Dodgy IT Recruiters and Human Trafficking

Yes, I just wrote the above as a title for a post because I felt it was about as accurate as I could get in six words or less. I have written other posts on this topic and most deal with IT recruiters who are based in both the United States and in India. I guessed that there is probably a massive unexploited resource in opinions on them from India as well so I decided to look for it. Luckily English is used in India and it is used by Indians to communicate with other Indians so I searched.

This search involved a website called Desi Crunch that reviews these recruiting companies from an Indian perspective.

http://www.desicrunch.com/

When you got to the review section you will see there is a cross scripting vulnerability where someone was able to fill it up with names of people instead of companies. I figured that this was done to cover up information written there so I kept on digging. What I found was that the recruiters based in the US actually charge for H1B applications, withold payment for labor, refuse to give the worker their w-2 forms should they actually get a job in the US and sometimes even force the workers to be “housed” someplace under their control either in India and sometimes in the US.

I then took out an add on Craiglist in Hyberdabad. I got many responses and some of them were downright scarey and others were hoping I would be able to get a them a job, but I appreciate everyone who took time to e-mail me (you know who you are, because I am sending you a link to this)

This is the ad I took out.

http://hyderabad.craigslist.co.in/sad/3691485341.html

From the responses to this and from reading about things on various websites I have a good idea what happens in these cases but I still am short some evidence so I do not want to name names yet because accusations of human trafficking are pretty big and one mistake would either unfairly end someone’s legitimate business and maybe end my career, so pardon my caution.

Here is what we see in the USA.

A recruiter copies an old job description that they gleened from Dice ages ago.

They post that job as a new position (google a line in a job description and you can often see the original one it came from)

They get get resumes in word format (they either toss out pdf format resumes or they request one in MS Word)

They find a real job offered by a real recruiter in the USA.

They submit a resume sent in for the non existant job after they modified it to make the candidate unqualified and demanding too much money. They also try to claim sole representation of the client thus locking them out of the job application process.

They also submit H1B candidates to this job and try to get the company to accept the cheaper, more qualified Indian applicants.

They hope that the company recieved too many unqualified applicants from citizens and green card holders and needs to go the H1B sponsorship route.

Meanwhile back in India……

Adverts are placed offering jobs either in America or as a recruiter for a phone call center in India calling American clients. You just need a phone and access to a computer.

Since recruiting in America from an Indian call center (usually a VoIP number forwarded to their mobile phone) is slow their employer offers them a chance at “IT Training” at their “School” for a fee but promise them the opportunity to go and work in America.

So they go to School, and according to my sources that school is often 10 to 20 people crammed in one room to sleep and they are made to clean everything, often in the whole building where the “school” is located (because the Recruiters also run a cleaning service, so they get their cleaners to pay to clean and they get building managers to pay them for their cleaning services). Most of the school consists of tech lessons without a computer, sometimes just a guy reading from a book. One source told me that after cleaning the “instructor” read them “Oracle For Dummies” that was on a PDF file on his laptop.

Training like this goes on for a while. Some places give free food and others make the students pay for food but everyone agreed that the training was hardly training at all.

Next, they are told there is a position open for them that needs to be filled immediately. The company they work with in the US loves their “training program” but they need fees to expedite their visa application (an illegal demand in the USA). They are then sent home to their family with the good news and they try to come up with the money. My sources told me anywhere ranging from $50 to $1000 (approx) are then given as well as essential documents like their passports, old pay stubs, and degrees or professional certifications.

Back in the USA lets say the recruiter has shut out citizens and green card holders or convinced the employer that cheap H1B labor is the way to go and their investment will pay off. The employer may be told that the candidate is already in the USA but their visa is about to expire. So they arrange for a phone interview. Lets just say it is for a Linux and Oracle administration job.

Back in India, the H1B candidate is told the employer wants to talk to him via skype. A skype call is made and the employer is presented as another Indian. This is not the employer but usually an employee in the US office of the recruiting company. The interviewer asks the candidate questions about his life and family but not tech questions. One source told me that the skype interview was about how American women loved to date Indian men and he would have American women all over him the moment he arrived.

