Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Is This Blog Real or a Deepfake?

What is the scariest aspect of deepfake videos and audio?

A: How accurate they appear?

B: How will threat actors implement these creations?

C: The amount of potential damage a deepfake can cause?

D: None of the above?

My argument would be D. For me, the most frightening aspect is how easy a deepfake video file is to create and the fact that free tools to generate a very realistic fake video of anyone are just a quick Google search away.

My reasoning is based on a recent request that came from a client during which Trustwave was asked to create a fake video of the client’s CEO using nothing but publicly accessible tools. The video would be shown during a company town hall on the dangers of social engineering.

Before I dive into my methodology, it is important to note that their concerns about the potential of deepfakes on their company showed an up to date and highly refined knowledge of the current cybersecurity landscape.

Deepfakes have only been “a thing” for a short period, but it says a lot about the client’s security team that it’s already preparing for a time when deepfakes will be encountered and defended against.


What is Deepfake?


Let us start at the beginning.

Deepfakes use artificial intelligence to craft convincing images, audio, and video deceptions. This term encompasses both the technology itself and the resulting deceptive content, cleverly blending "deep learning" and "fake."

Deepfakes frequently involve the alteration of existing source material, where one person is seamlessly substituted for another. Additionally, they can generate entirely novel content, depicting someone engaging in actions or uttering statements they never actually did.

There are many potential threats posed by deepfakes, and they are not necessarily based on financial gain. For me, the most dangerous aspect lies in their capacity to disseminate false information that convincingly mimics credible sources. For instance, in 2022, a deepfake video emerged, purportedly featuring Ukrainian President Volodymyr Zelenskyy urging his troops to surrender.


Creating a Deepfake


This was new territory for me, so the starting point for this project was to find a few blogs on how to create a deepfake video. The blogs quickly explained the task, and where to go to find what I need. Now, I know this is public knowledge, but I am going to leave out the names of the sites I used, why make it any easier for the bad guys?

The first step was to find a public video of the client’s CEO. This was easily enough done in this case, and I believe the same would hold true for any other business executive. Most executives have videos of talks they have given, maybe a TV appearance, or even something on their company website.

Creating the final product was a multi-step process that eventually trained me to create the video.

The first site was not very sophisticated. It used a still image which the software manipulated to mimic the mouth and eye movement.

The software required that I upload the target’s photo and it had a space where I could type in the message, I wanted the person to say. I then picked one of the supplied automated voices and it matched the voice to the text and made the mouth move in the appropriate manner.

This was a rough video and likely would not fool anyone.

The next tool I found allowed the user to upload the video, a voice recording and edit the two together. Again, the user types in a message, and the software uses the uploaded voice to speak the message.

The final result is not perfect, but I would say it is about 85% of the way there. If the recipient does not know the person speaking that well it could be believable.

But the results are outstanding when you consider that from start to finish it took me about two hours to complete a video.

The final video was presented to the client, but this was only the start of my deepfake experience.


Taking Deepfakes to the Next Level


The couple of off-the-shelf tools I used to complete my project represent just the tip of the iceberg when it comes to what is available.

Some sites allow the face on a video to be replaced, the face itself can be altered, say made to look younger or older. It all depends on who is the target receiver of the deepfake and what is the intent and the impact that needs to be achieved.


Deepfakes For Free


At this point, we should probably talk about the deepfake sites I used for my project. What I found and used are all in the public arena and some, but not all, carry some type of disclaimer that says they are only for general interest or entertainment purposes.

Additionally, the Terms and Conditions on them, mention that the intent is to upload just the voice of the person registered or using the tools, however, how can anyone ensure it is their voice or someone else’s voice that is being used for not the right purposes?

It is clearly not much of a stretch to see these tools falling into the wrong hands, in much the same way legitimate cybersecurity tools are often co-opted by bad actors.


The Threat


The fact that these tools are quite accurate, freely available, and easy to use makes them potentially extremely dangerous.

Deepfake videos can be used to sway elections by creating and posting a video of an official saying something off color. In the same manner, they can be used to impact a company’s stock by creating a video of the CEO saying business is bad or is being acquired.

They could be used to spread fake news or disinformation.

Blackmail is another option. A video can be made showing a person in a compromising position or conducting an unseemly act followed by the threat actor demanding payment to keep it off the web.

The videos could be used as part of a phishing campaign targeting a specific company. The email could say ‘click here to see a video from the CEO,’ but in fact, that link is malicious.

Unfortunately, there is no simple way to detect these fakes. Awareness training is likely the best path. Teach employees to doubt what they see or hear if it sounds out of the ordinary. Does that really sound like my supervisor’s voice? Would the COO really ask that everyone send a $250 Target gift card to this address?

Latest Trustwave Blogs

Email Security Must Remain a Priority in the Wake of the LabHost Takedown and BEC Operator’s Conviction

Two positive steps were taken last month to limit the damage caused by phishing and Business Email Compromise (BEC) attacks when a joint action by UK and EU law enforcement agencies compromised the...

Read More

Defining the Threat Created by the Convergence of IT and OT in Critical Infrastructure

Critical infrastructure facilities operated by the private and public sectors face a complex and continuously growing web of security threats that are compounded by the increasing convergence of...

Read More

Behind the MDR Curtain: The Importance of Original Threat Research

Searching for a quality-managed detection and response (MDR) service provider can be daunting, with dozens of vendors to choose from. However, in its 2023 Gartner® Market Guide for Managed Detection...

Read More