How to deepfake your CEO?
Inspired by this Reddit post.
We all know that AI is the future and an enabler and so on and so forth... Well, that's what we hear from the marketing department at least. We can all have different opinions on the use cases, the legitimacy of using AI and its cost-to-benefit ratio. One thing is certain, however: AI is also helping the ill-intentioned.
An attacker will always take the path of least resistance to reach their objective. They can exploit all sorts of vulnerabilities (CVEs...) and misconfigurations (weak passwords...), but the easiest weakness to exploit is often the human behind the screen. One of the most common schemes for exploiting the user is the "CEO scam", a form of business email compromise (BEC). Attackers impersonate a company's CEO, CFO or another high-ranking executive. Their goal is to trick employees, often in finance or accounting, into transferring large sums of money to fraudulent accounts. It is usually performed via an email along the lines of:
Subject: URGENT: Wire Transfer to John from Supplies & Co. – $2,000 ASAP
Hi Sandra,
Hope you are doing good, I am at the airport going back to Paris soon. Could you please prioritize a $2,000 wire transfer to John Supplier immediately? I confirmed this amount with John from Supplies & Co., and it must be processed before my plane lands today. I will be unreachable for the next 8 hours and I really need this to be done ASAP. If we don't do it in time we risk losing a good chunk of the EMEA business.
Let me know the moment it's done. You'll find the account ID number attached. I am counting on you!
This type of scam presupposes that you can impersonate the CEO's email address. An attacker either has to:
- Spoof the CEO's email address. If SPF, DKIM and DMARC are configured properly (that is, with an enforcing DMARC policy of quarantine or reject), the spoofed email will land in the spam folder or be rejected outright. Note that DMARC only covers the exact domain; a lookalike domain registered by the attacker is not stopped by it.
- Steal the CEO's email account credentials. The attacker can then send the email to the accounting department from the legitimate account, and it will pass SPF, DKIM and DMARC because it really does come from the company's mail server.
Still, a single email out of the blue lacks conviction. If the accounting department is well trained, they will likely wait for more information before acting.
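To make "configured properly" in the first bullet concrete, here is a small Python check that classifies a domain's SPF and DMARC records and says whether a message forging the CEO's exact address in the From: header would be rejected, quarantined or delivered. This is example code added for this page, not something from the original post; the domains and records it uses are constructed samples standing in for real DNS lookups so that it runs offline.

```python
"""Would this domain's SPF/DMARC setup stop a forged From: address?

Added example for this page (not from the original post). DNS is replaced
by constructed sample records so it runs offline; lookup() marks where the
real TXT queries would go.
"""
import re

# Constructed sample records for made-up domains (not real DNS data).
SAMPLE_RECORDS = {
    "hardened.example": {
        "spf": "v=spf1 include:_spf.mailer.example ip4:203.0.113.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example; pct=100",
    },
    "partial.example": {
        "spf": "v=spf1 include:_spf.mailer.example -all",
        "dmarc": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@partial.example",
    },
    "monitoring-only.example": {
        "spf": "v=spf1 include:_spf.mailer.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring-only.example",
    },
    "no-policy.example": {
        "spf": "v=spf1 ip4:198.51.100.7 +all",
        "dmarc": None,
    },
}


def lookup(domain, records=SAMPLE_RECORDS):
    """Offline stand-in for two TXT queries: <domain> (SPF) and _dmarc.<domain>."""
    entry = records.get(domain, {})
    return entry.get("spf"), entry.get("dmarc")


def parse_tags(record):
    """Parse a DMARC-style 'tag=value; tag=value' record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(spf):
    """Qualifier on SPF's terminal 'all': '-' fail, '~' softfail, '?' neutral,
    '+' pass (also the default when omitted); None if there is no 'all'."""
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf)
    if not match:
        return None
    return match.group(1) or "+"


def assess(spf, dmarc):
    """Return (verdict, findings) for a message forging From: on this domain.

    verdict is 'blocked', 'quarantined' or 'delivered'. SPF only says who may
    use the domain as envelope sender, a field the attacker controls, so SPF
    alone never protects the visible From: header. DMARC is what requires SPF
    or DKIM to align with the From: domain and tells receivers what to do.
    """
    findings = []
    if spf is None:
        findings.append("no SPF record")
    else:
        qualifier = spf_all_qualifier(spf)
        if qualifier in ("+", "?", None):
            findings.append(f"SPF does not fail unknown senders (all qualifier: {qualifier})")
        elif qualifier == "~":
            findings.append("SPF softfail (~all) only marks, never rejects")

    if not dmarc:
        findings.append("no DMARC record: nothing enforces alignment with the From: domain")
        return "delivered", findings
    tags = parse_tags(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("malformed DMARC record (missing v=DMARC1)")
        return "delivered", findings
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, failing mail is still delivered")
        return "delivered", findings
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
    return ("blocked" if policy == "reject" else "quarantined"), findings


def check_domain(domain, records=SAMPLE_RECORDS):
    """Look up the records for a domain, then assess them."""
    return assess(*lookup(domain, records))


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        verdict, findings = check_domain(name)
        print(f"{name}: a spoofed From: would be {verdict}")
        for finding in findings:
            print(f"  - {finding}")
```

Two things the script makes visible: only the domain with p=reject gets a "blocked" verdict, while a strict SPF record paired with p=none or no DMARC at all still lets the forged mail through, because nothing ties the SPF result to the From: header the employee actually sees. And none of these records say anything about a lookalike domain the attacker registers themselves; that needs separate controls such as external-sender banners and domain monitoring.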
It's deepfake o'clock!
Let's try to make the scam more convincing: I'll show you how to create a video of the CEO explaining the request to Sandra from the accounting department.
Well... no. For the sake of not being sued into oblivion, I will just try to make a video of Barack Obama thanking me for creating such a great blog post. Why Mr. Obama? Well, political opinions aside, I find his voice really recognizable, and it will help you get a good feeling of what can be achieved. Mr. Obama, if you are reading this, forgive me for using "your voice" without consent.
Let’s dive in and try it out!
Grab public footage of the CEO as the source footage.
If your CEO is a public figure, it's not hard to find. You can use an interview they took part in, a Teams meeting you had with them... I chose the following video of Mr. Obama; it was the first one I stumbled upon on YouTube.

Grab 10 seconds of video to feed into the voice generation (ElevenLabs)
I used MeTube to download the video onto my PC. It is an awesome open-source YouTube video downloader that I self-host on my NAS; more about the project here. I host it using Docker, it's not really hard to set up.
I cut 10 s of video in which only Mr. Obama is talking, using an online video tool.
Unedited 10s of Video + Audio
Generate the voice in the ElevenLabs SaaS
I paid $5 to access ElevenLabs' paid plan, which allows me to create what they call Instant Voice Clones, aka the deepfake voice machine. I uploaded the 10 s of video above along with its audio. You can feed it more data, but I don't think it is really necessary to achieve a realistic effect.

We can now generate a speech from text:

The result is incredible to me, it even recreated the echo from the original video!
Lip sync the audio with the initial video
To finalize the deepfake we need to synchronize Barack's lips with the new audio. I chose to use the initial video. You can select a longer video if your generated speech is longer or if you want other hand gestures, for example... Up to you.
To lip-sync, I used Sync.so with a free account (which is why there is a watermark). You upload the original video and the new audio, and you're done.
Barack sponsoring this blog post (please don't sue me)
Conclusion
I think the result is convincing enough for a realistic impersonation to trick people in a phishing simulation (if it were your CEO). The cost of entry for the attacker is extremely small: every tool is browser-based and you can mostly use free accounts. When a paid option is required, $5 buys around an hour of fake speech.
AI can definitely be weaponized in social engineering attacks; it's easier than I initially expected.
