Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/26/2020
10:00 AM
Jon Mendoza
Jon Mendoza
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

Deep Fake: Setting the Stage for Next-Gen Social Engineering

Humans are susceptible to normalcy bias, which may leave us vulnerable to disinformation that reinforces our beliefs.

Bias and susceptibility were evident during the 2016 US Presidential election and has plagued much of President Trump's first four years in office. The term "fake news," which years ago would have been considered absurd, is now part of our cultural vernacular. Allegations against foreign-state actors interfering with US elections and conspiracy theories related to COVID-19 has divided a culture, communities, friends, and even families. Social media has become a platform that propagates both real and fake news and has confounded the next generation of fact checkers and truth seekers dedicated to vetting accurate content. 

"Deep Fake"
In recent years, the emergence of fake news has brought the concept deep fake to the public spotlight. Deep fake leverages the use of deep learning (machine learning) and artificial intelligence to create, edit, or modify content such as video, audio, or photo artifacts. The intention is to deceive the consumer of information, obfuscating the truth in order to influence behavior or opinion. 

Recent examples involve former President Barack Obama, Facebook CEO Mark Zuckerberg, and actor Tom Cruise. While some argue that these are good examples of how quickly deep fake technology has advanced, we also see the potential negative ramifications of this technology. 

Prominent female public figures — celebrities and athletes, for example — have been added to deep fake content in pornography. Potential misuse of deep fake can extend far beyond smearing one's character or reputation.  

We have also seen the rise of business email compromise (BEC) and advancement in social engineering techniques, such as spear phishing. According to the FBI, BEC scams typically run the gamut from bogus invoice schemes to C-level impersonation, account takeover, attorney impersonation, and data theft. 

These scams do not normally have attachments or even links for the user to open and activate. Instead, they prey on user's normalcy bias and the lack of security awareness. Often the request comes with a sense of urgency and a requirement for immediate, expedient action. 

It is easy to see why some people would fall victim to these types of scams, because they often include communications that appear to come from trusted or authoritative figures such as the CEO, president, or CFO of an organization. The email request might even contain specific information such as the customer's name, a valid invoice number, and the correct dollar amount. 

The credibility of the request might be enhanced further if the person soliciting has made this type of inquiry previously. These types of scenarios play out every day and almost all our technical (security) controls do not prevent these exploits from succeeding. 

Safeguarding in a New Era
In order to safeguard against BEC, we often advise our clients to validate the suspicious request by obtaining second-level validations, such as picking up the phone and calling the solicitor directly. Other means of digital communications—cellular text or instant messaging—can be utilized to ensure the validity of the transaction and are highly recommended. 

These additional validation measures would normally be enough to thwart scams. As organizations start to elevate security awareness amongst their user community, these types of tricks are becoming less effective. But threat actors are also evolving their strategy and are finding new and novel ways of improving their chances for success. This scenario might seem far-fetched or highly fictionalized, but an attack of this sophistication was executed successfully last year. Could deep fake be utilized to enhance a BEC scam? What if threat actors can gain the ability to synthesize the voice of the company's CEO? 

The scam was initially executed utilizing the synthesized voice of a company's executive, demanding the person on the other line to pay an overdue invoice. It was then followed up with an email from the fake executive with accurate financial information and a message reiterating the urgency of making a payment. The attack was successful in parting the victim from their money, and both the attackers and the fund disappeared.

Soon, the rise in scams involving deep fake and deep fraud will increase and its effectiveness will only be limited by the attacker's ingenuity and imagination. Deep fake and fake news have already caught the attention of large companies, Facebook and Google, for instance. Many organizations are joining the effort to enable technology that will detect and weed out fake content. 

Three Best Practices to Protect
In the meantime, what can we do to prepare and protect our organizations from sophisticated social engineering techniques?

  • If your organization/company has not done so already, enable and integrate single sign-on and multi-factor authentication for your critical applications and services. Review how your organization provisions and de-provisions its users.
  • Ensure that your organization has a robust password policy, one that is not so obtrusive that it is rendered ineffective but not so permissive that it is easy to nullify. Get into the habit of continuously reviewing your policies and guidelines to ensure that they match your organization's culture and users.
  • Establish protocols for urgent ad-hoc requests, perhaps requiring approval from two key approvers before a request is successfully processed. Consider out-of-band channel communications and utilizing share secret/passcode to validate the authenticity of the individual on the other end.

Introspection is helpful in improving your organization's security posture, as it almost always presents avenues for identifying and remediating gaps in strategy. The defenders are evolving but so are the hackers and the criminals. 

Deep fake is coming to an inbox near you. Are you ready?

Jon Mendoza is the CISO for Technologent. He has over 24 years of experience in Information Technology and Cybersecurity—and has created security programs for businesses and organizations, leading teams of engineers from various IT disciplines and domains. He has a ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RichardM23501
50%
50%
RichardM23501,
User Rank: Apprentice
9/1/2020 | 2:14:28 PM
Social conditioning
Thankfully, a generation of users are already familiar with the maniplulations of deep fakery. The tips are valid too.
davidbenson
50%
50%
davidbenson,
User Rank: Apprentice
8/30/2020 | 6:52:35 PM
Featuring your post
Mr. Mendoza,

Excellent post. It will be featured in tomorrow's OSIRIS Brief (https://osiris.substack.com/) as a noteworthy contribution to cyberstrategy published this week. I especially appreciated the psychosocial take on how people approach fraud, which seems especially salient to online security, but recieves less attention than technological issues.

David Benson

Editor, OSIRIS Codex
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
CVE-2021-3162
PUBLISHED: 2021-01-15
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
CVE-2021-21242
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
CVE-2021-21245
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
CVE-2021-21246
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...