Many real-world evils and dangers prevail in the cyber world too. What are the odds that you may come face to face with a gun-wielding mugger while walking along a desolate and dark street? Believe it or not, today the odds are the same when you visit an unsafe website or open an email. Cyber attackers don’t blink an eye to use their deadly weapons.
Hardened criminals change their identities to blend in with society and commit crimes without being noticed. Cyber hackers are no different. Like a wolf in sheep’s clothing, they disguise themselves as someone else to dig their claws into their victims with more ease.
Business Email Compromise (BEC) and phishing through stolen emails (Spear Phishing) are the costliest cyber-attack methods in business life. Deepfake is the most powerful weapon that cyber hackers use when they attack. The peril is not limited to damaging the reputations of politicians, businesspeople, executives, famous artists, and athletes with forged and synthetic videos or voice recordings. The threat of deepfake should not be confined to creating chaos by contrived provocation. Global damage caused by cyber-attacks is projected to hit $6 trillion by the end of 2023. Thus, the Deepfake Detection Challenge (DFDC), spearheaded by Facebook and entering its final phase on April 1, is critical. Nearly 2100 brains are competing to develop an effective security model while fulfilling a historic responsibility against countless enemies.
Corporate email addresses are not kept in a vault
Phishing hackers, who haunt the executives of large corporations, capture business emails through various BEC attacks. Having seized authentic and legal corporate email addresses, they send emails that do not contain suspicious attachments or links, thus bypassing all filters and catching their victims off guard.
An international email authentication protocol called Domain-based Message Authentication, Reporting and Conformance (DMARC) has been developed as a result of the efforts launched in 2012. DMARC has been devised to protect email domains, particularly of businesspeople and executives, against unauthorized use (generally known as email phishing). It is considered standard that email authentication prevents ill-intentioned third parties from sending malicious emails using stolen email addresses. A domain name that does not apply any type of DMARC policy exposes email recipients to possible phishing attacks, and 91% of all cyber-attacks begin with a phishing email.
Despite the promising rise in the number of domain names registered in DMARC, not much has changed in practice. The number of registered domain names surpassed 1.9 million in 2018, rising from 630,000 the year before. Nevertheless, the level of awareness in companies of DMARC practices and records is quite low. For instance, a mere 23% of Fortune 500 companies have some sort of a DMARC policy, even though they are the highest-earning companies in the United States. Chinese companies are even worse. For the second consecutive year, Chinese companies have the lowest rate in embracing any form of DMARC policy, and 93.5% of domain names maintain no policy at all. Moreover, less than 17% of DMARC records can be kept under control. In other words, fraudulent emails allegedly coming from registered domain names still end up in recipients’ email boxes.
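Publishing a DMARC record is not the same as having receivers act on it: a record with `p=none` only requests reports, while `p=quarantine` or `p=reject` asks receivers to hold back failing mail. The following added example (not part of the original article) classifies DMARC TXT records on that basis. The domains, records, and status labels are constructed for illustration, and a real audit would first fetch the TXT record published at `_dmarc.<domain>`.

```python
# Added example: classify DMARC TXT records by the protection they request.
# All domains and records below are constructed sample data.
SAMPLE_RECORDS = {
    "no-record.example": None,  # nothing published at _dmarc.<domain>
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "broken.example": "p=reject; v=DMARC1",  # v= tag is not first
}

ENFORCING = {"quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    if not txt:
        return None
    tags = []
    for part in txt.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags.append((name.strip().lower(), value.strip()))
    # RFC 7489: v=DMARC1 must be the first tag, otherwise the record is ignored.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)

def classify(txt):
    """Map a TXT record to one of this example's own status labels."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "unprotected"      # no usable record: receivers have no policy
    policy = tags.get("p", "").lower()
    if policy == "none":
        return "monitor-only"     # reports only, failing mail is still delivered
    if policy not in ENFORCING:
        return "invalid"          # simplification: missing or unknown p= value
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100                 # unparseable pct falls back to the default
    # pct below 100 applies the policy to only that share of failing mail.
    return "enforced" if pct >= 100 else "partial"

def audit(records):
    """Classify every domain in a {domain: txt_record} mapping."""
    return {domain: classify(txt) for domain, txt in records.items()}

if __name__ == "__main__":
    for domain, status in audit(SAMPLE_RECORDS).items():
        print(f"{domain:20} {status}")
```

Only the `enforced` domain in this sample asks receivers to block all spoofed mail; the others still let it through in whole or in part.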
Even smart and successful people can fall for convincing phishing
Cyber hackers use the corporate email addresses they have captured either to carry out indiscriminate phishing attacks or to target certain people or companies in Spear Phishing attacks with the intention of swindling money. BEC attacks are commonly carried out along with Spear Phishing attacks as a way of “baiting and tackling.” Millions of dollars are stolen in a wide range of scenarios, such as getting the company to pay fictitious invoices, or with payments or transfers to the company’s bank with bogus orders. World-renowned automotive giant Toyota is one of the latest examples. A Toyota subsidiary lost more than $37 million last September as a result of a fraudulent transfer. While confirming the attack, the company, on the grounds of a continuing investigation, did not disclose whether the transfer order was the result of a BEC attack. According to the FBI, BEC attacks have cost the affected companies and businesspeople more than $26 billion in damages worldwide over the past three years.
Those taking the bait will easily swallow it because of deepfake
Deepfake technologies, through artificial intelligence (AI) and deep learning, can produce reality derivative synthetic videos and voice recordings that deal the final blow to the victims of BEC and Spear Phishing. Imagine that a company’s CEO orders a financial transaction from his or her email address, followed by a personal voice message. Furthermore, that CEO conducts a video chat to ask the company’s executive whether the payment or remittance order he or she sent by email has been received and completed. Could any employee question a request like this from the company’s top executive? Last year, the finance manager of an energy company in England merely needed to hear the voice of the CEO to wire $243,000 to a Hungarian supplier. Ultimately, the money could be tracked only to an account in Mexico. Just envisage what the CEO could get people to do with a video request.
No online defense system exists yet, and the strength of the enemy is yet to be known.
Today, the cybersecurity industry still lacks a device, email filter, software, or a technology standard that can defend against deepfake. However, 2020 may be a milestone in this respect. We know that the US presidential elections in November are set to be a turning point for intimidating deepfake attacks. Meanwhile, the DFDC project spearheaded by Facebook remains at the center of great expectations for an online deepfake defense system. At the time of writing this article, the number of teams in a global pursuit reached 2079. On the front lines, the Zemana deepware.ai team is a contender. The initial standing for the first stage of the quest can be tracked at the kaggle.com address. Then, an exclusive list will be created for the final phase, which will commence on April 1. The announcement is expected on April 22 for the cybersecurity models that will win an award and provide hope for the online world against deepfake.
Until the day of salvation, the only remedy is to help online users be aware and alert against these types of cyber-attacks. However trivial it may seem, online users must be mindful and keep eyes open for any unusual situation. The cost of blind faith can no longer be afforded.