Darknet Diaries - 144: Rachel
Episode Date: April 2, 2024Rachel Tobac is a social engineer. In this episode we hear how she got started doing this and a few stories of how she hacked people and places using her voice and charm.Learn more about Rach...el by following her on Twitter https://twitter.com/RachelTobac or by visiting https://www.socialproofsecurity.com/Daniel Miessler also chimes in to talk about AI. Find out more about him at https://danielmiessler.com/.SponsorsSupport for this show comes from Varonis. Do you wonder what your company’s ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work – show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.
Transcript
Discussion (0)
When I was in college, a scammer called me up.
He's like, look, I'm not selling you anything
or even telling you what to do.
I just have information about a stock
and I wanted to share it with someone
and you were just like the lucky guy
I found in the phone book.
Listen, stock Z is gonna go up next week.
That's all.
I'll call you back next week to prove it.
I was like, all right, that was a strange call.
Whatever.
And yeah, he calls me back in a week.
And sure enough, the stock he told me about went way up.
He was spot on.
He was all excited about how much money he made.
But I told him he just got lucky
and he should cash out and take a trip somewhere.
He's like, no, no, no, it's not luck.
There's an algorithm that can accurately predict this.
And he said he knew which stock
was going to go up next. I was like, all right, so which one's going to go up next? And he tells me
and says to keep an eye on it. And he's going to call me back next week to prove he was right.
So yeah, another week goes by and the same guy calls me back and he's like, boom, you see what
I mean? And he was all excited again. And I was like, I don't see what you mean, but let me check the price.
And I checked the price and again, he was right.
And I was like, dang, good job.
But I think you got lucky again.
He said, no, he's been doing this for a solid year now
and he's been right every time.
And he tells me more about this algorithm
and how he's analyzing different indicators
and watching the stock market extremely close
and just has everything dialed in. And he tells me about another stock that he
says is surely going to go up. And I'm like, okay, call me back in a week. Let's see if you're right.
And sure enough, after a week, I checked and he was right again, three accurate stock price
predictions in a row. And he called me back and he's like, dude. And I'm like, dude. And he's
like, you see that? I said, I saw that. How are you doing this? And he's like, I cracked the code.
But then, like the snake he was, he tried to strike at me. He said, listen, the next one is
the craziest one I've ever seen. There's this company whose stock price is going to explode.
But the best part is they're in the initial investor round.
So you can get in on the ground floor if you want.
How much do you want to invest?
10 grand?
You've slept on three of these.
You're not going to want to miss another, right?
And I'm like, I'm a college kid, dude.
I've got 30 bucks in the bank.
I don't have 10 grand.
And he's like, oh, crap.
He hung up the phone. I don't have 10 grand. And he's like, oh, crap. He hung up the phone.
But this fascinated me. Who was this guy that was always getting the stocks right?
What was his algorithm? So I looked into it. I met with a stockbroker and I asked him,
how is this possible? And he's like, oh, that guy was a scammer. And I'm like, duh, I know.
But how did he get the stocks right every time? And this guy broke it down for me. He said, okay, that guy called up a whole bunch of people on week one, told half of them the stock was going to go up, told the other half the stock was going to go down. Then he called back the people who he was right with. And he told half of them about another stock that would go up. And the other half, he would say that stock's going to go down. And then he did it a third time, calling back the people he was right two times with, telling half of them that the stock is going to go up, and the other half saying it's going to go down. So by the time
he did that three times, he had this small pool of people who he was right with every time. But
really, he was just playing a math game with his victims. And I think this is such a long but brilliant
scam. Seemingly, this guy was golden, perfect, getting it right every time. But what I didn't
know is that he was getting his predictions wrong all over town. And I was just one of the
unlucky few that saw him get it right every time.
These are true stories from the dark side of the internet.
I'm Jack Recider. This is Dark by Delete Me.
I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online. Phone numbers, addresses, family members, where you work,
what kind of car you drive. It's endless and it's not a fair fight. But I realize I don't need to
be fighting this alone anymore. Now I use the help of Delete Me. Delete Me is a subscription
service that finds and removes personal information from hundreds of data brokers' websites
and continuously works to keep it off. Data brokers hate them because Delete Me makes sure Thank you. privacy. Take control of your data and keep your private life private by signing up for Delete Me.
Now at a special discount for Darknet Diaries listeners. Today, get 20% off your Delete Me plan
when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout. The only
way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code Darknet at checkout. That's joindeleteme.com slash darknetdiaries.
Use code Darknet.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing,
incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call.
I'm sure they can help.
But the founder of the company, John Strand, is a teacher.
And he's made it a mission to make Black Hills Information Security world-class in security training.
You can learn things like penetration testing, securing the cloud, breaching the cloud,
digital forensics, and so much more.
But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes
do not need to be expensive,
and they are trying to break down barriers
to get more people into the security field.
And if you decide to pay over $195,
you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer
and find links to their webcasts to get some world-class training.
That's BlackHillsInfosec.com.
BlackHillsInf-N-F-O-S-E-C.com. Blackhillsinfosec.com.
Gather around.
In this episode, we're going to hear stories from Rachel Toback.
She's one of the best social engineers I've ever met.
Let's start with your origin story.
As a kid, how did you get interested in this type of work?
Okay, my origin story.
So my first time that I ever thought about being any sort of hacker was when I realized that being a spy is a job that people do.
And it's a job that girls could do.
