What is the scariest aspect of deepfake videos and audio?
A: How accurate they appear?
B: How will threat actors implement these creations?
C: The amount of potential damage a deepfake can cause?
D: None of the above?
My argument would be D. For me, the most frightening aspect is how easy a deepfake video file is to create and the fact that free tools to generate a very realistic fake video of anyone are just a quick Google search away.
My reasoning is based on a recent request that came from a client during which Trustwave was asked to create a fake video of the client’s CEO using nothing but publicly accessible tools. The video would be shown during a company town hall on the dangers of social engineering.
Before I dive into my methodology, it is important to note that their concerns about the potential of deepfakes on their company showed an up to date and highly refined knowledge of the current cybersecurity landscape.
Deepfakes have only been “a thing” for a short period, but it says a lot about the client’s security team that it’s already preparing for a time when deepfakes will be encountered and defended against.
What is Deepfake?
Let us start at the beginning.
Deepfakes use artificial intelligence to craft convincing images, audio, and video deceptions. This term encompasses both the technology itself and the resulting deceptive content, cleverly blending "deep learning" and "fake."
Deepfakes frequently involve the alteration of existing source material, where one person is seamlessly substituted for another. Additionally, they can generate entirely novel content, depicting someone engaging in actions or uttering statements they never actually did.
There are many potential threats posed by deepfakes, and they are not necessarily based on financial gain. For me, the most dangerous aspect lies in their capacity to disseminate false information that convincingly mimics credible sources. For instance, in 2022, a deepfake video emerged, purportedly featuring Ukrainian President Volodymyr Zelenskyy urging his troops to surrender.
Creating a Deepfake
This was new territory for me, so the starting point for this project was to find a few blogs on how to create a deepfake video. The blogs quickly explained the task, and where to go to find what I need. Now, I know this is public knowledge, but I am going to leave out the names of the sites I used, why make it any easier for the bad guys?
The first step was to find a public video of the client’s CEO. This was easily enough done in this case, and I believe the same would hold true for any other business executive. Most executives have videos of talks they have given, maybe a TV appearance, or even something on their company website.
Creating the final product was a multi-step process that eventually trained me to create the video.
The first site was not very sophisticated. It used a still image which the software manipulated to mimic the mouth and eye movement.
The software required that I upload the target’s photo and it had a space where I could type in the message, I wanted the person to say. I then picked one of the supplied automated voices and it matched the voice to the text and made the mouth move in the appropriate manner.
This was a rough video and likely would not fool anyone.
The next tool I found allowed the user to upload the video, a voice recording and edit the two together. Again, the user types in a message, and the software uses the uploaded voice to speak the message.
The final result is not perfect, but I would say it is about 85% of the way there. If the recipient does not know the person speaking that well it could be believable.
But the results are outstanding when you consider that from start to finish it took me about two hours to complete a video.
The final video was presented to the client, but this was only the start of my deepfake experience.
Taking Deepfakes to the Next Level
The couple of off-the-shelf tools I used to complete my project represent just the tip of the iceberg when it comes to what is available.
Some sites allow the face on a video to be replaced, the face itself can be altered, say made to look younger or older. It all depends on who is the target receiver of the deepfake and what is the intent and the impact that needs to be achieved.
Deepfakes For Free
At this point, we should probably talk about the deepfake sites I used for my project. What I found and used are all in the public arena and some, but not all, carry some type of disclaimer that says they are only for general interest or entertainment purposes.
Additionally, the Terms and Conditions on them, mention that the intent is to upload just the voice of the person registered or using the tools, however, how can anyone ensure it is their voice or someone else’s voice that is being used for not the right purposes?
It is clearly not much of a stretch to see these tools falling into the wrong hands, in much the same way legitimate cybersecurity tools are often co-opted by bad actors.
The Threat
The fact that these tools are quite accurate, freely available, and easy to use makes them potentially extremely dangerous.
Deepfake videos can be used to sway elections by creating and posting a video of an official saying something off color. In the same manner, they can be used to impact a company’s stock by creating a video of the CEO saying business is bad or is being acquired.
They could be used to spread fake news or disinformation.
Blackmail is another option. A video can be made showing a person in a compromising position or conducting an unseemly act followed by the threat actor demanding payment to keep it off the web.
The videos could be used as part of a phishing campaign targeting a specific company. The email could say ‘click here to see a video from the CEO,’ but in fact, that link is malicious.
Unfortunately, there is no simple way to detect these fakes. Awareness training is likely the best path. Teach employees to doubt what they see or hear if it sounds out of the ordinary. Does that really sound like my supervisor’s voice? Would the COO really ask that everyone send a $250 Target gift card to this address?
