Rich PII enables sophisticated impersonation attacks

As companies ramp up protections against account takeovers, spearphishing and other impersonation attacks, attackers are upping their game by collecting more and richer personally identifiable information (PII). Unfortunately for defenders, this information is often easily available through public sources, leaked databases and black markets. That’s enabling more sophisticated business executive compromise attacks.

Voice deepfakes prove effective

Companies often post recordings of earning calls online, making it easy for attackers to find examples of the target’s actual voice, says Merritt Maxim, vice president and research director at Forrester Research. “You can then use those audio files to create the equivalent of a fake recording from the CEO,” he says. “‘Please transfer money to this person, it’s urgent.’ We’re going to see more of that scenario.”

The technology is getting better and easier by the day. To see this technology in action, check out a demo by artificial intelligence (AI) firm Dessa, in which they recreated podcaster Joe Rogan’s voice using a text-to-speech deep learning system they developed.

According to Symantec CTO Hugh Thompson, at least three recent attacks using deepfake voices have cost companies millions of dollars in losses. What happened in these cases is that someone in the finance department gets a deepfake, interactive phone call from someone who sounds just like the CEO, says Thompson. “The ‘CEO’ says something to the effect of, ‘It’s the end of our quarter. We need a wire transfer to go out within the next hour. It is critical, we have to pay this supplier and it has to happen before our quarter closes,’” In one case, says Thompson, a company employee wired $10 million to the scammers.

Video deepfakes within reach of attackers

Next, expect to see attacks using live video calls where the video is generated by AI. “I saw a presentation last week about romance scams,” says Scott Keoseyan, managing director for Deloitte Cyber at Deloitte & Touche LLP. “This guy was pushing a button, and the girl would smile. He wants to make the girl wink, and she’d wink. While he was talking, his voice was changing into the woman’s voice and matching the video. The victim really thought they were talking to a live female, but it was a guy running the whole thing. It looked absolutely real, but it was completely fake.”

Deeper insight into individuals aids BEC scams

These kinds of attacks are the logical evolution of the business email compromise (BEC) scam. Attackers trick company employees into sending them money by impersonating company executives. According to the FBI, BEC attacks have cost businesses more than $26 billion over the past three years, with about half of those losses taking place in the past year.

BEC fraud, as well as other kinds of spearphishing attacks, is more successful when the attackers have insight into the individual they’re trying to impersonate, says Scott Keoseyan, managing director for Deloitte Cyber at Deloitte. “We’re legitimizing ourselves because we know something about the person we’re trying to impersonate,” he says. “We know they’re traveling. We know things about their family, their business relationships, their direct reports and subordinates.”

Hackers can easily get access to a lot of information, he says. That includes details about the target’s family, address history, street they grew up on, mother’s maiden name — data needed to security questions.

Criminal markets sell rich technical data

What’s harder to find, says Keoseyan, is detailed technical data about the users. Companies increasingly use device fingerprints and behavioral analytics to spot suspicious access to bank accounts or corporate systems. It takes some technical skill to infiltrate a user’s computer and collect this information.

However, this segment of the criminal ecosystem has been evolving, he says, with new providers offering rich technical PII as a service. “We saw this approach evolve out of the ransomware space,” he says. “I don’t need to be a programming expert anymore. I can buy a kit, or I can buy the information, or I can buy access. All I need to do is execute my scheme — someone else is providing the crime technology as a service.”

According to threat intelligence provider IntSights, the two leading providers in the digital identity space are Richlogs and Genesis. Genesis is the older of the two, says Ariel Ainhoren, IntSights’ head of research. The market first appeared last fall, offering a full set of people’s digital fingerprint, including browser and computer characteristics. When it launched, it had just a couple of hundred user profiles for sale, he says, but it now has more than 100,000.

Richlogs hit the scene this past April and has about 6,000 user profiles for sale. “But it’s still been in beta for the last couple of months,” says Ainhoren. “And it’s growing every day.”

Richlogs also offers direct access to victims whose computers have been compromised by the company’s botnet. In some cases, customers can look over users’ shoulders and watch what they do. “It’s like keylogging on steroids,” he says. In other cases, depending on the level of infiltration, Richlog’s customers may have remote access to the machine.

For both markets, no technical knowledge is required, he says. “You don’t have to be able to use sophistical tools or controllers,” Ainhoren says. “Just go and buy some tutorials. It tells you how to use it, and then you can do what you like with the victim details.”

For example, there’s an add-on that lets criminals mimic a victim’s website session. The customers don’t even have to know how to access the dark web to get to these sites, Ainhoren says. “Those sites are just out there. You don’t need TOR to access them.”

The sites are also adding new features all the time, he says. For example, criminals can filter for the presence of Bitcoin wallets, or for a history of accessing banking sites, or geographical location. The primary use case is to take over accounts on big consumer-oriented platforms such as eBay, PayPal and major banks. “But if people access corporate networks from their home computers, you can see that as well,” Ainhoren says, adding that there’s no way for criminals to ask Richlogs or Genesis for profiles that access corporate networks or systems. “But they add stuff all the time.”

According to Christian Lees, CTO and chief intelligence officer at cybersecurity research firm Vigilante, criminals will charge more for user profiles that have value. “Say, for example, an Azure admin or something like that.” Prices range from a few dollars to thousands of dollars per profile, he says.

Defensive measures to counter use of rich PII

Companies should have basic hygiene in place to protect their users’ computers, including personal devices that they use at home to access corporate systems. Two-factor authentication can also dramatically lower risks.

However, if they can mimic a real user well enough, attackers might be able to avoid triggering the second-factor authentication step. “For example, if you were to log into your financial institution, the financial institution will look at your last login, at variables in your environment such as cookies or even the resolution on your computer screen,” he says. If that all looks right, the bank might not, say, send a one-time access code to the user’s phone.

Many financial institutions are recognizing the problem and will trigger the second-factor authentication step for any sensitive transaction, such as changing contact information or sending money to a new payee. Similarly, on the enterprise side, companies can look beyond checking if the employee is accessing their account from a familiar device and adding behavioral analytics and two-factor authentication for additional layers of security. Virtual desktop tools are available that can isolate the corporate environment from a user’s machine, which is helpful if they’re logging in from a home computer.

Employees and executives can also take some common-sense measures to keep their personal information private. “I’m a huge advocate of reducing our digital footprint,” says Lees. “Let’s just not share everything we do.”

On a slightly more proactive note, companies can use services to find out if their customers’ or employee’s information is on the dark web, says Forrester’s Maxim. “We refer to it as digital risk protection,” he says. “Companies can go out and look and see if there’s information out there.” Vendors in this space look for leaked and stolen information, as well as for other brand risks such as fake brand sites or social media accounts.

Another proactive step that companies can take is to go out and get the tools the attackers are using, says Alex Heid, chief research officer at SecurityScorecard. That can lead to ways to detect and mitigate potential attacks, he says.

For the most high-value attacks, such as the multi-million-dollar BEC scams, the solution isn’t as much technological as it is about fixing business processes. Dual custody is one of the most effective controls that companies can put in place to defend against BEC, says Deloitte’s Keoseyan. “It’s also the hardest control to implement in an institution that wants to move quickly,” he added.

The way it works is that for transactions above a certain size, two or three different people need to sign off on it. “Make it whatever the threshold needs to be to meet your risk tolerance,” he says. “But if it’s over a certain amount, I would feel much more comfortable, if I was going to transfer all of my money out of my account, that we talk to the CFO at the same time.”