Deepfakes are perhaps the most spectacular application of GenAI so far. They’ve captured the public imagination through outlandish stunts, but they’re also being put to more prosaic and malevolent use.
At least one threat actor group already uses voice-changing technology in its social engineering attacks.
We believe use of this technique will continue to grow, so we have begun testing it ourselves.
Using openly available GenAI tools, two Unit 42 consultants created an audio deepfake of SVP Wendi Whitmore asking for a credential reset. It only took about 30 minutes and US$1 to create a convincing audio file based on publicly available clips of her speaking to the press and at events.
We assess that threat actors can already perform this kind of work using the same non-real-time tools we did. Currently, the processing time needed to create convincing voice files is slightly too long for real-time use. Consequently, we expect threat actors to pre-record the phrases they might need for a helpdesk call and play them back during the conversation.
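The report does not name the specific tools our consultants used, so the following is an illustrative sketch only of how little code such a non-real-time, pre-recorded workflow requires. It assumes the open-source Coqui TTS library with its XTTS v2 voice-cloning model; the reference clip path, output path, and script text are hypothetical stand-ins.

```python
# Illustrative sketch only: clones a voice from a short public reference clip
# and pre-renders a phrase for later playback during a helpdesk call.
# Assumes the open-source Coqui TTS library (pip install TTS); the file
# paths and script text below are hypothetical.
from TTS.api import TTS

# Load a multilingual voice-cloning model (downloads on first use).
tts = TTS("tts_models/multilingual/multi-dataset/xtts_v2")

# A phrase an attacker might pre-record for a helpdesk interaction.
script = "Hi, I'm locked out of my account and need a credential reset."

# Synthesize the phrase in the voice captured from the reference clip.
tts.tts_to_file(
    text=script,
    speaker_wav="public_interview_clip.wav",  # hypothetical reference audio
    language="en",
    file_path="prerecorded_reply.wav",
)
```

Note that nothing in this sketch runs in real time: the model takes seconds to render each phrase, which is why pre-recording and playback is the practical path for attackers today.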
We also believe that as real-time voice changers are developed and become widely available, attackers will move swiftly to adopt them in similar attacks.
In our proactive security work, we have already demonstrated these capabilities for clients. One publicly traded client asked us to create an authentic-sounding message from the CEO as part of security education.
In a few clicks, we collected the CEO’s public appearances from several televised interviews. We then asked a GenAI application to write a security awareness message using the tone and cadence of the CEO’s public speeches. Finally, we generated an audio message: an inauthentic voice reading an inauthentic text.
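As a rough illustration of this two-stage pipeline, the sketch below has a text model draft the message in the executive’s style and then has a voice-cloning model read it aloud. The report does not identify the actual GenAI applications used; the OpenAI chat API and Coqui TTS here are assumed stand-ins, and the model names, prompt, and file paths are hypothetical.

```python
# Illustrative sketch of the two-stage pipeline described above: a text model
# drafts the message in the executive's style, then a voice-cloning model
# renders it. All model names, prompts, and file paths are hypothetical.
from openai import OpenAI
from TTS.api import TTS

client = OpenAI()  # assumes OPENAI_API_KEY is set in the environment

# Stage 1: draft a security awareness message matching the CEO's tone and
# cadence, conditioned on transcripts gathered from televised interviews.
with open("ceo_interview_transcripts.txt") as f:  # hypothetical file
    transcripts = f.read()

draft = client.chat.completions.create(
    model="gpt-4o",
    messages=[{
        "role": "system",
        "content": (
            "Write a short security awareness message to employees, matching "
            "the tone and cadence of these speech transcripts:\n" + transcripts
        ),
    }],
).choices[0].message.content

# Stage 2: render the inauthentic text in the inauthentic voice.
tts = TTS("tts_models/multilingual/multi-dataset/xtts_v2")
tts.tts_to_file(
    text=draft,
    speaker_wav="ceo_interview_clip.wav",  # hypothetical reference audio
    language="en",
    file_path="awareness_message.wav",
)
```

The point of the exercise is how short this pipeline is: the only inputs are publicly available recordings, and every stage uses openly available tooling.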