Phishing- Fake it til you Make it - Venessa Ninovic

BSides Sydney · 23:40 · 243 views · Published 2023-03
About this talk
Have you ever fallen victim to a phishing campaign, or know someone who has? Chances are the answer is yes. Phishing campaigns are becoming increasingly difficult to detect. The evolution of these campaigns over time has led to a high level of sophistication. Now add deepfakes into the mix, and detection becomes even more challenging. This talk will provide examples of phishing campaigns using this technology, explain why OPSEC is so important, and discuss the future implications. Venessa Ninovic: Ever since her first Trace Labs CTF in 2020, Venessa has dived head first into the OSINT space and not looked back. Participating in various CTFs, engaging with the OSINT community, and writing blogs in her spare time, Venessa is constantly learning new skills and techniques. She is currently an intelligence analyst, and won the AIPIO 'Emerging Intelligence Practitioner' Award for 2022.
Transcript [en]

Hi everyone, I'm Venessa Ninovic and I'll be talking about deepfake phishing attacks. If you have a look here, it's actually a picture of me as an 18th-century royal. This was created using myheritage.com; it took about a minute to create and about nine images of me.

So, a little bit about me. I'm an intelligence analyst from Sydney with a passion for all things open source intelligence. I have a Medium and Twitter with the handle Intel Inquirer, where I write about OSINT and intel. I was awarded the AIPIO Emerging Intelligence Professional for this year, and I spoke at the SANS OSINT Summit earlier this year as well, which was pretty cool.

So what are deepfakes? Deepfakes are AI-generated videos and images of a person saying or doing something that they never did. They come in different forms, videos, images and also audio, and there are various different types of deepfakes, as well as quality, which I'll be going through. On the bottom left we've got a GAN-style image, which is a generative adversarial network image. It's a person that does not exist, from the website thispersondoesnotexist.com, and this technology has improved dramatically over the last five to ten years. In the middle we've got a face swap from Snapchat. This has become very popular, especially on Instagram and Snapchat, and it's readily available for anyone to really use. It's not that sophisticated, but it's there and the technology is being used. And on the right we have a deepfake of Tom Cruise. You can find more on the handle deeptomcruise on TikTok. This was created by Chris Ume; it took hundreds of videos and photos of Tom Cruise to create a deepfake of this quality. This is quite a sophisticated-level deepfake and very hard to detect by a human, essentially.

Phishing, yes, is the type of social engineering used to trick a person into providing sensitive information or deploying malicious software. In 2021, 83% of Australian businesses reported experiencing phishing attacks; most of them were emails. Phishing can be hard to detect by humans, but so are deepfakes; they're really hard to detect at times, and this is kind of like a match made in heaven, phishing and deepfakes. So, deepfake phishing. Deepfake phishing is using AI and using deepfake technology in order to deploy a phishing attack. It can be a video, audio or image, and it's used to trick them for the same reasons as usual phishing, so extracting sensitive information or deploying malicious software. It relies on impersonation, and deepfakes are impersonation on steroids. So you've got your standard phishing impersonating humans, impersonating companies; deepfakes are doing that also. Also, we've got threat actors currently discussing deepfakes, the current tools and techniques available online, on the dark web and also the clear net. And we've got an example here, pictured on the right, of a possible phishing email, noting that some people do actually link their voicemails with their emails. So you've got here the caller ID, you've got an audio deepfake, it looks quite legitimate, but when you click on it you can have the latest upload, for example.

So, the current landscape. I had a look at VMware's threat report for this year, and two-thirds of respondents saw deepfakes used as part of an attack. The majority of attacks were deepfake videos and were deployed via email, followed by text message, and new platforms are increasingly being used for these attacks, including third-party meeting applications and business collaboration tools also. So think about Slack, think about Microsoft Teams, Skype, all those kinds of software. 47% of attacks were aimed at the IT sector; a lot of you are possibly working in IT. This shows that deepfakes are moving from purely misinformation and disinformation to something a lot more, and is of concern. And there was a 13% increase of deepfake attacks reported. So it is happening, it's here, it's happening now; it's not something that's going to happen in 20 years' time, and it's something to talk about and raise awareness about.

