Ramblings of a Tampa engineer

On September 14, 2022 I got an email from someone that reeked eerily of a scam, but it turned out to be quite real. The full text is below.

Hi Connor,
A few days ago, this person named Maris [redacted] found me on GitHub and reached out and asked me to be his senior software engineer where my priorities will be communicating with clients. I thought it was a tiny bit strange since I'm a college junior having a hard time to land a SWE intern offer. But I took it, I knew what I was capable of.

Ah, this is what he was doing: He finds contracting positions, pretends to be a real developer with experience matching that position, and wants me to interview as that real developer. In this case, he found a Laravel/React contracting position, researched and decided to become you. Furthermore, he sets up a fake email similar to yours (as attached in the document) for communicating with the client.

I doubt this happens very often since he pretends to be different developers most suited for the job. But, perhaps you should let [redacted] know what's going on (the client).

Take care, Andrew

So I was about to toss this in the trash, but it had a word document attached. Thankfully I'm not sitting on a Windows machine and can just preview the document via Google without a fear of infecting myself.

So I previewed the document and it was scary. It was a document intended for someone to have a cheat sheet for an interview on how to act as me.

  • It included a subset of my personal information.
  • It included my education history.
  • It included my employment history.
  • It included my certifications.
  • It included a fake cover letter.
  • It included a fake email/address that was "near" mine.
  • It included information about the company interviewing for.

The more I read this document - the more creepy it felt. Someone went to the effort to extract tons of true information from my available sources and build a fake profile of me.

  • They created an email that just tossed a 2 at the end of my legitimate one.
  • They picked an address of a house that is for sale in Tampa.

So I emailed the guy back that sent this to ask for more information. The exchange went like:

Me: This behavior seems odd - you are reached out by a party and asked to fake your identity for a job, which in this random case was me?
Them: Yup, and they asked me to fake it because they aren't that fluent in English. Doing a voice call interview with a client will certainly expose them.

So I had all information to join this interview that the fake Connor Tumbleson would have joined. So I did.


The Zoom Interview

I joined the Zoom call early and the client thankfully admitted me quickly. I explained as quick as possible that while I was the real Connor - I was not applying for this job.

I tried to explain how the individual who was hired to impersonate me had a great set of morals and forwarded this all to me. I was asking for all the information this employer had on the fake me when the story got even weirder.

Another Connor Tumbleson joined the call and was stuck in the meeting room. The gentleman of this company was frankly amazing and allowed me to change my name, turn off my video and tweak my avatar and stay on the call.

So the interviewer admitted entry to a new person who then spoke with an accent I could not place. The interviewer kicked off the interview and asked this individual to explain a bit about himself.

This imposter for the next 2 minutes proceeded to read the same document, that I was leaked, saying things word for word as well as saying his name was Connor Tumbleson. This was a different person hired to impersonate me than who reached out to me. My guess the original person declined and this just got passed to a different person.

I could not stand this anymore listening to someone legitimately claim they were me while using my photo, name and hard earned achievements. So I turned on my camera, renamed myself back and asked the individual what the hell they were doing.

The fake Connor Tumbleson immediately left the Zoom call.

So I spoke a few more minutes with this interviewer thanking him for going along with it. I then learned this was a interviewee discovered through Upwork - so I asked for all the proof and continued my investigation.


The company who my impersonator applied at reached out and provided all the images above as well as reporting this account to Upwork.

So with this discovery - I found the fake Upwork of myself. This was creepy as it included some jobs I worked and some that were made up. It was like my actual resume with some made up boosted traits. It did have my real Laravel certification so my guess is someone just exported a data-set of me from LinkedIn.

So it seemed like I was starting to understand the picture now.

  • A person/company sets up fake Upwork profiles of real people.
  • They apply to jobs in hopes to get an interview using that fake profile.
  • They find suspecting victims on GitHub who are willing to go along with this.
  • That person uses the identity of someone else to land the job.

I'm not sure how this actually pans out if it works. Can you really refuse to use video for the entire contract of the job? How do you get paid if you need to submit tax documents? Do you pretend to be me forever?

So it was time to investigate further. Who or what was behind this profile?


However, before I did that. I wanted to childishly email the address of the person impersonating me.

Email from me to fake Connor.

The response I got I'm not sure how to react - an apology for assuming my identity which is absolutely insane. You could just make up profiles and use AI generated images, but using my real photo and information and GitHub is far beyond "sorry".

