
#vishing


Targeted bypassing of two-factor authentication (#2FA) through voice phishing (#Vishing) - #Telekom and #DHL are currently issuing warnings, but the attack vector applies in general to all online accounts with weak SMS-based protection:

"Scammers are currently posing on the phone as employees of Telekom or DHL and trying to get the people they call to pass on SMS codes they have received."

#cybersecurity

sueddeutsche.de/wissen/vishing

Süddeutsche Zeitung · Fake calls from Telekom and DHL: account theft looms here

So?

Does everyone remember #LastPass?

Welp!?

It happened again, but this time on the user side of the house. LastPass users targeted by #vishing attackers.

VISHING: the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.

helpnetsecurity.com/2024/04/19

So some of you might remember this post (and the subsequent demonstration on national news) of using a voice cloning tool (AI, Audio Deep Fake) by @racheltobac

Link to post: infosec.exchange/@racheltobac/

(If you haven't seen it, go watch it. Rachel is amazing.)

I'd never needed to do a similar attack before, but! I was just tasked yesterday with researching it.

Asked some friends for a turn-key solution to clone voices. Got pointed to a website. Signed up for $1 a month (first month... then it goes to $5 a month thereafter).

Pulled some audio of my target's voice down from a YouTube interview (a podcast works great too).

Only needed a minute's worth of audio.

Uploaded it to the website for cloning.

Typed out a quick script for the voice to read.

30 seconds later, I had my cloned audio.

It was so good that it even included natural voice inflections AND!!! verbal pauses like umm's and uhh's that matched the target's original presentation. I can't tell the difference between the cloned voice and the original person.

Y'all... voice cloning and audio deep fakes are well past the ease of "script-kiddie" level. Anyone can do it.

Infosec Exchange · racheltobac (@racheltobac@infosec.exchange): In case you missed me live hacking using an AI voice cloning tool on 60 Minutes last time, it's reairing tonight at 7 PM Eastern! https://twitter.com/60Minutes/status/1660428419438354435?s=20

I'm coming back from taking two weeks off of work to find that I've got some hilariously bad #phishing #vishing emails in my personal inbox that were sent to an email address I used back when I was dealing with #Dell customer support several years ago, when they had an insider data breach where a contractor stole customer email addresses.

Anything I've received ever since addressed to this "dell@" email address has been #spam but this one really takes the cake for "high quality."

There really should be a mock awards ceremony for terrible attacks. This one would be in the nominations for sure just because they decided to use colored text in Comic Sans font for the #PayPal logo.