How artificial intelligence is changing social engineering
June 2, 2020
When I was first learning about social engineering, I remember listening to a recording of different phone calls to Starbucks. I was astounded at how easy it was to obtain sensitive information like partner and employee numbers.
Since then, social engineers have evolved, equipping themselves with the futuristic tools of artificial intelligence (AI) in order to further exploit human psychology and gain access to systems and data.
Below are just a few of the new tools in a hacker’s arsenal.
New social engineering tools: Catch me my AI, if you can
Voice transfer AI
New voice technology allows attackers to impersonate the sound of their chosen target. For example, a cybercriminal recently used voice imitation to defraud a company of $243,000. The social engineer utilized AI to mimic the voice of the CEO of a company and succeeded in transferring large amounts of funds to their accounts.
Deepfake technology has made it easy to create convincing counterfeit videos, leaving politicians and the media very nervous. You can learn how cybercriminals use deepfakes — and even create your own deepfake video — in my Infosec Skills course on the topic.
Advanced Natural Language Processing (NLP)
NLP technology has allowed automated production of targeted phishing bots that outperform humans. They can successfully phish an astonishing two out of three users. These fully automated, AI-based phishing bots generate interesting tweets and then fool users into clicking on them.
These are just a few of the growing ways in which machine learning is being applied to social engineering — topics which are covered in my Cybersecurity Data Science Learning Path in Infosec Skills.
How AI is used to detect social engineering
Though many of the new technologies enabled by AI are being used for social engineering, AI also offers tools for preventing social engineering attacks. To name just a few:
Technology can now determine when an image or video is counterfeit. It learns the real entity’s facial mannerisms and uses this knowledge to analyze an image or video in question for a match.
Fake review detection
AI is also being used to scrub out the fake reviews in a dataset. The validity of reviews has great consequences for e-commerce buyers. With shocking statistics like “61% of electronics reviews on Amazon being fake,” AI can have a huge impact by helping to filter out these misleading reviews.
Combating social engineering through security awareness
Everyone should be in the know about these new tools and how they can be used for malicious intent. If these topics are taught as part of general cybersecurity awareness, we can all be safer and more secure in the face of new crime. For example, had the voice transfer AI fraud victim been aware of the capability to mimic anyone’s voice live on the phone, he or she may have used additional means to authenticate the caller — and changed the outcome.
Similarly, knowing how realistic deepfake technology has become and how easy it is to create would add a healthy dose of skepticism to everyone, particularly those watching political videos.
Enterprises and businesses are especially in need of training on these latest types of cybercrime. With 62% of businesses having experienced phishing and social engineering attacks, trained employees are a great asset.
AI and machine learning training
For cybersecurity professionals, the importance of learning these technologies is even greater. The reality is that if you’re not learning these technologies, you’re living in a legacy cybersecurity world — a tenuous place for one’s career. Conversely, how powerful is it for one’s career advancement to be well-versed in the most recent and modern cybersecurity tools and technology?
In addition, we cybersecurity professionals hold the responsibility of informing those who have trusted us with their security about these new techniques that criminals are employing. We can only do so if we have knowledge of them ourselves.
In collaboration with Infosec, I’ve designed two Infosec Skills learning paths to teach you how to employ machine learning to implement these social engineering techniques. To begin learning modern AI-based social engineering, start by covering the fundamentals in the Cybersecurity Data Science Learning Path. Then progress to more advanced AI-based social engineering in the Machine Learning for Red Team Hackers Learning Path.
Remember — the bad guys are getting smarter. Are you? Happy learning!
About Emmanuel Tsukerman
Dr. Tsukerman graduated from Stanford University and UC Berkeley. In 2017, his machine-learning-based anti-ransomware product won Top 10 Ransomware Products by PC Magazine. In 2018, he designed a machine-learning-based malware detection system for Palo Alto Networks’ WildFire service (over 30k customers). In 2019, Dr. Tsukerman authored the Machine Learning for Cybersecurity Cookbook and launched the Infosec Skills Cybersecurity Data Science Learning Path.