Back in America, The recruiter just finished pretending he was the employer interviewing the candidate. He will interview every candidate in India the same way because there is more money to be made off of them by giving them hope. But now he arranges for a phone interview with the real people offering the job. They have not spoken to him before, only the other partner or perhaps they spoke to him when he used his “American Name”. So they call and ask him questions about Linux and Oracle. Since he also works as a sysadmin he can answer the questions correctly. He knows what questions to ask them as well. He does good in the initial phone screen. If it would be for a job he is not familiar with he will take out a classified ad or use one of his contacts on Orkut to have them do the phone screen with the company pretending to be the candidate.

Back in India, all Candidates are told they have the job but now they must get money very quickly to fly to America. Those that cannot come up with the money are thrown back into useless phone work for commission or just tossed out. Those that remain are told to give the money to the recruiter so he can buy the tickets for them. Many of these people are from the lower classes and have no idea what is entailed in things like Visas, international air travel or whatnot. The more generous ones will now allow them to get free meals while waiting, maybe out of “generosity” or maybe just to discourage them from leaving when there may be more money to be made from them. There may be 10 or more Candidates giving airfare to the US (likely inflated) to the recruiter at this point (the cheapest from Hyderabad to Chicago is about $1200 one way).

Back in the USA, the employers want an interview with the candidate that they think is in America. The recruiter tries to stall them long enough to make sure they get the guy over there. It is very rare to get to this point so they have to get the India side to hurry up and the American side must delay without offending the recruiter. Most of the time it is a “sick relative” and the candidate had to return to India, but they are on their way back now because they want to interview (this makes it so the employer might feel bad for the candidate too). Candidates told me how they often had to make up how a relative had died and that was why they were returning tto India.

Back in India the Candidate chosen is now rushed off to the airport if everything is in order. The other Candidates are told their time will come too, or told that this person got to fly to America first because they paid a special fee and the recruiters would be happy to pay a fee for them as well if they can get more money together.

In America the candidate is met at the airport by the US recruiter and taken for intensive coaching for the interview. Most likely the interview fails. It is hard to have someone with no IT skill to fake a real face to face interview. When this happens the candidate is told he must pay for housing in America and get his family to pay for a return plane ticket. He thought he was coming to America to get the job, but often had no idea it was just for an interview. If he cannot get the plane ticket the recruiter will call the INS on him and get him deported. He is told that he could be sent to jail forever in America for any infraction against the recruiter so his family had better pay up. Most of the time a whole family has gone broke sending a member to America and then getting them to return.

On the off chance the candidate is hired, the recruiter will be paid by the employer and then pay the candidate. It is here that the Candidate finds out that the recruiter may hold his entire paycheck or at least take 50% of it. He is then threatened with deportation at every infraction against the recruiter and if the employer realizes they have hired an inexperienced person they will fire them, and then the recruiter will hold the whole paycheck (sometimes only 50%) as a “penalty” and still demand they get their family to pay for their flight home.

During this whole time the recruiting company is sending out fake job notices and collecting resumes and they may even be benifiting from women and minority owned business preferences in Federal and Local government contracts.

Back in India, the crowd of IT and H1B visa hopefulls is out of money and getting angry at having to pay to be janitors while waiting for their jobs to start. At some point an excuse to get them all out of the building is given like for repainting or something and the company vanishes leaving them broke and unable to get any of their money back. Most of the time it just moves accross town but since internet cafes cost money and mobile phones do as well and they often never know what legal path to take in their own country to try to get restitution. Perhaps they know that the court would favor a higher caste over the lower ones anyway?

So that is the run down of examples I have gleaned from comments and some of the victims. I find it shocking that companies operating in the US often have their “offshore” wing charging people to work for them and keeping them in poor living conditions. I am going to try to find more solid proof and name some real names here in the US.

How to Thwart Chinese Hackers

I enjoy being wrong.

The most I have ever learned has always been from the realization that something I believed was really not true at all.  It always causes evaluation and introspection which is needed so as to not become an “Archie Bunker” like character as years go by.

