Social-Engineer Newsletter Vol 07 – Issue 88

 

Vol 07 Issue 88
January 2017

In This Issue

  • Please Don’t Put Words In My Mouth
  • Social-Engineer News
  • Upcoming classes

THE NEWS


As a member of the newsletter you have the option to OPT-IN for special offers. You can click here to do that.


Check out the schedule of upcoming training on Social-Engineer.com

2016 Schedule

If you want to ensure your spot on the list register now – Classes are filling up fast and early!


The DEF CON 24 SECTF Report has been released and is FREE for download!
https://www.social-engineer.org/ctf/sectf-def-con-24-report-release/You can also view our breakdown and thoughts of the report in our DEF CON 24 SECTF Report Webninar
https://www.social-engineer.org/resources/def-con-24-sectf-webinar/

Do you like FREE Stuff?

How about the first chapter of ALL OF Chris Hadnagy’s Best Selling Books

If you do, you can register to get the first chapter completely free just go over to http://www.social-engineer.com to download now!


To contribute your ideas or writing send an email to contribute@social-engineer.org


Special Thanks and Notices:

If you want to listen to our past podcasts hit up our Podcasts Page and download the latest episodes.


Our good friends at CSI Tech just put their RAM ANALYSIS COURSE ONLINE – FINALLY.

The course is designed for Hi-Tech Crime Units and other digital investigators who want to leverage RAM to acquire evidence or intelligence which may be difficult or even impossible to acquire from disk. The course does not focus on the complex structures and technology behind how RAM works but rather how an investigator can extract what they need for an investigation quickly and simply.

Interested in this course? Enter the code SEORG and get an amazing 15% off!
http://www.csitech.co.uk/training/online-ram-analysis-for-investigators/


A Special Thanks to:

Ace Hackware for their support in very cool schwag and hacker tools

The EFF for supporting freedom of speech

Check out Robin Dreeke’s amazing book called “Its Not All About Me” packed with the top 10 techniques to building rapport fast. It is an awesome book!

Keep Up With Us

Friend on Facebook Facebook
Follow on Twitter Twitter

Please Don’t Put Words in My Mouth

Adobe recently announced Project VoCo at the November Adobe Max conference. It’s purported to have the ability to take recordings of someone’s voice, then create audio that sounds like it is from that person. In a nutshell, it’s Photoshop for audio.

People in the television industry, book narrators, and podcast creators may be rejoicing this as it would mean less time redoing mistakes made in the studio. On the other hand, this could be a malicious social engineer’s dream tool. According to Adobe, the software needs about twenty minutes of someone’s voice, and then it can recreate that voice exactly. The software doesn’t just find words and patch them together; the demo shows it can actually mimic someone and create speech that the person never said. Couple that with the fact that spear phishing of C-suite employees is becoming a bigger problem, and you’ve got a volatile mixture. It’s usually not hard at all to find twenty minutes of audio on most CEOs and other high-level employees. considering many of them participate in press conferences, speeches, podcasts, and interviews.

How could this attack work in the real world?

Once the audio is acquired (through OSINT) and loaded in the program, it could just be a matter of typing in what you want the program to produce. A malicious social engineer’s attack vector may go like this:

  1. Perform OSINT and find that a CEO will be spending a week overseas for a conference.

  1. Create a fake voicemail from the CEO to the head of finance stating, “Hi Sue. I’m in London this week, so I need you to talk to our new vendor Phil Jones tomorrow to transfer some funds for a critical purchase. He’ll call you around 9 a.m. tomorrow.”

  1. When Sue gets to work and hears this voicemail from her CEO, the pretext has been primed and she’s now expecting a phone call.

  1. The following morning the malicious visher calls posing as Phil Jones, and gives Sue the instructions to initiate a wire transfer for a large sum of money.

Isn’t that scenario too implausible?

It may sound far-fetched, but phishing and vishing fraud is already occurring like this on a daily basis without the help of VoCo. The F.B.I. recently reported a 270% increase in “CEO Fraud” since 2015. An estimated $2.3 Billion was lost over the last three years to these attacks, and adding VoCo to the mix could significantly increase this amount.

How else might this possibly be exploited?

Furthermore, with the increasing use of voice activated assistants like the Amazon Echo and Google Home, VoCo could be used to create attacks against these devices. Many are able to integrate with IoT devices, like a garage door or home security system. Imagine if a criminal could pick a lock to a residence then play an audio file in the homeowner’s voice saying, “Alexa, disable home alarm”. Some systems require a vocal PIN as well to disarm the system, but that could possibly be gathered by phishing the target.

Finally, VoCo could be used as a smear-campaign tactic used to sway elections or cause severe controversy. Imagine if multiple “leaked recordings” emerged of a CEO leaving sexually harassing voicemails. The recordings could likely go viral, causing the stock of the company to plummet. Unlike Photoshop, it would be much harder to disprove the authenticity of the recordings made in VoCo; giving the attacker enough time to make several lucrative stock trades in their favor. How could a CEO really prove that they didn’t leave the incriminating voicemails that they were accused of doing in this case?

What can I currently do to mitigate the threat?

Currently VoCo is still in development phase and appears to have some limitations, but this will change as the technology is tweaked and improved. The best way to fight against this possibility is to continually train employees to be vigilant against vishing and spear phishing attacks. This will help prepare them to continue to fend off these attacks, as they get more sophisticated with tools like VoCo. You may also want to consider what you allow a voice-activated assistant to control in your home, and if available, setup a disarm PIN on your voice-controlled security system.


 

 

Trackbacks

Leave A Reply