And I learned this through the movie,
Harriet the Spy. She goes around sneaking into people's houses, spying. She takes her notebook
everywhere. She sneaks through the dumbwaiter in this rich woman's house and gets caught.
And I just thought, oh my, I had no idea that a girl could be a spy. So that basically became
my personality from my childhood.
Did you get into computers when you were older or still in middle school, I suppose?
I did not get into computers. I wanted to get into computers. I went to my guidance counselor in I think sixth grade. And I said, hey, I want to take these coding classes. And my guidance
counselor, she said, you don't want, Rachel, you don't want to take those coding classes. Those coding classes are 40 boys. You'd be the only girl there. Just take HOMAC instead.
Oh, are you serious?
I know. And me being a child, I was like, oh, good call. I mean, yeah, I don't want to like
blame her for like me never learning to code. I mean, I could have tried later in life, right?
People try later in life all the time, but no, I've actually never written a single line of code.
I ended up getting my degree in neuroscience and behavioral psychology.
I was a teacher's assistant for statistics.
I never got into code.
Neuroscience?
Yeah.
So my path to infosec and hacking, to the untrained eye, it doesn't make any sense.
It's almost completely nonlinear.
To me, looking back, it makes a lot of sense. So I got my degree in neuroscience and behavioral
psychology. I was doing improv on the weekends. I was a teacher. I then was like, hey, I want to
try and get into tech. I moved to San Francisco. I was a community manager at a tech company.
I actually ended up leading a UX research team. And then while I was at that tech company, my husband was in security the entire time. I actually met my
husband in high school. I met him when I was 15 years old. So my husband was like, hey,
I heard about this thing called DEF CON. I think you would get a kick out of it. And I was like,
pass. I think I'm not going to do that.
Okay, so DEF CON is the annual hacker conference in Las Vegas.
It's wild there.
You'll see people walking around with antennas sticking out of their backpacks,
talks about how to bypass just about anything on a computer,
and tons of villages that focus on specific areas of hacking.
The social engineering village is one of the more popular ones.
And when Rachel's
husband went into this village and saw what they were doing, he immediately called her up to tell
her what he was seeing. They do this thing where they put you in a glass booth. It's soundproof
in front of an audience of 500 people. You call companies and you try and solicit information out
of them over the phone. It's the exact same skill that you use every month
to get the bill lowered. When you call these companies, you build rapport, you get a deep
discount on things like the cable bill. You'll love it. And she's still like, no, I'll pass.
Thanks. He called me back and he's like, I just saw more of these calls, these social engineering
calls. You have to come. I promise you, if you don't like it, we'll just go gambling. As an aside, I love
gambling. So I was like, okay, fine. I pack my bags. I get the first flight out Saturday morning.
And as you know, if you're at DEF CON, Saturday morning, it's like DEF CON's like a third over
at that point, if not more. So I show up, I see a few calls. What she's watching was the social
engineering contest.
There's 14 contestants, and they're given the task to basically get enough information to hack into a company, all through phone calls.
So you have to prepare and figure out who would be an easy target to get information from, and what's their phone number.
And you better have backup numbers in case the person you call doesn't answer or hangs up on you. Once you do get someone on the phone, you get points for every bit of security
data you can get off them. So if you can get them to tell you what operating system they use,
you get a point or a flag. And maybe from there, you try to figure out what browser they use,
information about their security guards, what janitor service they use. You can't just ask
these questions directly. It raises suspicion.
So you got to provide a pretext
or pretend to be someone else.
Maybe someone who works in another department
or someone brand new to the company
who doesn't know anything
but urgently needs to get a report done today.
It's tricky.
It's intense.
It's high stakes
because if you get caught on the phone, you're burned and now you don't get any points.
And the best part is the audience gets to watch all this live.
I see a few calls and I'm like, oh my, this is me. Like I can do this. I was born for this. And my husband was like, I know, right? I told you.
So she immediately is like, okay, how do I compete in this?
And yeah, it's a whole process.
You need to submit an application, create a video of yourself,
and stand out from the crowd because only 14 are chosen to compete
out of hundreds of people who try out for it.
And I was like, oh, I got just the thing.
I made this Twin Peaks-style video to convince them to let me get in,
and somehow they agreed to let me get in and somehow they
agreed to let me participate. Hundreds of people apply and 14 contestants are selected every single
year. Now they actually give you the target company that you have to attack ahead of time.
So you can do your research on it, a lot of research if you want, because you want to find
as much information as you can about this company, like going through Google searches or just looking at public places.
Maybe you get a list of people and phone numbers to call
so that when it's your turn to call, you know exactly who to call and what questions to ask.
In fact, it becomes quite a lot of work to prepare for that moment
for when you're going to call someone.
You could spend a solid month learning everything you can about your target company
so you can shine when you're in the booth.
It was a major consulting firm is really all I can say. Now, these companies don't
know they're about to get hacked. It's really extraordinary to watch. It's basically a live
hack with an unsuspecting target. So she gathers as much intel as she can and heads to DEF CON to
compete. I get in that glass booth. Now all eyes and ears are on her.
Not only does she have to trick one person on the phone
to give her the information they shouldn't be giving her,
but she needs to do it in front of an audience.
But she's done improv before
and was absolutely ready for this.
I contact my target company.
I pretend to be an employee who's confused,
who's just starting out.
And I end up getting flag after flag. And I get out of the booth and I'm like, maybe I did okay.
And then there's like a standing ovation. I'm like, oh, maybe I did better than okay. And I
ended up getting second place that first time ever hacking anybody. That first time ever hacking
somebody happened in a glass booth in front of 500 people. Dang, second place.
