Impact of AI on Social Engineering

Aravinda 加阳
Published in unpack, Mar 29, 2021

https://media.threatpost.com/wp-content/uploads/sites/103/2019/09/18142900/social_engineering-1.jpg

What is Social Engineering?

Social engineering means deceiving people and manipulating human psychology to trick targets into acting on the attacker's behalf, so that the attacker can then obtain sensitive information. Social engineering attacks don’t necessarily involve technology. An attack can be as simple as engaging in a conversation and exploiting human nature.

“Hackers have long believed that human trust is the most vulnerable thing to exploit.”

Common Social Engineering Methods:

  • Phishing: Sending malicious email attachments.
https://static.vecteezy.com/system/resources/previews/000/173/719/original/vector-hacker-phishing-data-via-internet.jpg
  • Cloned malicious websites: the intent is to install malware on the target system.
  • Impersonating someone on a phone call.

Types of Social Engineering Attacks:

1. Network-based attacks:
Performed using devices to get information from a target.

2. Human-based attacks:
Executed by interacting with a target to make the target reveal sensitive information.

The Cycle of Social Engineering:

https://www.mailxaminer.com/img1/social-engineering.png

Applying AI techniques can take social engineering to the next level. A few examples of these AI techniques are:

  • Deepfake:
    creating extremely convincing counterfeit videos.
https://miro.medium.com/max/960/1*HfrS4uV1ZV3CQ5_F_kcf3Q.gif
  • DeepVoice, voice cloning, voice transfer AI:
    creating synthetic audio that mimics the actual sound of a chosen person.
https://www.youtube.com/watch?v=t5yw5cR79VA
  • Advanced NLP:
    creating phishing bots that outperform humans.

Examples:

https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402

In 2019, attackers used AI to mimic the voice of the CEO of an energy company and succeeded in transferring large amounts of funds to their accounts, while tricking voiceprint recognition and authentication systems.

https://www.washingtonpost.com/politics/2020/02/13/how-sick-president-suspect-video-helped-sparked-an-attempted-coup-gabon/

In 2019, the president of Gabon appeared on video to give his traditional New Year’s address. He looked healthy, but something about him was off: some of his facial expressions seemed odd.
National newspapers ran headlines suggesting the president’s appearance in the video could have been the product of a deepfake. This resulted in controversy, and an unsuccessful military coup destabilized the nation.

Dangers:

  • Distorting democratic discourse.
  • Manipulating elections.
  • Eroding trust in institutions.
  • Damage to the reputation of individuals.

How to Detect?

  • Using common-sense & awareness: fact-checking using multiple sources.
  • Digital watermarks: when the original video/audio is recorded, visually undetectable watermarks are embedded in it. The watermarks should be sensitive to manipulation, so that altering the video/audio breaks them.
  • Defensive AI:
    AI also offers tools for preventing social engineering attacks.
    Using AI for cyber defense is inevitable: we can’t rely only on human intelligence when dealing with large-scale attacks, so we need AI combined with human resources.

1. Deepfake detection: use AI to analyze an image or video for deepfakes.

2. Fake news detection: flagging

https://cdn.vox-cdn.com/thumbor/jt3cE6ieSSi4Snu3wopdkNQr7Xo=/1400x0/filters:no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/20025726/msedge_GPmA60mXDL.png

3. Spam, malware and intrusion detection.

  • Offensive AI vs. Defensive AI:

As machine-learning applications move into the mainstream, a new era of cyber threat is emerging, one that uses offensive artificial intelligence (AI) to supercharge attack campaigns. Offensive AI allows attackers to automate reconnaissance, craft tailored impersonation attacks, and even self-propagate to avoid detection.

“Security teams can prepare by turning to defensive AI to fight back using the autonomous cyber defense that learns on the job to detect and respond to even the most subtle indicators of an attack, no matter where it appears.”
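
The digital-watermark idea from the detection list above, as an added example that is not part of the original article: a fragile watermark over 8-bit samples (grayscale pixels or PCM audio) that breaks when the content is altered. The key, block size, sample data and function names are assumptions made for illustration.

```python
"""Fragile watermark sketch: a keyed tag over each block's content is hidden
in the block's least-significant bits, so a later edit breaks the tag."""
import hashlib
import hmac

BLOCK = 64  # samples per block; one tag bit is stored in each sample's LSB
KEY = b"constructed-demo-key"  # placeholder key, constructed for this example
ORIGINAL = bytes((i * 37 + 11) % 256 for i in range(256))  # constructed "media"


def _tag_bits(key, index, block):
    # The tag covers the block position and the 7 high bits of every sample,
    # so moving a block or changing visible content both invalidate it.
    content = bytes(s & 0xFE for s in block)
    mac = hmac.new(key, index.to_bytes(8, "big") + content, hashlib.sha256).digest()
    return bytes((mac[i // 8] >> (7 - i % 8)) & 1 for i in range(len(block)))


def embed(key, samples):
    """Return a copy of samples with each block's tag written into its LSBs."""
    out = bytearray(samples)
    for start in range(0, len(out), BLOCK):
        block = bytes(out[start:start + BLOCK])
        for offset, bit in enumerate(_tag_bits(key, start // BLOCK, block)):
            out[start + offset] = (out[start + offset] & 0xFE) | bit
    return bytes(out)


def tampered_blocks(key, samples):
    """Return the indices of blocks whose hidden tag no longer matches."""
    bad = []
    for start in range(0, len(samples), BLOCK):
        block = samples[start:start + BLOCK]
        stored = bytes(s & 1 for s in block)
        if not hmac.compare_digest(stored, _tag_bits(key, start // BLOCK, block)):
            bad.append(start // BLOCK)
    return bad


def demo():
    marked = embed(KEY, ORIGINAL)
    edited = bytearray(marked)
    edited[130] ^= 0x10  # alter one sample inside block 2
    return tampered_blocks(KEY, marked), tampered_blocks(KEY, bytes(edited))


if __name__ == "__main__":
    print(demo())
```

Each sample changes by at most one intensity step, which is why the mark is not visible, and verification reports which block was edited rather than only that something changed.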