This next part of this post is all in part thanks to the individual who passed on the details to me and it only gets crazier. I got written approval from Andrew (The Individual) to show his name/photo unredacted. He blogs at unfooling.com and may have a post up about this as well.

If you put on the shoes of Andrew. You would have been reached out to by a person using a fake profile, name and email. They would be looking for a business partner with a very generic document in hopes to attract you to join after a bit of small talk.

Hope you're doing well.
I just came across your GitHub profile. Looks like you've got a lot of experience in software development. So, I just wanted to reach out to you and see if you're available for a part-time role

I'm currently looking for a senior software engineer who can work with me as a business partner and it will be fantastic if we can work together.

A bit about me... I have a remote development team and we mostly work with clients from North America.

We provide web and mobile app development services. Most of our team members are not native English speakers and we often face communication problems.

So, we need a native English speaker with software development experience to help us with client communications. The rate is between $60 and $80/hr depending on your experience.

The main responsibility will be taking job interviews on our behalf and talking to our potential clients.
Please shoot me a message if you're interested in further discussion.

This individual was interested and that led to a document being sent along after considering to accept this position.

This document spells out some weird behavior between the lines and lacks any official business domain, email or logo. Especially paired with a generic Google email address and a phone number that resolves to the Embassy in Panama does not seem right.

So Andrew like most potential hires has some valid questions before jumping into this opportunity.

A potential "fake" Connor talking to the presumed leader.

I'm redacting the sites provided for the sole reason that I can't confirm if they were actually developed by this company and don't want to loop them into something incorrectly.

Reached out to one client who PND claimed they built.

1/3 of the companies responded and claimed PND did not build their website nor had they ever heard of them. So I believe this is a never ending web of lies.

What we do learn from this email is the website of the company itself - PND Design. So we take a look at their website and it doesn't appear to look that great.

pnddesign (d0t) com

So I continue to go back in history on Archive Machine until I find a change to the site design.

December 2020 of pnddesign (d0t) com

This gives me an older company name of "PND Developing" which finally gets me some results on the web. It seems because the website says Madison, Wisconsin and so does the LinkedIn page and the domain matches - we found the right page.

https://www.linkedin.com/company/pnd-developing/about/

So recapping - we have a business in Wisconsin, a phone number in Panama with a generic Gmail. However, we do have a profile associated with this company and that led on quite the discovery mission.

We can find Plamen Dimitrov who appears associated with PND Design on LinkedIn and the name of this individual looks pretty close initial wise with PND. This entire thing could be lies on lies - so maybe even that can't be trusted. However with the initials in the Slack channel being PND we might as well investigate. This individual has a website associated with himself and this leads me to see an eerily relation between the sites.

0:00
/
Same "No Right Click" on all the sites.

This individual is associated with a personal site and a company site that uses the services of two other sites that all act with similar features and broken designs. It looks like the security enhancements of web browsers in the past few years have not been patched on these websites.

So we now have the following sites associated with this and I can say with pretty good gut certainty these are built/hosted/controlled by the same party.

You can reverse those sites to find a couple hundred of domains on that IP, then cross-check the list against matching Google Analytics IDs and find almost 50 domains.

I clicked on one of the domains and it actually loaded - which was a surprise after the four sites above not really doing too well.

The "Anti Right Click" is back again.

It seems I've found the pattern of installing WordPress with an odd set of plugins. I'm not sure what the obsession with no right clicking is. So now we can continue to find more websites built by this company.

  • pdrecipes (d0t) com
  • pndstore (d0t) com
  • acupunctureherbalmd (d0t) com
  • francelavindesign (d0t) com
  • maacupuncture (d0t) com
  • onsitepromassage (d0t) com
  • recipeswise (d0t) com
  • studiozmadison (d0t) com
  • thesmoothierecipes (d0t) com
  • tryveganrecipes (d0t) com
  • acupressureschool (d0t) com
  • acupunctureschoolusa (d0t) com
  • freshmartmadison (d0t) com

(44 more....)


If we jump back to my situation with this - we can look back at the individual Andrew stuck in the middle of this who still had some doubts with this job. He proceeds to ask another question.

Last question: What's the rationale of me pretending to be one of your developers?

Getting a response from "Maris" of:

Hi Andrew, we're not a grownup company. So we still get jobs from various job board websites as individuals. Actually, we managed to sign up on several platforms. That's why you should talk to the client as an individual. Hope this answers your question.