Of course, now she's hooked.
That was fun as hell.
The nerves, the adrenaline, hacking and social engineering,
all of this she was just craving more of.
So she applies to compete again the next year.
And then I ended up getting second place the second year,
and I got second place the third year as well.
Competing three years in a row in the social engineering
contest and getting second place all three years, that's what started her career in social
engineering. After folks started seeing me get second place at DEF CON, you know, they'd see me
on stage. They'd be like, hey, I want to chat with you. Can you come speak at my company about how
you hack and how we can catch you? And I live in Silicon Valley. So I got really lucky that people started asking me to do things
that like are a job, right? Like, I'm like, oh, I guess I need to make a company. So I made social
proof security in 2017. And I mean, I live in Silicon Valley. I was so lucky. Some of my first
clients were like Facebook, Snapchat, PayPal, Twitter. And from there it was like US Air Force, NATO, Uber, Google, Cisco. It's like,
oh my gosh, you know, I feel like I just got really lucky in this life.
The crazy thing is that I've heard this story over and over. Someone who has no interest in
hacking goes to DEF CON, sees the social engineering stuff going on there, immediately wants to compete, does pretty good in the competition,
and then decides to do that for a living and start their own company.
It's mind-boggling how many lives have changed from people attending DEF CON.
Oh, it's totally wild.
I mean, if you would have asked me decades ago, like,
what did you think you were going to get into?
The word hacker would have never even made the top 100 list because I didn't know it was possible, didn't know it could be a job.
And I certainly didn't think I would be good at it.
I when I saw the concept of a hacker in TV or movies, it was usually a guy who wore a hoodie in a basement.
And I mean, I wear hoodies and basements are fine, but I didn't think that
I was going to be good enough. So yeah, you just have to see yourself in the position. And I've
had multiple women come up to me and say like, hey, I saw you in that competition, didn't realize
it was possible for people like me. And now I do this for a living. Okay, so she started a company
called Social Proof Security, which is basically social engineering for hire.
And companies were starting to hire her to see if they were vulnerable to social engineering attacks
and what they can do to stop them.
And of course, I'm fascinated by these social engineering stories.
How do you hack into a company with just your voice or your charm?
So a bank hired me to penetration test them.
Effectively, they hired me to hack them.
And they told me that I could hack via phone call, email, or chat.
And my job was to take over multiple accounts and steal access,
effectively steal the money out of the accounts.
You want to steal money out of customers' accounts?
Yes.
And when we do a penetration test, it's very particular.
I don't want to steal money from like everyday people.
That would be horrible and really scary for bank customers to just randomly have money
stolen because of a pen test.
So what we do is we create fake bank accounts.
We work with the team on the back end so that the support organization, for all intents
and purposes, sees a real customer.
But we've created fake bank accounts for me to steal so I don't actually harm real people.
But the support team doesn't know they're fake.
Okay, so this company is a bank, and she's told that she can target customer support
to see if she can access a customer's bank account.
And she's given the options to use a phone call, email, or chat to get through.
That's right. So I started with the chat feature.
And I posed as a customer to see if I could take over a customer account with just chatting.
So I told the bank support people my sob story.
I lost access to my phone, my email, my laptop.
I got lost and I had a night out and I'm traveling abroad. I mean, like the whole
story, right? And I really need access to my bank account because I'm stuck and I don't have money.
And the first thing that I usually try when I'm trying to do an account takeover
is I try to see if I can get them to change the email address or the
phone number on the account. Because if I can do that, then I can change effectively the admin on
the account. Just by changing the email address, I can then reset the password or reset to a phone
number that I control. There's SIM swapping and all of that that could happen after that. But
that's basically how it works. And they're like, oh, well, we can't do that
because we need to only send the password reset
to the email address already on your account.
Good for them.
That's the protocol they're supposed to follow.
That's exactly right.
So good job, bank.
Horrible for me as the pen tester.
A lot of times I have to play both sides of this game.
I have to train the company and update their protocols
to prevent people like
me from getting in. But when I'm first attacking them, it's so frustrating. So I try chatting with
multiple other support people. I'm trying again and again. They will not make any exceptions for
me. It doesn't matter my pretext. That's who I'm pretending to be. It doesn't matter how I contact
them, what I say, my story, nothing. So I decide to switch
to phone call-based attacking because I tend to be much more successful.
So I switched to phone calls. It leaves less of a paper trail. People tend to get less suspicious
because I can build rapport. They can hear my voice. They can hear how trustworthy I sound.
And also when I'm calling, I can spoof phone numbers. And a lot of
times that helps me gain access. Spoofing phone numbers. How is this still possible?
You can download an app from the mobile app store. And within a few taps, you can change
what phone number you're calling from to have any phone number you choose.
So you can make it look like where you're calling from is not actually where you're calling from.
Now, when I was young, I used to do this with emails.
I would love to send emails to my friends
pretending to be from the FBI
or the President of the United States.
And I'd be like, Bill, you're in serious trouble.
We're coming to get you.
Or something.
And then my friend Bill would be like freaking
out. And it was awesome fun. But then the email protocol got updated. They implemented SPF records
somewhere around 2006. And this ensures that the place you sent the emails from is where the emails
are supposed to come from. This effectively put an end to email spoofing. Of course, not all companies
configure their SPF records properly, and you can still spoof it, but at least the option is there
if you want to block someone from spoofing your email. But for phones, which have been around a
lot longer than email, it's an unpatched vulnerability in my opinion. You can still
spoof phone numbers. Yeah, it's kind of wild. In the U.S., right now,
it's still possible because all of the telcos have to make the same decisions at the same time.
