In this edition of CyberBytes, we will be talking about the Wizard of Oz, Captain Marvel, and how our shared experiences can help thwart cybercrime! *whew* this is gonna be fun 😉, and maybe a little longer read than normal, but stay with me….
To start, yes, I know the quote in this month’s Topic should end with “…Oh My” [cue the Wizard of Oz references], but this is my way of showing this was not generated by AI; I actually wrote it! You see, AI (Artificial Intelligence) is getting better every day, and it is the reason we get to talk a little about the exponential increase in the difficulties and challenges facing cybersecurity professionals (and YOU) due to the increased availability and accessibility of AI technology. Now, before we jump into why this matters to YOU and how AI is going to tie in [Trust me, it will!!], a quick review…. We are all keenly aware of:
- Phishing [trying to lure you to click or open something that will enable them to steal credentials, PII, financial data, etc…],
- Spear Phishing [just like phishing, but targeted to specific (single or small group of) people],
- Whaling [same as spear phishing, but with a BIG target, think CEO, finance leaders, etc…], and
- Malvertising [like phishing, but disguised as advertising when you search for goods and services].
How about these…
- “Vishing” (voice phishing): a social engineering tactic of calling people to convince them to do something that will aid the caller’s effort to infect, steal, destroy, etc… from us.
- Smishing, yup, is the same but through text (SMS) messages, as you might have guessed.
Now, one you might not know about is “Swatting”. This is the process of phoning in an UNTRUE report of a serious emergency in the hope of having SWAT dispatched to whatever location was given (the “target”). Swatting is done to harass and inflict chaos on the targeted person or company: calling in an armed hostage situation at an address so the authorities show up heavily armed and banging down a door, to scare, intimidate, or cause physical damage (breaking down a door, shooting tear gas into a home, etc.…), all to effect a desired outcome (create problems for a person, or close a school or business, for example).
I know what you’re thinking: “…where are you going with this, Rob? These things don’t really align, and the latter has nothing to do with cybersecurity, much less AI. You are all over the place this month, try and focus, Rob!” To that I say, well, they kind of do, now anyway, and here is how and why it is creating the increase in challenges and difficulties I spoke of earlier, for cyber professionals and YOU!

All these things are and have been happening for a while, just at a level that still allowed us to detect (mostly) that they were not real, fairly easily, be it because of the difficulties with language or the inability to use a computer program to create a “real”-sounding message (for all the *ishings). We’ve all seen the poor attempts at automated phishing emails, and probably even laughed sometimes at how rudimentary they are. But they have gotten better and better, more convincing, and now the daily advancements and accessibility of AI have opened the gates to even easier creation of well-composed, applicable messaging, all sounding as if you wrote it (maybe even better). [Here comes the big tie-in 😊] Compound that with the ability to extract a user’s voice from public sources [think TikTok, YouTube, Facebook Reels, etc…], parse it into individual words, save it, and then start making automated calls saying things, in the manner that AI can now compose, to sound not only like a real person, but like the actual person they want you to think you’re “talking” to!!
NOW, I hope you can see how this can potentially get real bad, real fast.
It is not a thought exercise anymore; it is happening today, with “Swatting as a Service” being sold to anyone with a grudge, using AI-generated voice messaging over internet phone to make it even harder to trace, while making it sound like anyone they have a voice pattern for. This combination of AI-generated messaging (using multiple channels like text and voice) is forking into the “*ishing” cyber realm as well. As an example, the following happened to an executive at a tech security firm recently: … a sales director got a call that seemed to be from the CEO. As his cellphone displayed founder Jay Chaudhry’s picture, a familiar voice said “Hi, it’s Jay. I need you to do something for me,” before the call dropped. A follow-up text over WhatsApp explained why. “I think I’m having poor network coverage as I am traveling at the moment. Is it okay to text here in the meantime?” Then the caller asked for assistance moving money to a bank in Singapore… (you can read the full account below). In this situation (if you don’t read it below), the director did think it was odd, even though it sounded just like their CEO, and did the right thing: contacted their supervisor for verification. As a tech firm, I would expect that response, but would I expect it from a company that is not focused on security and tech? No, I wouldn’t. While they did not get AI-enhanced vished/smished, I believe there are more that ARE every day.
This brings me to the two concerns I have right now. First, the proven ability to use an actual person’s voice to generate a call that is a believable voice match with someone we know, to try and extort something from us. Second, if it were to happen to one of us, would we be comfortable enough to question the authenticity of the request? Would we have the nerve to question a call from Earl asking us to do something, albeit a bit odd, when it sounded just like him in words and voice? How about if we were to receive a call from a loved one, out of the blue, “needing” us to send money FAST? My hope is yes, we would first reach out for a way to ascertain, with certainty, that the request is real and valid. One easy solution to this high-tech issue? Ironically, I implemented one about 10 years ago when I was with a global airline services company. Regular (non-AI) smishing was taking off and targeting our senior executives, wanting them to transfer funds to one place or another, so we proposed and implemented the solution of verifying any transaction being requested with two people (a total of three would need to be involved in the action), using a shared code that only they knew to verify it was real [for fans of the Marvel movies, Captain Marvel in particular, this is something they had to do when they encountered someone who they knew, and who looked like the person they knew (the aliens could take on the appearance of anyone, it’s a movie 😉), but was acting strange: to ensure they were who they seemed to be, they would force them to share a private memory only they would know. When forced to reveal something they didn’t or couldn’t know, their identity and motives were revealed, and we did it before the movie came out 😊]. This sharing of something only we know, our human experience, is still a way (a good way) to thwart potential cyber-crime.
So, if in doubt, think of something only you and the supposed coworker, friend, relative, etc…, who is reaching out to you to do something questionable, would know, and quiz them on it. Make them reveal who they are before sending that wire or buying those Visa gift cards. As a caveat, it is important to watch what you share on socials, as that information is scraped and analyzed, feeding more about you into the algorithms for a nefarious actor to possibly use.
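The two-person, shared-code verification described above can also be built into a transfer-approval workflow rather than left to memory. The following is an added illustration, not ISHPI’s code nor the process the newsletter author deployed at the airline services company: a transfer request attributed to a requester is blocked until two other, distinct people each call the requester back and confirm the pre-agreed shared code. Codes are stored only as salted PBKDF2 hashes, comparison is constant-time, and a single wrong answer flags the request so it cannot be completed by further attempts. All names, codes, and amounts are constructed sample values.

```python
"""Two-person verification of a transfer request with a shared code.

Added example; not ISHPI's code. Models the control from the newsletter:
the requester plus two independent verifiers (three people in total),
each verifier challenging the requester for a code only they share.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

REQUIRED_VERIFIERS = 2  # two verifiers plus the requester = three people involved


def _derive(code: str, salt: bytes) -> bytes:
    # Keep a slow, salted hash of the shared code on file, never the code itself.
    return hashlib.pbkdf2_hmac("sha256", code.encode("utf-8"), salt, 100_000)


class SharedCodeStore:
    """Per-person shared codes, held only as (salt, PBKDF2 hash) pairs."""

    def __init__(self) -> None:
        self._entries: dict[str, tuple[bytes, bytes]] = {}

    def enroll(self, person: str, code: str) -> None:
        salt = secrets.token_bytes(16)
        self._entries[person] = (salt, _derive(code, salt))

    def check(self, person: str, answer: str) -> bool:
        entry = self._entries.get(person)
        if entry is None:
            return False  # nobody enrolled under that name: cannot be verified
        salt, expected = entry
        # Constant-time comparison so timing does not leak how close a guess was.
        return hmac.compare_digest(_derive(answer, salt), expected)


@dataclass
class TransferRequest:
    requester: str              # who the message/call claims to come from
    amount: float
    destination: str
    verifiers: set[str] = field(default_factory=set)
    flagged: bool = False       # set after any failed challenge; stays blocked


def challenge(req: TransferRequest, store: SharedCodeStore,
              verifier: str, answer: str) -> tuple[bool, str]:
    """One verifier calls the requester back on a known number, asks for the
    shared code, and submits the answer heard. Returns (accepted, reason)."""
    if req.flagged:
        return False, "request already flagged; escalate, do not proceed"
    if verifier == req.requester:
        return False, "requester cannot verify their own request"
    if verifier in req.verifiers:
        return False, "this person has already verified the request"
    if not store.check(req.requester, answer):
        req.flagged = True  # one wrong answer is enough to treat it as impersonation
        return False, "shared code mismatch; treat the request as an impersonation attempt"
    req.verifiers.add(verifier)
    return True, f"{len(req.verifiers)} of {REQUIRED_VERIFIERS} verifications complete"


def approved(req: TransferRequest) -> bool:
    """True only when enough distinct verifiers confirmed and nothing was flagged."""
    return not req.flagged and len(req.verifiers) >= REQUIRED_VERIFIERS


if __name__ == "__main__":
    # Constructed walk-through: one legitimate request, one impersonation.
    store = SharedCodeStore()
    store.enroll("ceo", "blue-heron-1979")  # constructed shared code

    real = TransferRequest("ceo", 250_000.0, "bank-sg-example")
    print(challenge(real, store, "controller", "blue-heron-1979"))
    print(challenge(real, store, "director", "blue-heron-1979"))
    print("approved:", approved(real))

    fake = TransferRequest("ceo", 250_000.0, "bank-sg-example")
    print(challenge(fake, store, "controller", "uh, I'm on a bad line"))
    print("approved:", approved(fake))
```

The point of the `flagged` field is that a failed challenge is a signal, not a retry opportunity: the request is frozen and the people involved escalate, which is exactly the “contact your supervisor for verification” response the newsletter praises.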
I know it was a long one this month, but I hope you made it through. In closing, remember: if you get any messaging, of any kind, from someone you know, and you have ANY doubt about its authenticity, be a superhero and use your shared experiences to verify and help thwart cybercrime, using something only we have – our HUMAN memories!
Newsletter by: Rob Collings, ISHPI’s VP of Cybersecurity | CISO
June 1, 2023