Worker’s outsourcing scam discovered.
A US programmer was allegedly caught offloading his data-sensitive job to a freelancer in China so he could spend the day surfing the web, according to a Verizon case study.
The broadband and telecommunications provider says it received a request from an undisclosed critical infrastructure company in late 2012 to look into a possible data breach on its network.
The US company had discovered an anomaly in its VPN logs, which showed a live, unauthorised VPN connection from Shenyang, China. Meanwhile, the developer whose credentials were being used remained in his office in the US.
The Shenyang connections were occurring almost daily and occasionally spanned the entire working day.
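The anomaly described above, a VPN session from abroad while the same account holder is in the office, can be expressed as a simple log correlation. The following is an added example, not code from Verizon or the affected company; the log fields, user names, on-site presence source and sample records are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (not from the Verizon case study).
# VPN sessions: (user, start, end, source country from IP geolocation).
VPN_SESSIONS = [
    ("dev01", "2012-11-05 09:02", "2012-11-05 17:10", "CN"),
    ("dev01", "2012-11-06 09:05", "2012-11-06 16:58", "CN"),
    ("dev02", "2012-11-05 20:15", "2012-11-05 22:00", "US"),
    ("dev03", "2012-11-06 10:00", "2012-11-06 11:00", "CN"),
]
# Assumed on-site presence events, e.g. office workstation logons: (user, time).
ONSITE_EVENTS = [
    ("dev01", "2012-11-05 09:30"),
    ("dev01", "2012-11-06 13:45"),
    ("dev02", "2012-11-05 10:00"),
]
EXPECTED_COUNTRIES = {"US"}  # assumption: where staff legitimately connect from
FMT = "%Y-%m-%d %H:%M"

def parse(ts):
    return datetime.strptime(ts, FMT)

def find_conflicts(sessions, onsite, expected=EXPECTED_COUNTRIES):
    """Return VPN sessions from an unexpected country that overlap in time
    with the same user being observed on site."""
    seen = {}
    for user, ts in onsite:
        seen.setdefault(user, []).append(parse(ts))
    conflicts = []
    for user, start, end, country in sessions:
        if country in expected:
            continue
        s, e = parse(start), parse(end)
        hits = [t for t in seen.get(user, []) if s <= t <= e]
        if hits:  # one identity in two places at once
            conflicts.append({"user": user, "country": country,
                              "day": s.date().isoformat(),
                              "hours": round((e - s).total_seconds() / 3600, 1),
                              "onsite_at": hits[0].strftime(FMT)})
    return conflicts

def recurring_days(conflicts):
    """Count distinct conflict days per user to surface repeat patterns."""
    days = {}
    for c in conflicts:
        days.setdefault(c["user"], set()).add(c["day"])
    return {u: len(d) for u, d in days.items()}
```

In this sample, dev03 is not flagged: a foreign session alone is consistent with travel, whereas dev01's sessions contradict a simultaneous on-site record on two separate days.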
“Based on what information they had obtained, the company initially suspected some kind of unknown malware that was able to route traffic from a trusted internal connection to China, and then back,” Verizon explained in its case study. “What other explanation could there be?”
The truth turned out to be simpler: The employee had contracted a Chinese consulting firm to do his job for him for around one fifth of his salary.
During its investigation, Verizon uncovered hundreds of .pdf invoices from a third-party contractor/developer in Shenyang, China.
It later transpired that the employee had physically FedExed his RSA token to China so the third-party contractor could log in under his credentials.
Once the evidence had mounted, investigators checked the employee’s web browsing history: a typical ‘working’ day involved surfing Reddit, eBay and Facebook between 9:00am and 5:00pm. He would then email an end-of-day update to management before clocking off for the day.
“Evidence suggested he had the same scam going across multiple companies in the area,” the Verizon case study claims. “All told, it looked like he earned several hundred thousand dollars a year, and only had to pay the Chinese consulting firm about $50,000 a year.”
“Quarter after quarter, his performance review noted him as the best developer in the building,” Verizon noted.
How well do you know your staff?
Calvert Technologies provides consultancy and support to SMEs around Australia and is a Microsoft certified gold partner. CEO Dean Calvert said he expects to see more such situations both globally and in Australia.
“I know a software development business owner who discovered after he’d split the business that one of his employees, who was also a director, had been subcontracting his work off to friends in India,” he said. “They didn’t have access into the company’s internal systems but were doing programming [for the employee].”
“As you see more of these outsourcing and low-cost services arrive, people will think how they can use it for themselves. As professionals advising businesses we have to keep one or two steps ahead of that.”
Calvert said that for his clients and smaller businesses, the decision came down to risk versus cost.