And unless all of the companies get together and make the same choices, it's going to be really
hard to implement the right solution. So at least in the U.S., spoofing is still really possible for
me. Now, since phone companies refuse to fix this,
their solution was to help pass a law
making it illegal to spoof phone numbers.
So for now, it just seems like telephone companies
are just relying on the police
to help keep people from doing this.
But to me, this is an awful way to secure things.
Telephone companies can fix this if they want.
But while I see this as a vulnerability,
telephone companies have historically said, wait, why are you using telephone numbers as identifiers?
They were never meant to be identifiers. And they put the blame on us for doing that. Because for a
long time, our phones didn't have screens. So we never knew who was calling until you picked up
the phone and said hello. But then telephone companies gave us caller ID, where our phones would show who's calling.
And so I do blame telephone companies for making us think it is an identifier,
since they were charging extra for that feature back in the 90s,
and mobile phones today all come with this feature.
So I say, phone companies, turn caller ID off if you don't want us to use it as an identifier.
Otherwise, patch it so phone numbers can't be spoofed anymore. So anyway,
Rachel was trying to get into a customer's account. Let's call the customer Kelly. And
she figured out what phone number Kelly had. And Rachel spoofs her number to look like she's
calling from Kelly's phone.
I spoof my phone number.
I make it look like Kelly on the account. And by the way, on data brokerage sites,
when we're doing OSINT, open source intelligence,
typically we can find most people's phone numbers within a minute or two.
So when we're searching, we can just know,
okay, this is Kelly.
This is Kelly's phone number.
I'm going to go ahead and spoof that.
I set that up.
It usually costs me a dollar or so on the tools that are available in the app store. These are not like
heavily regulated. You can just find them on the app store. And I go ahead and I place that call.
Can you give me an example of how you sound on these calls?
You're going to make me act. Yeah. Okay. Okay. Give me one second. I got to get into character. I'm going to change me one second i gotta get into character i'm gonna
yeah yeah i'm gonna change my clothes so i can get to character here we go
okay here we go ring ring ring oh wait we both said ring okay thank you for calling the bank
how can i help you today hi i am so sorry my name is kelly smith so i'm traveling right now and I just lost my laptop. My phone's not working. I
cannot get access to any of my funds. I'm super stressed out. Can you please, please help me?
That was good. I won't make you do more. Thank you.
So yeah, I mean, they've got a script that they go through where they're just like, okay, well,
you know, do you have the last four digits of your phone number or whatever the case is to verify you?
Is that how you're challenged or what happened?
No. So this bank knew that KBA, knowledge-based authentication, things like what's your address?
What's the last four digits of your phone number?
This bank knows that that information is very easily found online.
So they don't use KBA, knowledge-based authentication, to verify your identity.
They usually use MFA, multi-factor authentication.
Now, this is great.
This is exactly what I recommend.
You know, send a code to the email address on file and make them read it out to you,
rather than going through this process of verifying identity
with information that can be found by an attacker in five minutes online. So that's good. But as an
attacker, that's going to be a challenge because I don't have access to that email address.
And when I'm spoofing a phone number, I actually can't receive text messages. And if they call back,
I'm not going to be the one that answers that phone call. I'm just spoofing. It looks like I'm calling, but I don't actually have access. Now, of course,
I could SIM swap and many criminals will do that. But for the purposes of this pen test,
that's not what I'm testing. So they say, okay, we have an edge case here. Let me see if I can
talk to my manager and have you send in a picture of your driver's license,
your social security card, and a utility bill.
And instantly I'm like, okay, bingo.
We're in.
The other half of social proof security is my husband, Evan.
He does all the technical stuff.
I do all the human hacking stuff.
This is great because I need a fake driver's license.
So I can't wait to hear how you got a fake driver's license.
No.
Okay.
So my husband, Evan, he gets to work editing a driver's license. So I can't wait to hear how you got a fake driver's license. No. Okay. So my husband, Evan, he gets to work editing a driver's license, a social security guard, and the utility bill to the exact information that they're expecting for this
account, which again, we can find through a data brokerage site. So we're hoping that this company
does not know the actual driver's license number,
the actual social security number,
and they're just looking to ensure that the name and address that are on the account
match those documents.
I can find those pieces of information through OSINT.
And a lot of times I've noticed that when they ask for these types of documents,
they don't know the right info.
They're just hoping that it matches and they stop there.
So you didn't need a real driver's license social security card. You just needed a JPEG, right? Correct. And that's the trick there. Photoshop was your friend. Photoshop,
yes. We spend all night on these driver's license, social security cards and utility bills of the
accounts we're trying to hack. I email the bank at 8 a.m. the next day.
I tell them my story.
I tell them the edge case that we have set up with support.
I send them the driver's license and social security card and utility bill.
By 9 a.m., I have full admin access to the bank account.
I have changed it to be controlled by my attacker
controlled email address, and I can steal all of the money in the account. So once I finally get in,
I have access to everything. I use the same method again and again. I get access to two
more accounts throughout the day. I end up spreading out the request so that we're not
raising suspicion with the same attack method over and over again, back to back. And in the end, we took over each bank account that we were asked to to hack
within two days. It's truly astonishing the sheer force of the human voice, its ability to persuade,
to move, to manipulate all through a simple phone call. It also reminds me of how vulnerable customer support is
to this kind of exploitation.
