Malicious campaigns involving the use of deepfake technologies are a lot closer than many might assume. Furthermore, mitigation and detection of them are hard.
A new study of the use and abuse of deepfakes by cybercriminals shows that all the needed elements for widespread use of the technology are in place and readily available in underground markets and open forums. The study by Trend Micro shows that many deepfake-enabled phishing, business email compromise (BEC), and promotional scams are already happening and are quickly reshaping the threat landscape.
"From hypothetical and proof-of-concept threats, [deepfake-enabled attacks] have moved to the stage where non-mature criminals are capable of using such technologies," says Vladimir Kropotov, security researcher with Trend Micro and the main author of a report on the topic that the security vendor released this week.
'We already see how deepfakes are integrated into attacks against financial institutions, scams, and attempts to impersonate politicians," he says, adding that what's scary is that many of these attacks use identities of real people — often scraped from content they post on social media networks.
One of the main takeaways from Trend Micro's study is the ready availability of tools, images, and videos for generating deepfakes. The security vendor found, for example, that multiple forums, including GitHub, offer source code for developing deepfakes to anyone who wants it. Similarly, enough high-quality images and videos of ordinary individuals and public figures are available for bad actors to be able to create millions of fake identities or to impersonate politicians, business leaders, and other famous personalities.
Demand for deepfake services and people with expertise on the topic is also growing in underground forums. Trend Micro found ads from criminals searching for these skills to carry out cryptocurrency scams and fraud targeting individual financial accounts.
"Actors can already impersonate and steal the identities of politicians, C-level executives, and celebrities," Trend Micro said in its report. "This could significantly increase the success rate of certain attacks such as financial schemes, short-lived disinformation campaigns, public opinion manipulation, and extortion."
There's a growing risk also of stolen or recreated identities belonging to ordinary people being used to defraud the impersonated victims, or to conduct malicious activities under their identities.
In many discussion groups, Trend Micro found users actively discussing ways to use deepfakes to bypass banking and other account verification controls — especially those involving video and face-to-face verification methods.
For example, criminals could use a victim's identity and use a deepfake video of them to open bank accounts, which could later be used for money laundering activities. They can similarly hijack accounts, impersonate top-level executives at organizations to initiate fraudulent money transfer or plant fake evidence to extort individuals, Trend Micro said.
Devices like Amazon's Alexa and the iPhone, which use voice or face recognition, could soon be on the list of target devices for deepfake-based attacks, the security vendor noted.
"Since many companies are still working in remote or mixed mode, there is an increased risk of personnel impersonation in conference calls which can affect internal and external business communications and sensitive business processes and financial flows," Kropotov says.
Trend Micro isn't alone in sounding the alarm on deepfakes. A recent online survey that VMware conducted of 125 cybersecurity and incident response professionals also found that deepfake-enabled threats are not just coming — they are already here. A startling 66% — up 13% from 2021 — of the respondents said they had experienced a security incident involving deepfake use over the past 12 months.
"Examples of deepfake attacks [already] witnessed include CEO voice calls to a CFO leading to a wire transfer, as well as employee calls to IT to initiate a password reset," says Rick McElroy, VMware's principal cybersecurity strategist.
Generally speaking, these types of attacks can be effective, because no technological fixes are available yet to address the challenge, McElroy says.
"Given the rising use and sophistication in creating deepfakes, I see this as one of the biggest threats to organizations from a fraud and scam perspective moving forward," he warns.
The most effective way to mitigate the threat currently is to increase awareness of the problem among finance, executive, and IT teams who are the main targets for these social engineering attacks.
"Organizations can consider low-tech methods to break the cycle. This can include using a challenge and passphrase amongst executives when wiring money out of an organization or having a two-step and verified approval process," he says.
Gil Dabah, co-founder and CEO of Piaano, also recommends strict access control as a mitigating measure. No user should have access to big chunks of personal data and organizations need to set rate limits as well as anomaly detection, he says.
"Even systems like business intelligence, which require big data analysis, should access only masked data," Dabah notes, adding that no sensitive personal data should be kept in plaintext and data such as PII should be tokenized and protected.
Meanwhile on the detection front, developments in technologies such as AI-based Generative Adversarial Networks (GANs) have made deepfake detection harder. "That means we can't rely on content containing 'artifact' clues that there has been alteration," says Lou Steinberg, co-founder and managing partner at CTM Insights.
To detect manipulated content, organizations need fingerprints or signatures that prove something is unchanged, he adds.
"Even better is to take micro-fingerprints over portions of the content and be able to identify what's changed and what hasn't," he says. "That's very valuable when an image has been edited, but even more so when someone is trying to hide an image from detection."
Steinberg says deepfake threats fall into three broad categories. The first is disinformation campaigns mostly involving edits to legitimate content to change the meaning. As an example, Steinberg points to nation-state actors using fake news images and videos on social media or inserting someone into a photo that wasn't present originally — something that is often used for things like implied product endorsements or revenge porn.
Another category involves subtle changes to images, logos, and other content to bypass automated detection tools such as those used to detect knockoff product logos, images used in phishing campaigns or even tools for detecting child pornography.
The third category involves synthetic or composite deepfakes that are derived from a collection of originals to create something completely new, Steinberg says.
"We started seeing this with audio a few years back, using computer synthesized speech to defeat voiceprints in financial services call centers," he says. "Video is now being used for things like a modern version of business email compromise or to damage a reputation by having someone 'say' something they never said."