LastPass, the password and identity management solutions provider, was recently the target of a voice phishing attack, according to an article on Bleeping Computer.
The article says that the attack, which attempted to impersonate LastPass CEO Karim Toubba via AI-driven voice synthesis, was unsuccessful because the hacker used WhatsApp, and the employee who was targeted didn’t fall for the ruse.
That this attack used deepfake technology to synthesize the CEO’s voice is notable. The benefits of artificial intelligence are significant, but the risks are arguably more so. Indeed, the Bleeping Computer article also references an alert published on April 3rd by the Health Sector Cybersecurity Coordination Center, which cited two recent cybersecurity incidents where criminals attempted to register a new device to gain access to a corporate network. In both cases, HSCCC said that the attackers “did leverage spearphishing voice techniques and impersonation of employees with specific access related to the threat actors’ end goals.”
In the note, HSCCC recommends requiring a callback to the phone number on record when an employee requests a password reset and enrollment of a new device.