When you're met with a soft voice telling you a sad story,
but wrapped in kindness, it tugs at your heartstrings.
You find yourself eager to assist,
especially if you just got off the phone with a real prick
who was yelling at you about overcharging him 10 cents.
Contrast that with a kind voice that's truly asking for help.
And it really makes it hard to say no.
I know that in a lot of these organizations, there are edge cases.
So I'm helping companies say,
okay, we did this pen test.
We figured out what the edge case is.
We figured out how we got access.
How do we make sure we don't fall into this trap next time
when the real criminals get here?
So I then help them with,
okay, let's set up some edge cases back to back
so that we have something like a callback.
That would thwart spoofing.
If you don't want to use that,
you can use email verification, one-time passwords,
you know, sending a code or just a word to the email on file
and having them read that out.
SMS verification.
Okay, they claim they're calling you from this phone number,
but maybe they're just spoofing it.
See if they can read out a text message,
callbacks toward spoofing,
service codes, pins or verbal passwords.
If it's some sort of internal support ticket,
you can loop in a manager. There's so many ways to do this right that a huge part of the pen test
is not just hacking the company, but helping the company figure out what is a real practical way
that we can solve these edge cases in the future to verify identity the right way and make it
harder for you to get in the next time. Because I'll go in, I and make it harder for you to get in the next time.
Because I'll go in,
I'll make it harder for me to get in as an attacker.
And then the next year I'm like,
oh my, this is so hard for me to get in until the point where I can't get in anymore.
And that's when I'm like,
okay, you've done the most that you can do.
It's time for a sponsor break,
but stay with us because Rachel has a few more stories
that she's going to share with us.
This episode is sponsored by SpyCloud.
With major breaches and cyber attacks making the news daily,
taking action on your company's exposure is more important than ever.
I recently visited SpyCloud.com to check my darknet exposure
and was surprised by just how much stolen identity data
criminals have at their disposal,
from credentials to cookies to PII.
Knowing what's putting you and
your organization at risk and what to remediate is critical for protecting you and your users
from account takeover, session hijacking, and ransomware. SpyCloud exists to disrupt cybercrime
with a mission to end criminals' ability to profit from stolen data. With SpyCloud, a leader in
identity threat protection,
you're never in the dark about your company's exposure from third-party breaches, successful phishes,
or infostealer infections.
Get your free Darknet exposure report
at spycloud.com slash darknetdiaries.
The website is spycloud.com slash darknetdiaries.
On another engagement, Rachel was hired by a company to help them sort out an issue that they kept encountering. It was a large technology company who would sometimes buy or acquire smaller companies.
Now, when you're buying another company, you typically want to keep it quiet until the official announcement.
It could affect share price or cause panic in the company if things aren't communicated properly. But for some reason, when this technology company would
do any merger or acquisition, it would get scooped by some news agencies. The announcement would show
up on news sites way before the company was ready to tell the world. So this company was like,
Rachel, maybe you can help us figure out how this news keeps slipping out ahead of schedule.
And so they approached me about doing a pen test to figure out how this M&A info was getting leaked, where they could possibly improve their training, their messaging, their internal protocols to figure out why is this happening?
Why are folks being incentivized to talk about this and what can we do about it?
When you hear this, what's your mind first go into?
Like, you've got an insider threat somewhere.
You've got a breach, an active breach.
Yeah, so insider threats happen.
But what is usually most common is people just make a mistake.
I kind of live in this world where I assume that people are making mistakes and I try and help them.
So we came out with a few different attack methods that might work to uncover where this is happening.
Number one, I was going to attempt to pose as a journalist and reach out to various team members, asking them via social media DMs, email, text message, etc. about their experience in tech and see if I could siphon out M&A info
and just see where it goes.
And number two, I was going to apply
to their product manager role,
go through the entire hiring process
and see if I could extract M&A related info
during the question portion of the hiring interview.
I did not know what was going to work
and what wasn't, but I just wanted to try both. All right. So if you're going to pose as either
one of these people, it sounds like you're going to need a LinkedIn account or at least some
online presence. You can't just show up as a nobody, right? Or I mean, at least it helps
establish your background and your pretext. Definitely. Do you have any framework or methodology for how you establish an existing ghost in the world?
Yeah.
So we call these ghosts, we call them sock accounts.
Sometimes they'll be real people.
And so we'll fashion them pretending to be a real person.
Sometimes they'll be fake people.
And they'll just have this full life online.
With the fake journalist,
I figured it was gonna be a lot easier to pretend to be a real journalist
and just not actually be them
than create an entire persona of a fake journalist
and populate real content.
So I built a fake journalist pretext,
email, background and social media based on a real journalist who I'm not going to name, of course.
Interesting. Rachel tried to be another journalist that actually exists.
Maybe by doing something like using a similar email address or social media accounts.
But the question is, how do you know who to ask in a company to get information about upcoming mergers and acquisitions?
These are typically closely guarded secrets.
But there is a website that's extremely helpful to social engineers.
There's a website that lists pretty much every company and most of the employees that work there.
And it tells you their job title,
role, what duties they have, and full name. The website is LinkedIn. And personally,
I feel like LinkedIn is a security risk to most companies on there. It makes it really easy for
someone like Rachel to go down the list of people who work at a company and pinpoint the exact
person to target.
Once you have their name, it's probably easy to guess their email address.
It's usually first.lastname at companyname.com.
I mean, not only is there a list of people who work at most companies on LinkedIn, but they like to list their skills too.