There are two types of deepfake phishing: there are real-time attacks and non-real-time attacks. Real-time attacks are sophisticated, and if you look at real-time phishing attacks in general, they rely on the sense of urgency, of imaginary deadlines, imaginary ramifications if you don't action it right now, and we're seeing that with deepfake phishing also. So think about a phone call or a video phone call, a FaceTime, for example; they will use the same tactics for it to be effective. And you've also got non-real-time attacks. This is quite polished; it can be cast to a wide net, as opposed to the real-time attacks, where it's like a phone call to one person. Instead of doing that, you can send, you know, a fake invoice to an entire finance team and kind of hope for the best, and use deepfakes there, and it also reduces the pressure for them to respond in real time also.

I'll go through a few case studies with you of what's actually happened in the past. In 2019 there was a high-profile case where cyber security criminals tricked the CEO of a UK company into wiring 250,000 to the firm's parent company. Now, the head of that parent company is German, and they actually were able to use audio manipulation tactics to create a German accent, and this was what was really effective in generating this result of actually having that money transferred. We've also got another example here: Michael McFaul, who was previously the US ambassador to Russia, recently, in October, reported that there was a deepfake, a FaceTime impersonating him, where she said it actually looked and talked like him. It was a deepfake, which is quite concerning. He mentioned it was a weapon of war; I mean, we may see more of this in the future as well.

We've got image deepfake phishing as well. So there were actors in North Korea who created several fake LinkedIn profiles, and it was targeting infosec professionals. So they made themselves look like an infosec professional, they created infosec blogs, and they were distributing these blogs to Google employees; they were targeting Google in particular. These blogs actually had malicious software, and they were able to actually get access to the security researchers' machines. The way they did this was they looked up the DEF CON conference in Vegas, which is very popular amongst the infosec community, and they photoshopped a random person's face onto that individual who went to DEF CON. So you've got a bloke here wearing the DEF CON lanyard, a DEF CON shirt; looks legitimate, right? They're creating in-person blogs, but this was a fake, and this technique is called cheap fakes, because it's using cheap tools and techniques like Adobe or Photoshop to generate these images, and it's actually quite effective when miscontextualized.

And we have an example of a video deepfake phishing attack. So for those who don't know, FTX is a cryptocurrency that recently collapsed. I feel for anyone who lost any money in that collapse. But there was actually a deepfake circulating literally last week of the founder, Sam Bankman-Fried, telling people, in order to be compensated, everyone, can you please go on to this website, input your details and you'll get some money back. It actually looked quite legitimate; I had a look at some real videos of the CEO, and the audio was actually really similar to the CEO, and I think it was quite a job well done. And it was posted by a verified Twitter account also. So for those who don't know about the current Twitter environment, Elon Musk is the CEO and anyone can purchase a verified account for eight dollars, and this is what we're currently seeing. It's happening, and yeah, that was a malicious site.

So, the future of AI. We've talked about what currently exists in terms of the capabilities of deepfakes, images, videos, audios, but what's going to happen in the future? So currently we're seeing a huge trend in text-to-image AI-generated images, and we've got one picture here, a photo of a dog riding a bike in Times Square wearing sunglasses and a beach hat. This looks quite legitimate to me, this image; it looks like a photo, but this was AI to a T. You can type in whatever you want, with restrictions, and it will generate an image for you. Nina Schick, who is an expert in deepfakes, stated that by 2030, 90% of online content may be synthetic. We are already seeing this with the rise of this text-to-image imagery, and in three years' time, she predicted, it's possible to create Hollywood-level deepfakes with a laptop. So when you look at that deepfake of Tom Cruise I talked about earlier, that was highly sophisticated; it took hundreds of images and videos of Tom Cruise, and there was a reason why they chose Tom Cruise for that purpose. Think about, in three years' time, someone creating a deepfake of that quality with their own laptop, which is quite concerning. There's also going to be a trend of fewer photos being used to create a deepfake of that quality; instead of hundreds it might be 50 in the future, and they'll go down to 10 and then to five. If you look at that image of me in the beginning as the 18th-century royal, that only took nine images of me, so that's something to keep in mind.

