Wednesday, 27 February 2013

Social Engineering of Universal Job Match

by: anonymous 27.2.13

Well this paper is on the use of universal job match and its fail against most basic security for thousands of jobseekers forced to use this service although to date 27.2.13 is not Mandatory and no mandate has been set to make this compulsory.

The JCP staff are stating this is compulsory. (Lies) as a test I challenged this.

26.2.13 a guy by the name of Dave (JCP) was my target. After stating that my job search was not up to standard

(on purpose of course) I stated that JCP staff are not allowed to state to a jobseeker how he conducts his/her job search, I was challenged as I'm seen as a scummy dimwit who can't find a job and told we set the rules. Errr! Within the Law Dave?.

[“The UJ Jobmatch toolkit chapter 3, paragraph 50, states: “You cannot issue a Jobseeker’s Direction to either require a claimant to create a profile and CV in Universal Jobmatch or to mandate a claimant to give us access to their account – this is their decision not ours.” Paragraph 52 also states that “We cannot specify to a JSA claimant how they provide us with records of their jobsearch activity and Universal Jobmatch will not change this.”

"Oh ok" States Dave... "well it will be compulsory in March".. Yeah well Dave its fucking Febuary and as of now it's not. (Lies)

On that note he wanted rid of me... come on Dave so soon in our relationship, I felt a bro-mance on the horizon...

I also stated to Dave that the universal job match was plagued with identity fraudsters (more on that later on) spamming and fake job postings as well as cookie privacy issues. Dave said "is that all I can help you with"... Erm Dave you did fuck all to help me. With that I set about proving this is a joke and an identity fraudsters heaven. How? read on....

I set about proving this by posting a fake job posting as an ID fraudster would and see the CVs and personal info flying in.

After a few 503 errors (typical for this mob) I managed to post a job using a company not registered at companies house

with an address plucked out of thin air but with matching postcode (so it passed the checks lol) and well at first it told me the address wasn't a valid uk address, but it I tried another and boom job done. Pictures of the process below.

Note: one of the security questions that could be obtained from social networking sites, online searches or indeed my CV.

 Account Created as an Employer

Now the job details are input

Job Description Details

Job Details Cont.

Live Job Vacancy now online on Universal Job  Match.

Email Confirmation from UJM

I posted my CV to apply and the company received it . I proved my point Dave....

This was a job description purposely detailed to look fake, imagine how legit fraudsters could make the posting look!

There are lots more lies, too many for this paper but have been noted and recorded for next time.

That's it for part one of this debacle. 

Disclaimer: This job posting is/was in no way used for the purpose of harvesting personal information from any third party and is not to be used for any other purpose than for proof of concept that the Universal Job Matching Site is flawed and needs revision.