Artificial Intelligence and Deep Fakes

AI Assisted Social Engineering Attacks 

February 27, 2024

Social engineering attacks have become more complex with the integration of artificial intelligence. Malicious actors are leveraging AI, resulting in social engineering attacks that are increasingly cunning and difficult to detect. We are also seeing a new social engineering attack that deploys malware for the purpose of harvesting videos to create deepfakes. The following news articles serve as critical reminders for all employers/employees about the importance of security awareness education and testing.


Phishing Email and Deepfake Video Call

An AI-assisted social engineering attack tricked a finance worker at a multinational firm into paying out 200 million Hong Kong dollars, about 25.6 million US dollars.

This elaborate attack started with an email. A finance worker received an email, purportedly from the firm’s UK-based Chief Financial Officer (CFO), requesting a secret financial transaction. The finance worker suspected the email was a phishing attempt because of the request for the secret transaction. However, the finance worker’s suspicions were allayed after a video call from the purported CFO. What allayed his doubts? The people in attendance on the video call looked and sounded like colleagues the finance worker recognized. The finance worker believed everyone on the call was real. So, having what he believed to be visual confirmation, the finance worker agreed to make the payout.

However, EVERY PERSON the finance worker saw in the multi-person video conference was FAKE.

Listen to Chris Hadnagy, CEO at Social-Engineer, LLC discuss this attack on the Social-Engineer Podcast: The SE Etc. Series – Episode 248.

Mobile Banking Malware That Captures Facial Data

A new type of trojan malware uncovered by cybersecurity firm Group-IB is the first of its kind to capture facial data for the purpose of breaking into bank accounts. The malware, called GoldPickaxe, is capable of harvesting identity documents and facial recognition data, and of intercepting SMS messages.

Social engineering campaigns that distribute GoldPickaxe malware are targeting the Asia-Pacific region. Prospective targets are sent phishing or smishing messages, written in their local language, that impersonate government authorities or services through the LINE app (a messenger app). The messages try to trick them into installing fraudulent apps, such as a phony ‘Digital Pension’ app hosted on websites posing as Google Play. Security researchers at Group-IB report that if the phony app is downloaded, GoldPickaxe prompts the victim to record a video as a confirmation method in the fake application. The recorded video is then used as raw material for the creation of deepfake videos facilitated by face-swapping artificial intelligence services.

Test. Educate. Protect.

As technology advances, so do the tactics of malicious actors. We are now seeing sophisticated social engineering attacks that combine traditional methods like phishing with AI technology. It’s crucial for individuals and organizations to stay vigilant and initiate security measures to protect against these hybrid attacks. Our managed service programs, Vishing, Phishing, SMiShing, and Security Assessments, will Test, Educate, and Protect your company’s first line of defense – your employees. We apply scientifically proven methodologies to uncover vulnerabilities, define risk, and provide remediation. Engagements focus on the simulation of social engineering attacks and determine the potential for corporate assets being breached and compromised.

Partner with us and fortify your security posture. Please contact us today for a consultation.