And if someone says they've worked for a company for 10 years as a database admin,
and specifically they say they're excellent at Microsoft SQL Server,
now you can guess with high confidence this company runs Microsoft SQL Server internally,
and this person probably has the admin password for it.
And we all know how susceptible people are to phishing emails.
I mean, my opinion is if you list and stuff like that,
you're just putting like a big old beacon over your head saying, hey, I'm the person you're going to want to hack if you want to get in the database of this company. Come at me.
Essentially, the private information that should just be kept inside the company
is posted publicly for anyone to see on LinkedIn. And I mean, here's a story where the company is wondering,
hey, how come the public knows about one of our internal memos?
I say start by auditing what your employees are posting to LinkedIn.
If the company is totally cool with all this internal stuff getting posted publicly,
then maybe that's perpetuating a culture that's okay to blab about exciting news to whoever asks.
I had someone message me on LinkedIn the other day asking me,
hey, how can I get my data taken off the internet?
Like, is this your photo?
Is this where you work?
Is this where you went to school?
Is that your actual name?
And you posted all this to LinkedIn and you're wondering,
how come the internet knows all this stuff about you?
Because the thing is,
a lot of what data brokers know about us
is from the stuff we post publicly.
Data brokers are scouring our social media profiles,
our blog posts, and any mentions of us on the internet.
And then data brokers store all that information about you
that you posted.
It's frightening.
And I mean, the reality of the situation
is that anybody can do a full background search
in less than five minutes on most people in the US.
And people don't realize
that this information is out there about them.
They have no idea that it's being sold.
They just don't Google themselves.
I say we should take our own privacy seriously
because the more we don't care about our privacy, the more companies
won't care about your privacy. Anyway, as you can imagine, Rachel had this target company and was
able to quickly guess at who might know about upcoming mergers and acquisitions and started
hyper-targeting them, doing full background searches on them, gathering up their details,
and just started reaching out, acting like a journalist, emailing them, wanting to see if she can easily get this information
from people. Exactly. Or we can reach out over social media DM, you know, DM on LinkedIn or
Twitter or Instagram. And I mean, that's the thing. Journalists really do reach out using
all of those methods. So it's hard to know what's real and what's fake sometimes.
But it didn't work. No matter who she reached out to or how convincing her backstory was,
people weren't freely giving her information about upcoming mergers and acquisitions.
This method wasn't working. They let me know some minor details about excitement about potential M&A,
but they're not going to confirm any juicy details. And I try to get people on the phone
to talk with me, but I think there's just like this inherent distrust of this particular pretext. So I'm like,
okay, I got to really go for the big guns here. I want to attack via the hiring process.
Attack via the hiring process? What an interesting sentence to say.
I don't think that idea crosses many people's minds. That people applying for jobs
might have malicious intent. I've heard of the evil maid attack, but what's this called? The
phantom applicant attack? There's a lot of information that you can get just from reading
a job posting. Like when a company lists the job duties, it might tip their hand into what
endeavors the company is going to do next or expose what technology they have in the company.
And these things can be used against the company in social engineering attacks.
I think if you read enough job listings, you could probably develop a map of the data center.
Hacking into the company through the employment process is actually a decent attack vector.
I don't think many companies would expect
you to come in through that door. Anyway, what Rachel was going to do was pose as a job candidate
and try to get an interview. And in the interview, she was going to see if she could
get some insider information about upcoming mergers and acquisitions.
Something to understand is, as an attacker, this is not easy to do. I've never been a PM.
So to apply for a PM role takes a lot of background research.
I mean, I led a UX research team at a tech company.
So I do have a sense of what a PM, a product manager does,
but I am in no way prepared for a PM interview.
So I have to study for three full weeks for this role.
I'm watching YouTube videos.
I'm doing interview prep quizzes online. I'm taking free online courses like, so you want to
be a PM, like the whole nine yards. So I'm building a full persona, a resume, a Twitter, LinkedIn,
Facebook. All of these stock accounts have photos, thousands of friends, reviews of my work from
networking groups on LinkedIn, people I've never met that like you give them a review and they give you a review.
All of this stuff is so gameable.
I suppose this is stuff you do at Social Proof.
Like there's just like one person sitting over there like, hey, just keep making sock accounts all day.
I'm going to burn through them so fast.
Unfortunately, everything. I'm going to burn through them so fast. Unfortunately, yes.
We do change the names of many sock accounts,
but then you have to populate a lot of new information.
It ultimately takes me about three weeks
to build a believable social media account
and enough examples of previous PM work
to get anywhere near convincible during the interview process.
Did you get help at getting your resume to the top of the pile?
No, I just had to apply.
That's not easy.
You know, there's a lot of people don't get callbacks.
Well, during this period of time,
the tech hiring process wasn't as bad as it is in this current year.
So I apply for the role.
I get a phone screen.
I am sweating bullets
because if I don't get through this phone screen,
I will not move on to a full interview process.
I'm gonna have to do a bunch of work
to change my sock accounts on social media
to match a new persona.
It's gonna be a lot more work for me.
Luckily, it took like 45 minutes.
I passed.
I get moved on to the next round.
The next round has six different interviewers.
So is it in person?
No, virtual.
Thank goodness.
Did you try to gain any information on the first round?
No, not during the phone screen.
I wanted to get...
Because you were like, I'm going to wait for the right time.
Yeah, I was terrified that they're going to be like, this person's a weirdo. Like,
let's not move them forward. So I waited until the actual official interviewers.