This is a valid question with a non answer. No where in this response do I see why you have to pretend to be another developer in order to do your job. There are plenty of businesses that have a project manager in the states that simply act as the communication layer between an offshore development team and that could have been an acceptable business model.

My guess is this becomes the difference of hiring a person instead of a company. Perhaps the contract jobs on Upwork are easier to obtain with one singular person masquerading as an entity than an entire company applying to handle some contract job.

So Andrew decides to go forward with this and obtains an invite to a Slack channel where we immediately see how crazy this story gets.

PND = "Maris" ?

We can see PND is talking and showing an example of what Andrew might have to do. The link was active at the time of my research and this interview occurred on February 28, 2022.

The initial reach out to this individual came from Maris. So this is crazy - PND creates emails impersonating engineers then uses those emails to attract more folks to join their company. I do wonder why Andrew didn't immediately bounce at multiple points during this, especially when you realize the person you were recruited by gave you a fake name.

So am I expected to believe this company is using my name and fake email to attract more individuals? I attempted to get this email account removed, but then I realized that was a useless endeavor - no way Google would get involved in the drama of deciding what is impersonation or not.

https://support.google.com/mail/answer/56256

So if we look at timestamps - Andrew joined the Slack channel around 9am on September 14, 2022. Around lunch the assumed leader known as "PND" begins to ask this individual if he is willing to take the interview as fake me that same day. This is the same interview I ended up joining for real alongside an impostor.

It appears this job ended for Andrew. While he thought he was being brought on to develop - he was just going to be an English speaking individual to assume identities & roles of others.

This is a direct lie from what we saw in the initial email from PND. It was explained that you would "assume the role of our developers". The important word is here "our" - I am not a developer with this company, yet my profile was being used.

A fake Connor did end up joining the interview, albeit late, who was not the individual pictured above. So my guess between 1:23pm and 5pm PND got to work to find an alternative person to assume my identity which was probably someone in that Slack team.

Unfortunately for us the individual who joined the Zoom interview impersonating me left immediately when confronted about lying, so nothing else could be learned from this.


Individuals in this Slack team.

So we can see the 35 members in this Slack, but I don't feel comfortable posting that list. I have no idea who is real or fake and who may be working for this company unaware of what is actually happening.

So I sent an email to two of them after I found them on LinkedIn to further help investigate this. One immediately responded unaware of this behavior occurring and left the group.

I do know there is an extreme amount of care from the assumed leader "PND" to not expose themselves who has not once used a real set of information or documents when talking to Andrew.

All parties are given only the information to complete their part of this scheme. I say this because you don't even know the company you are interviewing with - PND only gives you the name of the interviewer. Thankfully the Zoom link in the fake Connor Tumbleson interview leaked the company involved.

This helps piece together those odd interviews some coworkers described to me when the interviewee has no idea what the purpose of the meeting is or company. I'm starting to piece together a huge scheme that probably occurs in way more places than this Slack.

It appears Maris was in Notion instead of Google Docs and I can not find the client associated with that interview. I only have a generic interviewer name to go from. So if you hired a Maris in February 2022 - you may want to double check who you actually hired.

My guess since "PND" holds the fake Gmail addresses - they may orchestrate everything between Upwork, fake person and the client while the hired hand just attends meetings to be a voice.

So at least two people had their identity assumed in hopes to obtain a job in my brief research. At this point I did the following:

  • I emailed the individual who provided these photos/research asking for permission to post this with name.
  • I emailed all three businesses this company claimed they built to obtain more information.
  • I emailed two users from the Slack who I guessed may be in a similar situation after finding on LinkedIn.
  • I emailed the real Maris to loop them into this situation.
  • I emailed the fake Connor Tumbleson.
  • I reported the fake Upwork of me.
  • I called the assumed owner of PND Design and left a voicemail after no one picked up.

Who knows how many jobs out there were obtained from an individual impersonating someone else. It seems scary still to think that someone is using my name, profile and achievements to convince companies to hire a fake iteration of me. For that sole reason - I will not give up on my research.


Updates

  • September 14, 2022 - Draft written.
  • September 15, 2022 - Upwork removes the impersonator of me.
  • September 15, 2022 - Fake Connor Tumbleson responds.
  • September 16, 2022 - Person from Slack team I emailed responds and announces "leaving the slack".
You’ve successfully subscribed to Connor Tumbleson
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Your link has expired
Success! Check your email for magic link to sign-in.