LastPass Revealed As Latest Victim Of Deepfake Scam

Understanding Deepfake Technology

In recent years, the cyber threat intelligence community has identified risks about the alarming increase of 'deepfake' technology. This technology allows for the creation of compelling fake audio and video. Fraudsters exploit it to target companies and individuals, posing a significant cybersecurity threat.

"Deepfakes" use AI to take existing sound and video clips to create a new recording that shows someone saying or doing anything the deepfake tool is programmed to mimic.

Common types of deepfakes include;

Deepfake video: A type of synthetic media where a person in an existing video is replaced with someone else's likeness, using artificial intelligence and machine learning techniques.
Real-time or live deepfakes: The generation of deepfake videos or audio in real time, meaning they are created and streamed almost instantaneously as the interaction occurs. This technology enables the manipulation of video and audio feeds so effectively that it can alter a person's appearance or voice during live broadcasts, video calls, or any form of live digital communication.
Deepfake audio: A synthetic form of audio content created using artificial intelligence and machine learning techniques to manipulate or generate human-like speech.
Textual deepfakes: Content generated by artificial intelligence or machine learning models that mimic human writing styles. These can be articles, social media posts, emails, or any other form of text that appears to be written by a human but is created by an AI.
Deepfakes on social media: The use of advanced artificial intelligence and machine learning techniques to create and share videos, images, or audio clips that convincingly depict people saying or doing things they did not say or do.

Unraveling The Scam

LastPass, the password manager application, has issued a warning that one of its employees fell victim to a social engineering attack involving an audio deepfake, which imitated the voice of the company's CEO.

LastPass' Senior principal intelligence analyst, Mike Kosak, had this to say about the incident in a recent blog post:

"In our case, an employee received a series of calls, texts, and at least one voicemail featuring an audio deepfake from a threat actor impersonating our CEO via WhatsApp."

Mike goes on to explain, "As the attempted communication was outside of normal business communication channels and due to the employee's suspicion regarding the presence of many of the hallmarks of a social engineering attempt (such as forced urgency), our employee rightly ignored the messages and reported the incident to our internal security team."

A Narrow Escape From Deepfake Fraud

Mike explained that there was no impact on LastPass as a company, and this was a fortunate close call.

He emphasised the need to raise awareness about the growing threat of deepfakes, which are increasingly linked to identity theft and can have severe consequences for both individuals and businesses.

LastPass reported this incident to point out that deepfakes aren't just for high-level espionage anymore; they're also being used in common scams that impersonate company executives.

Mike emphasised the importance of verifying suspicious contacts who say they're affiliated with your company by using the official communication channels.

Silver Lining's Guide to Avoiding Phishing Scams

Cybercriminals constantly seek new opportunities to exploit vulnerabilities, making it crucial for businesses to update their defences continuously. Securing email is essential, as it remains the primary way cybercriminals gain access to a company. Additionally, even with deepfakes, these are often combined with business email compromise tactics.

Silver Lining empowers your workforce to make informed security decisions daily. By taking advantage of our services, such as our Phishing Simulation, we can help you protect your business and your employees.

Our simulation features our expert team creating a customised phishing email designed specifically for your company. The email contains a strategically placed link that tempts your employees to click, leading them to a fake landing page closely monitored by our advanced tracking system.

Should any employees fall for this simulated phishing attack, you will be notified immediately, allowing you to educate them and prevent future breaches.

Identified employees will receive personalised training from our solution system to fill any knowledge gaps, protecting them against future threats and safeguarding sensitive data from leaks.