And it's going to be a packed day of interviews. I have six interviews back to back all day.
These interviews are conducted over Zoom. I get all dressed up in my interview clothes that
I haven't worn in years. I'm prepped with all my anecdotes, my strengths and weaknesses, my KPIs
and success stories. And a lot of these examples I'm using are heavily focused on UX research,
because if you remember, that's something I used to do. And many PMs do have advanced UX research
skills. So I'm just like hoping that they don't think that's weird.
So I get to the first interviewer and the interviewer is like, okay, asking me all these questions.
I seem a little nervous, but they're like, oh, you know, don't worry about it.
It's going to be fine.
We go through all the PM related questions.
This person's a PM. You're nervous for all the wrong reasons.
That's what's funny here.
I know, but I have to pass.
Yeah. So I'm going through this process. I mean, but I have to pass. Yeah. So I'm going through
this process. I mean, they're used to people being nervous. And so I could see them saying,
oh, it's fine. You're doing great. Don't worry about it. And you're like, oh, thanks,
because I'm trying to hack you. No, see, the funny thing is when you're hacking people,
a lot of times it makes sense for your pretext to match how you're actually going to feel when
you're hacking. Yeah. And a lot of times you are nervous when you're calling support because you
can't gain access to your bank account. You are uncomfortable during an interview. These are
normal human emotions. And so it's okay to not be way too overconfident. Sometimes that can even
read as strange. So yeah, I mean, I'm sweating bullets. It's clear I'm nervous.
We finally get to the end and the interviewer says,
so do you have any questions for me about the role?
I have never been sweatier in my life.
This is it.
If they get suspicious during this moment,
all of my work is for nothing.
So I say,
I am so excited about this company.
I hear there's a lot of opportunity for growth.
I did a bunch of research.
I did find a few news stories that mentioned XYZ potential merger.
I know you can't confirm anything,
but I just want to understand what an integration process looks like
at your company during an M&A.
I know you can't confirm anything again,
but I just want to understand how my role could potentially change over time.
The interviewer takes a beat and says, you're right. I can't confirm anything.
And my heart sinks. I'm like, no, this person's trained. And then they go, but just because I can't confirm doesn't mean I can't talk in generalities, right? And winks, actually winks.
I'm like, oh, this is going to be so good.
So there's a lot of hand waving and, you know, I can't confirm, but throughout the rest of these interviews.
But it seems that everyone at this company knows you're not allowed to say information in plain language about M&As.
But that doesn't mean that I can't glean pretty serious details about the upcoming acquisition plans
that have been clearly discussed internally.
By the end of this day,
I got M&A info out of three of the six interviewers.
So 50%.
What kind of info are we talking?
Yeah, so they wouldn't tell me the names of the companies
that were potentially going to be acquired.
But I would say things like,
I saw a rumor about XYZ company.
Is this the type of company that you would be excited about?
And then the wink, wink, hand-waving process starts of,
you know, I can't confirm it,
but we are interested in integrating things like X, Y, Z.
So I was able to glean information such that when I reported it back to the team, they were like,
I mean, yeah, you got the right information. Nobody said anything in plain language,
but you can get people to say things kind of beating around the bush.
So in the end, I got M&A info out of 50% of the interviewers, three out of six.
I debrief with the security team.
I asked them when they want to discuss the results with the organization.
They say, well, let's just wait up and just finish the hiring process so that it's not
a distraction to them.
And in the meantime, the next day, I actually get an email that I used to apply for this role,
that I was being moved to the next stage
of the interview process to get an offer.
So not only did I siphon out the info I needed
during the interview pen test,
I also got the job, I guess.
Well, congratulations.
I hope that goes on your resume.
I know, I should put PM on there.
So she meets with the security team and explains to them how she found out about all this upcoming mergers and acquisitions.
And together they had a chat about whether this was just an obscure edge case or a bigger problem.
They realized that when they explained to people that they were not allowed to say the words of the acquisition,
they realized that they needed to be clearer in their
communication. That, no, just because you're not saying we are acquiring XYZ company, it doesn't
mean that friends, family on social media, people can't glean information to understand,
oh, they're interested in AI. This person's talking about how their role's going to change.
They're talking about how much they love this specific technology and they're tagging certain companies on Instagram or Twitter. They realized that they needed to be much more specific
in their protocols and language saying, when we're planning an acquisition, once we talk about it
internally, please do not talk about it even in a hand-waving
fashion with friends or family or on social media. Don't talk about how your role is going to change
on LinkedIn. Don't talk about what you're excited about upcoming on Instagram. They had to be really
clear about that. And once they did that, those leaks stopped because it wasn't an insider threat.
It was just people not 100% getting what an attacker is interested in and how they could find that info.
Oh, so it did solve the problem.
It did.
Yeah, it doesn't necessarily mean that it's coming through the interview process.
Now, maybe it was, but it's probably just that people in general at the company didn't understand that when talking in generalities, that can be used by attackers too. Yeah. And then you probably had recordings to show concrete proof of,
here's, when you say this, I'm hearing this.
Exactly. And they were like, oh, I get it.
So I can't say that we're talking about this technology
and how it's going to change my role as a product manager,
because that tips off people to understand
that we're going to be acquiring XYZ company in the next six months. That's where these leaks are coming from. So, you know, you came on my radar because
you sometimes just create these crazy viral instances online where I've seen you hack a,
who's Donnie from? Donnie O'Sullivan from CNN.
From CNN. So I've seen you hack a CNN
correspondent. I've seen you
hack voting machines before.