Now, future scenarios. There will be multiple methods used by threat actors to make deepfake phishing as effective as possible, and I've got an example here. Rachel Tobac, who works in cyber security, uploaded a video on YouTube called "It was easy to hack a billionaire", and the method she used was she spoofed her phone number to look like a client of that billionaire, and she used an audio deepfake to say, can you please have a look at your emails, please action as soon as possible, it's really urgent. He thought, oh okay, I'll do that right now; he went on there, clicked on the link in the email, and it was actually malicious, and she gained access to his cloud server and all of his personal information that was uploaded on there. So that's an example of the multiple different types of methods used, beyond just, for example, phone calls; it'll be more than that.

We may also see deepfakes as a service. So currently, for example, that Tom Cruise deepfake, a researcher who works in AI created that; that kind of capability is kind of not available to everyone, but in the future it may be. We've already talked about the fact that threat actors are talking about deepfakes on the dark net, on the clear net, and it's probably only a matter of time before this is offered as a service. When you think about merging deepfake capabilities and social engineering, and a bit of open source intelligence in there as well, I see a lot of room for profit for a lot of threat actors out there. And with the metaverse as well, if that increases in popularity: there was a company recently that released the fact that they have generated the ability to 3D scan someone's face and upload it onto their metaverse avatar. As soon as I saw that, I straight away thought about deepfakes and the fact that people may manipulate this technology to look like someone else, and we already see a lot of malware, a lot of phishing, a lot of cryptocurrency scams in the metaverse, and it's probably only a matter of time before deepfakes and those phishing campaigns on the metaverse are kind of combined and worked together to be as effective as possible.

Next up: Zoom phishing, which is Zoom-based deepfake attacks, and experts predict that it will occur more frequently in the future, and there is a case study here. So in July 2022 there was a group of hackers that were able to impersonate a CEO at Binance using a deepfake in Zoom, and we've got on the right here messages exchanged between two people on LinkedIn saying, hey, was that you? And it actually wasn't; it was a deepfake, and obviously a realistic one. On the left here we've actually got a court case that recently happened, during the pandemic, in Texas, where a lawyer actually didn't know how to remove the cat filter, so he had to legally state, "I'm not a cat". But the fact that this technology already exists, these filters already exist, shows that there is potential for deepfakes as well in this space, and you know, with that cat filter, the lips of the cat as well as the audio were kind of in sync as well, the eyes as well; it's kind of realistic. So we'll see what happens there, but this is what experts predict as well.

The future security implications. The goal is to evade security controls. We've already seen the increase of deepfakes targeting the IT sector in particular, which is of concern, and we're also seeing a rise of biometrics and passwordless logins. So when you think about face scans being used to log in, or audio, think about how that can be manipulated with deepfakes, and it's not that difficult to do either. With real-time deepfake phishing attacks, VPNs aren't going to save you from a deepfake phone call, a FaceTime or an audio phone call as well, so that's something to keep in mind. It relies on that human error and those urgent deadlines and ramifications as well. And with non-real-time phishing, as I stated as well, it can be cast to a wide net of people, so not just one or two people; it can be sent to an entire team, which is of concern. With the increase of work from home, the use of Zoom, Microsoft Teams, TeamViewer, Slack, all these platforms, we may see rises of those being exploited with these deepfake phishing attacks also. And we're seeing the rise of insider threats and how important that is to manage as well, in terms of employees, contractors, partners, and the possibility of them being blackmailed with a deepfake of them doing something potentially illicit or immoral, and then potentially losing their job if that's distributed. So, something to keep in mind.