I had a moment like this a while back sometime after my Dear Abby parody post, and that was that the Chinese Government is Really attacking Government and business networks and websites.  I know most of you are thinking “Just now?  Its been all over the news for years”  I know this, but the fact was I did not really believe it then because I saw Spammers based in China doing scripted attacks in order to get an unwilling machine to host a website selling pills or providing backlinks to “SEO” nonsense that complimented their message board and social media SPAM posts.  So I had good reason to believe others were misidentifying the pattern that I had correctly identified.

Until I started seeing patterns myself.

The first patterns I saw were coming from 210.75.192.0 – 210.75.223.255 owned by the Beijing Information Highway Corp (love that name) but they followed the ones I see from all over the world; random times, pointless visits and attempts to register and attempts to post.  Successful posts are done in poor English and it is clearly the model of spammers using compromised computers that likely have pirated software installed on them so they never have security patches.  This is what made me believe that there was no Chinese Government conspiracy.  Then from the same IP blocks I started seeing things differently.  I still saw the spammers but I also saw attempted logins to ssh, ftp and telnet.  I even saw port 25 get lots of VRFY attempts.  The pages searched for on port 80 and port 443 involved wp-admin and another for chef/common.rb and chef/cookbook/cookbook.rb which seemed to be a directory traversal attempt or perhaps looking for an error message.  What was odd about these attacks was that they started at about 8:30pm EST and ended  about 4:30am EST.  I blocked one particularly annoying IP that was doing the weird directory traversal thing looking for Chef Configuration Management software (I suspect one would really like to get a hold of configuration management software to configure your own compromised machines) and trying MySQL injection with attempts like '1'='1-- and admin'/* and as soon as I did that the same stuff appeared again from an IP in Bogota Colombia that turned out to have been an Adtran 904 that had a default setting of admin and password for its security credentials and a VPN to the IP in China I had just blocked and a few others on the same Beijing IP block as well.

So I did what any sane person would do and didn’t touch anything and instead blocked the Colombian IP (I was very tempted to remove all VPN configurations and change the password but I did not).  After that I just got the same old spammy probes from China and visitors to index.html that just hung around until their sessions timed out.

What I checked out later is that Beijing switched government hours from 8:30 to 5:30 to 9am to 6pm.  This, to me, meant that people showed up for work 13 hours ahead of EST in Beijing, checked e-mail and assignments for maybe 30 minutes and then started working on their 9 hour day and then around 30 minutes before leaving they stopped working and perhaps wrote summaries of their day and went home.  What is odd is that I did not see what appeared to be a “lunch” hour.  This tells me they are either being worked very hard or (more probably) love their jobs attempting to break into stuff.

I wish I had more IP addresses to fool around with.  I could then make a virtual machine as a honeypot but really customize it.  Maybe with some poorly written php that would make MySQL vulnerable and a separate virtual machine for logging.  But I do not have those kind of resources.

I would really like to write a script to focus on timestamps between commands and see what commands are made when they do get in. I could then judge whether they are using a script like Metasploit or perhaps even have to get approval from a supervisor before privilege escalation and even be able to judge their language proficiency based on spelling and grammar mistakes.  In a way I am not sure why we are afraid of them when we can use them to actually understand them since they do not really hide (or not the one’s I saw anyway).

Now..How to Thwart them.   I do not know why they use directory traversal maybe just testing to see if a web application forgot to check for ../../ and unicode type strings or maybe there is another vulnerability out there?   But I think I would avoid writing my own web applications to go live right away for a while especially when so many more secure CMS exist today.

I also would make it so Configuration Management Software such as Puppet or Chef is never available to remote administration (that could be one of those disasters no one knows about until it is too late).

The other steps are normal security best practices like good passwords, never putting in a DVD or pen drive that you find just laying around somewhere.

I believe the main key to thwarting hackers from China (I really should not say “Chinese hackers but you all know that I mean “Sponsored and employed by the government of China” when I say that) is studying their bureaucracy from what clues they give us by their online presence.  Right now I know from my experience with them is that they show up for work, put in about 8 hours and then stop working.  I also am pretty sure they are based in Beijing and they attacked routers in countries other than the nation where their target exists. (perhaps we have compromised Adtran Routers here in the US that are used to attack Iran, Venezuela or Russia).

More exploration is needed and I am quite sure this is what they are saying about us as well.