sb-as logo
Story image

Safeguarding against AI-based cyber-attacks

31 Oct 2019

Article by Wontok product head Bruce Carney

Never a day goes by without headlines of yet another cyber-attack, data breach or identity theft - even boardrooms have finally become familiar with terms like "ransomware" - an alien concept in the past that belonged to the "geeks in IT".

Businesses, education institutions, and indeed all levels of government have become more aware of the damage such actions can inflict.

Criminals continue to use old-school methods such as phishing scams to lure their victims but they also have a keen eye on the next technological step where more sophisticated tools and techniques are employed to dupe people.

We've now seen the advent of artificial intelligence being used for cybercrime, with a recent widely reported case a flavour of what's to come.

In March, the CEO of a UK-based energy firm received a phone call from his "boss" - or so he thought - who runs its German parent company.

His "boss" instructed him to transfer €220,000 to a Hungarian supplier, saying it was urgent and needed to be done in an hour.

The UK chief executive had no reason to question the authenticity of the call as he recognised his boss's slight German accent and tone of voice, the company’s insurance firm, Euler Hermes Group SA revealed.

He had no reason to believe it was all a hoax, and could well be one of the first voice-spoofing cybercrimes using AI-based software.

Does this sound familiar?

Remember world-renowned hacker Kevin Mitnick? He gained notoriety after his social engineering skills landed him behind bars.

Mitnick would call big US corporations and obtain key information by gaining the trust of employees.

In fact, when he was a teenager, he once phoned the system manager at Digital Equipment and posed as "Anton Chernoff", one of DEC's lead developers.

"Anton" told the manager he had trouble logging in to the company's dial-up modem (Mitnick's friends found an old, discarded unit) and was immediately provided with login details and high-level access to DEC's internal systems.

Voice phishing or using social engineering over the phone to gain personal and financial information isn't new, and criminals use modern tools and technologies such as caller ID spoofing to hide their true location (and identity).

Fraudsters using AI to mimic voices - as per the European energy firm case - is just an evolution in technology: it's akin to how modern-day layby services such as Afterpay and Zip have gained overnight popularity.

The layby or buy now, pay later concept isn't new but these startups have used new technology - combining online, mobile apps and a great interface and user experience - to completely reinvent the way goods and services are purchased.

Nothing much has changed since Mitnick conned DEC some 40-odd years ago when he was 16: humans can still be gullible in this day and age.

Another information-gathering technique has been to call and hang up when a person answers - purportedly to build a voice/biometric profile for identity theft.

Some organisations offer voice as a replacement for passwords to confirm a customer's identity by relying on hundreds of unique characteristics.

ANZ Bank's app, for example, allows customers to pay anyone over $1000 and make BPAY payments of more than $10,000 by using the phrase "my voice confirms my identity".

While there haven't been widespread reports of voice phishing or deepfakes locally, criminals thrive on being ahead of the game and AI is just one of many tools in their arsenal. We cannot fight against this tide but need to urgently adopt a "trust but verify" mindset and approach.

We can trust but always verify a request - whether its someone on the other line, a friend or contact who sends through a link to click on or a text message with a call to action.

We can only manage and control our own behaviour and how we react to and protect from these scams.

Bruce Carney is the newly appointed product head at global cybersecurity firm Wontok.

He started his career as a Research Engineer at the University of Newcastle, and has had senior roles at Atlassian, Telstra and Nokia in Australia, the US and UK.

Story image
5G network security a US$9 billion dollar opportunity - report
The cloud-native nature of 5G networks will have a disruptive and positive impact on the cybersecurity industry in the next few years, with 5G network security presenting a US$9 billion enterprise market opportunity by 2025.More
Story image
Hybrid IAM solutions are the way of the future, study states
“As this first-of-its-kind research shows, while IT leaders are faced with unique criteria and conditions that shape their IT strategy, hybrid IAM has emerged as a necessity."More
Story image
Kasada launches new defenses against bot attacks
Kasada has announced the general availability of its new V2 platform in a bid to address the increasing sophistication of bot attacks.More
Story image
Enterprises underutilising security tools, causing teams to burn out
The report unveiled a lack of meaningful ROI metrics when reporting on security progress, as well as disparate opinions on objectives, tool effectiveness and security awareness amongst the organisation between executives and operations on security teams.More
Story image
Kroll completes Redscan acquisition, expands cyber risk portfolio
With the addition of Redscan and its extended detection and response (XDR) enabled security operations centre (SOC) platform, Kroll expands its Kroll Responder capabilities to support a wider array of cloud and on-premise telemetry sources.More
Story image
Attivo Networks expands Active Directory suite for greater protection
"We see Active Directory exploitation used in the majority of ransomware, insider and advanced attacks. We are pleased to now offer our customers early and efficient solutions for preventing the misuse of Active Directory.”More