The Containment Playbook for Combatting Deep Fakes

In my role as a DFIR expert and tech lead at CYE, I recently encountered a fraudulent attempt where an imposter targeted the CEO of a prominent company, posing as a high-ranking executive and persuading a partner to transfer funds. The vigilant partner quickly sensed something amiss and promptly alerted the security team.

While SIM swapping or hijacking is a long-standing technique employed by fraudsters, in rare cases exploiting vulnerabilities in GSM protocols, a more straightforward approach involves convincing the mobile operator to register a new SIM card. This approach can lead to identity theft, exploiting 2FA, stealing WhatsApp accounts and more.

What’s new then? The emergence of deep fake technologies adds a new layer of sophistication to fraud attempts. A noteworthy example involved an employee joining a Teams call with the CEO and transferring funds under the assumption that the call participants were legitimate. Unbeknownst to him, the entire attendance in the call comprised a group of fraudsters adeptly using deep fake technology.

The containment strategies I propose are outlined at the conclusion of this article. However, addressing the looming challenge of deep fake technology in the future raises critical questions for security. In an era dominated by deep fakes, relying on someone’s voice or image as a basis for trust constitutes a significant vulnerability. To counter this, I foresee a shift towards uniquely signing different data types, such as voice or video, directly by the physical device itself. These signatures would then be bound to a specific persona, subject to validation by a recognized authority or through blockchain technology, akin to the functioning of SSL. While this approach introduces potential privacy concerns, in my perspective, these are not substantially different from longstanding privacy issues.

To structure my recommendations, I intend to align them with 3 out of the 4 phases of NIST’s Incident Response (IR) cycle: Preparation, Detection and Analysis, and Containment, Eradication, and Recovery.

Preparation

1. Remaining vigilant serves as the foremost defense against various forms of fraud, regardless of vulnerabilities arising from human actions. It is crucial to inform and train all employees about potential threats, including the dangers posed by deep fake, and emphasize strict adherence to the business protocols detailed below.
2. Clearly define actions necessitating multi-channel verification involving more than one entity.
3. Identify critical business procedures requiring adherence to verification protocols, such as initiating a validation call to the requesting entity.
4. Implement 2FA where feasible, utilizing an authenticator app. When deciding between email or SMS for cases where app-based authentication is not possible, determining the more secure option can be challenging, as it based on multiple factors and it’s hard to recommend which is safer.
5. Enhance security for applications such as WhatsApp/Telegram by implementing a PIN code using the app settings.

Detection

1. Unusual requests, particularly those concerning funds and finances, may signal fraudulent activity.
2. Inability to make calls or utilize data services could indicate a potential phone number hijacking.
3. Detecting deep fake attempts is challenging. Some bad techniques can be detected with tools or by noticing issues such as lags in video; however, employing a multi-channel verification and callback mechanisms as defined in the preparation phase can thwart such efforts. A reliable method involves posing a question known only to the genuine user and recipient.

Containment

1. Report the incident to your service provider and request:
   a. Detailed instructions on binding your SIM card to your phone number.
   b. Temporary suspension of outgoing calls to prevent impersonation — won’t be suitable for all cases.
   c. Access to communication history associated with your number for further investigation.
2. Generate a new SIM card and link it to your phone — effective primarily against classic SIM swapping attacks rather than those relying on GSM routing protocols.
3. Update 2FA configurations to use an authenticator app or email, rather than SMS, across all phone number related accounts. A list of all services can be enumerated through SMS history.
4. Terminate active sessions on all associated accounts, change login passwords, and revoke authentication tokens.
5. Closely monitor all accounts linked to the affected number.
6. In certain scenarios, individuals may need to caution colleagues and family members about the potential for impersonation through their phone line, as the aforementioned steps might not suffice in some cases.
7. DON’T disconnect the phone unless all security measures in the playbook have been implemented, as in certain cases, complete mitigation may not be achievable, and maintaining some level of control over the phone number could be essential.

In conclusion, lots of information is available online on preventing situations like SIM swapping, encompassing the methods detailed above. Detection methods are generally straightforward, often linked to a phone’s inability to make calls or use mobile data. However, the internet has been lacking in containment playbooks specifically addressing SIM hijacking from the standpoint of deep fake threats. Organizations should be urged to formulate the appropriate playbook and enhance awareness among their employees, family, and friends.