On to some methods of detection. Unfortunately, there are no tools out there that can 100% accurately determine a deepfake. This deepfake technology is constantly evolving, it's constantly improving, but the tools are also evolving as well, so the ones that I mention today, in a year's time they might not exist, or they might not work as well as other ones that are available in a year. So we've got Fake Profile Detector, which is pictured on the top left here, and it's a Google Chrome extension, and it claims to detect AI-generated images of people who don't exist, in particular those GAN-style images that I talked about earlier. But it's good to note as well that there are other websites where you can generate deepfakes, and it may not be as effective for those other websites. On the top right here we've got a technique coined by the handle @BenDoBrown, Benjamin Strick on Twitter, who stated that the eyes perfectly align for every single deepfake of a person on the website thispersondoesnotexist.com. So that's something to keep in mind; I highly suggest people go onto that website and have a look at the individuals on there. Every time you refresh the website it generates a new face, so there's like a thousand faces there, and when you go through that you can actually see the things that you can look out for, so for example mismatches or weird eyes, or a hairline that doesn't quite match, that kind of thing. We've also got tools such as ffmpeg, which is a Linux-based tool, as well as the website watchframebyframe.com and other sites like that, which offer the ability to actually view a video frame by frame, so you can actually look at it in detail, which is perfect for those non-real-time attacks which may occur and you might receive. FakeCatcher as well: this was only recently introduced and created by Intel; it was probably released about two weeks ago, but they claim to detect 96% of all deepfakes, looking at the blood flow of people, which deepfakes don't have, which I thought was really fascinating. But it's unfortunately a cat-and-mouse game. So when deepfakes first emerged, researchers found out that they weren't blinking very much, and everyone thought, yeah, that's great, oh my gosh, we know how to detect a deepfake, everyone, they don't blink as much, we're all good to go. Well, in a couple of months' time they started to blink a lot more. So in terms of, you know, FakeCatcher, for example, my guess is in about a year's time somehow deepfakes will cover blood flow; don't know how, but this is how it's constantly evolving. It's a cat-and-mouse game, and it's quite difficult to detect.

I'm a firm believer in practice makes perfect. We've got two websites here that I recommend: detectfakes.com, which provides both audio, video and images of deepfakes, where you can determine whether it's real or fake, and on the right here you've got whichfaceisreal.com, which is perfect to practise on those GAN-style images of people who don't exist.

Now, OPSEC is actually quite important. There's a reason why politicians or celebrities are the main targets for deepfakes right now, and that's because, if you look at that deepfake of Tom Cruise, you needed hundreds of images and videos for that to be as good as it is, right? So my thought is, in the next couple of years, influencers and content creators and CEOs will be the next targets, because it's their job to kind of get out there, talk to people, talk at conferences, post things, post photos, and unfortunately the more you have online, you may be a victim of a deepfake attack if you have this amount of content out there. So I think OPSEC is really important; your privacy is really important on your social media. But at the same time it's important to keep in mind that open source intelligence is constantly improving and there are constantly new tools out there as well, and with that, even though you've got everything on private, for example, your aunt who attended Christmas with you last year might have uploaded 100 photos of you, and that can be found. So just keeping that in mind as well.

And how to protect your business from deepfakes. Looking around, I assume all of you know some methods to detect a phishing attack. A phishing attack: you're looking for spelling errors, you're looking for emails that aren't exactly the same one as what you got a month ago, you're scanning your URLs. But how many of you know how to detect a deepfake? See what I mean? So awareness needs to be raised, because if deepfakes and phishing are merged into one, this is a capability that needs to be known about. People need to start talking about deepfakes, knowing about the current capabilities and potentially how to detect them. So I highly recommend raising awareness, training employees, and establishing the relevant security protocols, for example stronger authentication for money transfers, or secondary communication channels, talking in different channels as well, asking security questions, making sure you don't give the answer to them is really important, and being aware of the things to look out for in deepfakes as well. And here is my resources list that I used to create this talk. Thank you, BSides, so much for the opportunity, and thank you everyone for listening. Hope everyone's [inaudible].