the only follower of “kaankayabasi”, seems suspicious and recent, and is very active in engaging with other users.
This profile has a lot of followers (around 850), but its repository activity is linked to the profiles we already showed.
By checking who he follows, we see some accounts that seem to be fake recruiter profiles.
If we check these profiles, the first one in the list is:
“LAUREN RUBY AND PHP RECRUITER”.
The GitHub profile uses legitimate links mixed with fake information: in this case the linked person actually works as “Receptionist/office support”.
The second in the list is Javid Yusupov. This account also uses legitimate links to LinkedIn profiles, but the GitHub account is fake.
If we check the list of followers mentioned before one by one, we can see there are many fake profiles farming different accounts, apparently targeting developers on GitHub.
Most of these accounts are new, share the same bio and use pictures of women. We also have to bear in mind that these accounts are followed by “devmaster929”.
From this profile we found at least 250 profiles posing as recruiters; most of these accounts were created in January 2024.
In the next image we can see that these profiles share some information in their bios which seems related between them.
Most of these accounts were created in 2024 and have no repository activity, but some of them are linked to legitimate LinkedIn profiles and others to suspicious LinkedIn Premium accounts with low social activity and only repost activity.
Also, most of these accounts are followed by the same two users.
The list with some of the GitHub users who are followed by these 2 accounts can be downloaded here: https://smallpdf.com/file#s=6f700ad0-eebe-4d64-8bbe-f8349dc168f6
There are at least 250 accounts with suspicious activity related to recruiters.
Part 5:
“devmaster929” and “sammorozov” are following most of these recruiter accounts and also follow real people on GitHub.
The user “Sam Morozov” is following 295k profiles, which is actually a bit off.
sammorozov
When checking some newly created GitHub accounts, we see the same pattern: fresh “recruitment” accounts are only followed by the two accounts mentioned.
For example, in this image we can see several users, all of them fake accounts followed by “sammorozov”:
For example, the last account is a fake profile with legitimate links to a LinkedIn profile, and it is followed by both accounts.
If we check the accounts on this list, we can see some resemblance between them, and that both accounts follow these fake profiles:
That said, we must mention that being followed by these 2 accounts does not mean they are all bots, but most of these new accounts form a network of fake recruiters.
Regarding the profiles we have to mention:
-Some recent profiles followed by the user Sam Morozov are pretending to be recruiters from Brazil
-There are fake GitHub profiles that link to real LinkedIn profiles
-These accounts are following “fresh” recruitment profiles
-Some of these “fresh” recruitment accounts are only followed by the 2 accounts “devmaster929” and “sammorozov”
-Being followed by both users does not mean the account is fake
-It seems “devmaster929” and “sammorozov” are following some fake accounts; we cannot confirm they are the owners, but since all of these accounts follow the same patterns, we can say they are related to both GitHub users.
Part 6:
This is a visual of how this network of GitHub accounts is connected:
Download image: https://smallpdf.com/file#s=c6758c8c-bb16-41bd-858e-af90138c9616
Regarding the graph, the central point is “devmaster929” and the second on top is “sammorozov”.
There is also the small network where we began, located on the left, where we can find Onder Kayabasi and Kaan Kayabasi.
Download image: https://smallpdf.com/file#s=1c825f3a-22d8-441f-99f6-001e3f70bc2e
Conclusion:
- User “Onder Kayabasi” is a LinkedIn Premium member and is actively sending malware using his facade as a recruiter
- We could see some new recruitment accounts which are only followed by the 2 accounts “devmaster929” and “sammorozov”
- We don’t understand the reasons behind “Devmaster929” and “Sam Morozov” following such a large number of accounts.
- It is not a crime to follow accounts on GitHub; however, the number of followed accounts related to recruiters, with accounts less than 6 months old, only 2 followers, similar descriptions, no repositories, mostly female profiles, and users with fake and some real links, is not a coincidence.
- There are accounts that mix real links with fake information
- There are GitHub accounts linked to strange LinkedIn profiles with only “repost” activity
- There are more new accounts on GitHub, and most of them follow the same pattern: bio, creation date, who follows them, job as recruiters, LinkedIn link, and other things that are not a coincidence.
- The Excel list shared here contains users who follow a certain pattern that seems suspicious; however, there are a few accounts for which we cannot determine whether they are fake or real.
- GitHub recently issued a security alert warning of a social engineering campaign targeting developer accounts in the cryptocurrency, blockchain, cybersecurity, and online gambling domains.
Links:
https://www.linkedin.com/in/onder-kayabasi-772a33302/
https://x.com/OnderKayabasi
https://github.com/OnderKayabasi
https://github.com/KaanKayabasi
https://github.com/goodfriend9290
https://github.com/smartdev0119
https://github.com/WebWizard109707
https://github.com/devmaster929
https://github.com/laurenninedots
https://github.com/Bionicle18
https://smallpdf.com/file#s=6f700ad0-eebe-4d64-8bbe-f8349dc168f6
https://github.com/sammorozov
https://github.com/luisapogozelski?tab=followers
https://smallpdf.com/file#s=c6758c8c-bb16-41bd-858e-af90138c9616
https://smallpdf.com/file#s=1c825f3a-22d8-441f-99f6-001e3f70bc2e