[Eye Opener] The FBI Warns Against a New Cyber Attack Vector Called Business Identity Compromise (BIC)
Shared from CyberheistNews Vol 12 #40, October 4th, 2022
The FBI warns that synthetic content may be used in a “newly defined cyber attack vector” called Business Identity Compromise (BIC).
Imagine you’re on a conference call with your colleagues. Discussing the latest sales numbers. Information that your competitors would love to get a hold of.
All of a sudden, your colleague Steve’s image flickers somewhat. It draws your attention. And when you look at it, you notice something odd. Steve’s image doesn’t look exactly right. It looks like Steve, it sounds like him, but something appears to be off about him. Upon a closer look you see that the area around his face looks like it is shimmering and the lines appear blurry.
You write it off as a technical glitch and continue the meeting as normal. Only to find out a week later that your organization suffered a data leak and the information you discussed during the meeting is now in the hands of your biggest competitor.
Ok, granted, this sounds like a plot from a bad Hollywood movie. But with today’s advancements in technology like artificial intelligence and deepfakes, it could actually happen.
Deepfakes (a blend of “deep learning” and “fake”) can be videos, images, or audio. They are created by an artificial intelligence through a complex machine learning algorithm. This deep learning technique called Generative Adversarial Networks (GAN) is used to superimpose synthesized content over real ones or create entirely new highly realistic content.
And with the increasing sophistication of GANs, deepfakes can be incredibly realistic and convincing. Designed to deceive their audience, they are often used by bad actors to be used in cyber attacks, fraud, extortion, and other scams.
Mind you, deepfakes also have more positive applications. Like this video of President of Obama which was created to warn viewers about fake news online. Or this one of Mark Zuckerberg created to bring awareness to Facebook’s lack of action in removing deepfakes from its platform.
The technology has been around for a couple of years and was already used to create fake graphic content featuring famous celebrities. Initially it was a complicated endeavor to create a deepfake. You needed hours and hours of existing material. But it has now advanced to the point where everyone, without much technical knowledge, can use it.
Anyone with a powerful computer can use programs like DeepFaceLive and NVIDIA’s Maxine to fake their identity in real time. And for audio you can use programs like Adobe VoCo (popularized back in 2016), which is capable of imitating someone’s voice very well. This means that you can go on a Zoom or Teams meeting and look and sound like almost anyone. Install the program, configure it and you are done. Choose any of the pre-generated identities or input one you created yourself and you are good to go. It really is that simple.
That is one of the reasons organizations are so wary of deepfakes. The ease of use. Combine that with the realistic content and it can become scary, very fast. How would you like it if a scammer used your identity in a deepfake? In today’s digital age where business is just as easily done though a phone or video call, who can you trust?
And this is one of the fundamental dangers of deepfakes. When used in an enhanced social engineering attack, they are intended to instill a level of trust in the victim. It is because of this danger that the FBI has a sent out a Public Service Announcement and issued a warning about the rising threat of synthetic content, even going as far as giving these attacks a new name: Business Identity Compromise (BIC).
So, what can you do to protect yourself from deepfakes? Can you actually defend against a form of attack that is specifically designed to fool us? Yes, you can, but with the pace of the advances in the technology, it isn’t easy. Things that are designed to fool your senses, generally succeed.
[CONTINUED] with tons of links and Top 5 Deepfake Defenses at the KnowBe4 Blog: