TIME TO WAKE UP
2024 has already started off interesting. This week President Joe Biden's voice was AI-cloned and voters were robodialed with a message urging them not to vote. I'm not surprised this happened at all, and it's only the beginning of what we'll see with AI deepfakes. I can almost guarantee we'll see deepfake video used as a vector for campaign misinformation.
But maybe the more important thing to note is the mass use of robodialing. Bad actors are starting to use marketing tools, a trend we've seen for a while. Mass email outreach makes these sorts of marketing tools extremely lucrative for bad actors. For phishing, we typically see a spray and pray approach: an entire organization is targeted all at once, with the hope of harvesting login credentials from a few users once the mass phishing campaign has gone out. It's effective and it works. Attackers use this tactic before their accounts and infrastructure get cut off; it's a rapid hit all at once, before they get caught and dismantled.
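The spray and pray pattern described above has a simple defensive signature: one external sender reaching many distinct internal mailboxes in a short window, usually with the same subject. The following is an added example (not code from the original post) of that detection logic run over a few constructed mail-gateway log lines. The log format, the internal domain `corp.example`, the sender addresses and the window/threshold values are all assumptions chosen for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample gateway log (not real traffic). Assumed format:
# "<ISO timestamp> from=<sender> to=<recipient> subject=<subject text>"
SAMPLE_LOG = """\
2024-01-23T09:00:01 from=it-support@corp-helpdesk.example to=alice@corp.example subject=Password expires today
2024-01-23T09:00:03 from=it-support@corp-helpdesk.example to=bob@corp.example subject=Password expires today
2024-01-23T09:00:04 from=it-support@corp-helpdesk.example to=carol@corp.example subject=Password expires today
2024-01-23T09:00:06 from=it-support@corp-helpdesk.example to=dave@corp.example subject=Password expires today
2024-01-23T09:00:09 from=it-support@corp-helpdesk.example to=erin@corp.example subject=Password expires today
2024-01-23T09:00:12 from=it-support@corp-helpdesk.example to=frank@corp.example subject=Password expires today
2024-01-23T09:15:00 from=newsletter@vendor.example to=alice@corp.example subject=January product update
2024-01-23T10:15:00 from=newsletter@vendor.example to=bob@corp.example subject=January product update
2024-01-23T11:15:00 from=newsletter@vendor.example to=carol@corp.example subject=January product update
2024-01-23T09:30:00 from=alice@corp.example to=bob@corp.example subject=Lunch?
this line is malformed and must be skipped
"""

INTERNAL_DOMAIN = "corp.example"  # assumed: the organisation's own mail domain

LINE_RE = re.compile(r"^(\S+) from=(\S+) to=(\S+) subject=(.*)$")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, sender, rcpt, subject = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "from": sender.lower(),
        "to": rcpt.lower(),
        "subject": subject.strip(),
    }


def detect_spray(log_text, window=timedelta(minutes=5), threshold=5):
    """Flag external senders that reach >= threshold distinct internal recipients
    inside any sliding window of the given length. One alert per sender."""
    by_sender = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line: skip rather than crash the detector
        sender_domain = ev["from"].rsplit("@", 1)[-1]
        if sender_domain == INTERNAL_DOMAIN:
            continue  # internal mail is out of scope for this rule
        by_sender[ev["from"]].append(ev)

    alerts = []
    for sender, events in by_sender.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()  # events inside the current sliding window
        for ev in events:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()  # drop events that have aged out of the window
            recipients = {e["to"] for e in recent}
            if len(recipients) >= threshold:
                alerts.append({
                    "sender": sender,
                    "recipients": len(recipients),
                    "first_seen": recent[0]["ts"].isoformat(),
                    "last_seen": ev["ts"].isoformat(),
                    "subjects": {e["subject"] for e in recent},
                })
                break  # burst confirmed; no need to keep counting this sender
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

The newsletter sender hits three mailboxes but an hour apart, so it stays under the window and is not flagged; only the helpdesk look-alike burst is. In practice the window and threshold are tuned against your own gateway volumes, and the alert is most useful when it feeds an automated quarantine or recall of the matching messages before the "few users" the author mentions click through.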
But a big change from Gmail and Yahoo going into effect next month may limit this. In an effort to curb spam, the big providers are starting to rate limit mass email sends. It may have an impact on phishing, or it may not. We'll see.
It could also have adverse impacts that haven't been fully considered yet. One is an uptick in whaling versus phishing: highly targeted attacks focused on C-level executives rather than the spray and pray approach. This makes sense as a logical next step with the use of AI. There are marketing tools available now that use AI to data-scrape information about a target; think LinkedIn Sales Navigator, but much more in depth. These tools can automatically formulate a very targeted, well-crafted email with personal details, collecting all the reconnaissance needed, including name, phone number, email and personal details. This exists in the marketplace today, and it is terrifying.
Another potential adverse effect is a shift toward mobile as an attack surface. The defense-in-depth tooling that exists for desktop is not in place for mobile. Mobile, especially user-owned (BYOD) devices, is the biggest gap in a security program today. That leaves the end user and their phone as the most vulnerable target, and bad guys like to pick off the easiest one.
It is very possible we will see highly targeted, well-crafted whaling and spear-phishing attacks, with the rise and adoption of AI fueling this shift. A phish could be cross-screen (desktop and mobile), extremely targeted and very convincing. Either way, it's important to note that users are failing phishing simulations today, and all it takes is one click for a ransomware attack. With targeted phishing likely on the horizon, it is absolutely critical to educate your users about these emerging threats.
That next phish is likely going to be extremely well crafted and targeted.