I've seen you do all kinds of crazy
things that suddenly you've got like a million views
on this thing. And I'm just
like, well, there she is again. Rachel's out there
doing things.
But one thing was
interesting was when you went on 60 Minutes.
Yeah, last year or so,
I started talking more on Twitter
about how I'm seeing AI get used
by criminals to trick people.
So I'm talking about this,
scammers are tricking grandparents
out of 1500 bucks,
posing as their grandson,
spoofing the grandson's phone number,
voice cloning,
or just like modulating the pitch
to sound like the grandson and saying they need money for bail. Just talking about these examples.
60 Minutes sees this. They email me. They reach out. They say, hey, we want you to do a hack live.
It's actually got to trick somebody. Can you do that with us? And I'm like, I mean, yeah,
I can do that, but it's complicated. I've done a lot of
these live hacks over the years for large media pieces. You know, I need consent. Before I do any
sort of hacking, I get consent. Like when I hacked CNN's Donio Sullivan, I hacked him through his
service providers, and I also hacked him through his leaked passwords. And I had his consent with
a lengthy contracting process and scope discussion before I was able to contact his service providers
pretending to be him. Before I was able to log into his LinkedIn using his breached passwords
and the things that I found online. So I started explaining to them how much consent I'm going to
need. And they're like, I mean, well, we'll try. We'll just try and see what happens.
So I start to talk to them about who my target is going to be.
They want my target to be Sharon Alfonsi.
She's an awesome correspondent for 60 Minutes.
Rachel Toback is what's called an ethical hacker.
She studies how these criminals operate.
So ethical hackers, we step in and show you how it works.
So the mission was to use AI to somehow trick and scam the host of 60 Minutes while on the show.
But the problem is the host needs to consent to being targeted,
which if she knows she's going to be scammed while on her show,
it'll really put her guard up, right? So she's going to be scammed while on her show, it'll really put her
guard up, right? So this was going to be tricky. How do you trick someone who's asking you to trick
them? She's got a lot of information about her online, so I do my OSINT. Because the host of
60 Minutes has been on TV for years, Rachel realized there's a lot of audio of Sharon talking.
This might be useful. Maybe she can somehow use Sharon's voice to do
something. I determined through OSINT, open source intelligence, that the best way to do this hack
was to trick her coworker while pretending to be Sharon. Because sometimes our coworkers
have just as much info and access on us as we do about ourselves. So I needed to get consent from
the coworker. And here's the massive challenge. I needed to get her coworkers consent because she
was a major part of the hack. This coworker is named Elizabeth. I contacted her. I was like,
this is what we're going to do. We're going to do this hack. You need to consent to essentially being part of the hack, but you don't know when,
where, or how it's going to happen. You don't know who I'm going to pretend to be.
You're not going to know the method of the attack, whether it's going to be a phone call,
email, text, contacting your service providers, pretending to be you.
Elizabeth is awesome. She's like, that's fine.
That's like completely fine.
I'm really excited.
And I'm like, okay, let's do this.
So I decided that I wanted to do a phone call
because I wanted to clone Sharon's voice
and spoof Sharon's phone number to Elizabeth
and trick her during a phone call
to reveal some sort of personal
information to me. Now, Sharon is a famous reporter, so her voice is everywhere. I grabbed
about five minutes worth of samples of her voice just from YouTube videos from 60 Minutes.
I put her voice into my voice cloning tool. I start tweaking the tool. There's voice clone
settings for things like clarity, voice stability, style
exaggeration. And I finally get the settings tweaked to a point where I feel like it's going
to be credible at all during a phone call, but it's not 100% perfect. And I do my open source
intelligence to find the right phone numbers to spoof and the right phone numbers to call.
Like I said, data brokerage sites have personal contact details for almost everyone.
And I need to find the right details to use during the hack,
like upcoming travel,
the right information to try and siphon out for the demo.
You can find most of this stuff through social media
when people talk about their lives.
The only issue.
Now, I'm going to have to somehow get Elizabeth to participate in this hack without her realizing it's the hack itself going down.
How am I going to do that?
She's already consented to this and she knows it's coming.
So I figure the only way that this is going to work is if it feels natural within the filming day.
Otherwise, how is the film team going to catch the hack live
so that anyone in the audience can watch it?
Yeah, so they've got the cameras on you.
They've got you in the studio.
They've got Sharon there.
Not yet.
Let me tell you these details.
So I get my hair and makeup done for 60 minutes, right?
I'm doing my vocal warm-ups. I'm like, la, la, la, la, la, minutes, right? I'm doing my vocal warmups.
I'm like, la, la, la, la, la, la, la.
I'm getting ready for recording.
Sharon's still in her room prepping for the day.
The light and the sound crew
are getting the gear ready for the shoot.
Elizabeth shows up.
She's getting ready.
I pull aside the head of the sound and lighting crew
and I let them know that I think the only way
they're gonna be able to catch this hack
on camera live is this.
I'm going to go out into the hallway
with my computer and phone.
You, the camera crew, cannot follow me
because it'll be way too obvious to Elizabeth
if you follow me.
And it really shouldn't matter anyway
because it will be me on the other end of the phone call.
So you should catch the interaction from her end anyway.
So you, the crew, must ask Elizabeth
to stand in for Sharon
so you can get lighting, sound, everything prepped
so that when Sharon finally comes down,
she can just slide into the shot and we can get started.
That way, when I start the hack,
you'll be able to actually see and hear Elizabeth
and be able to catch the attack in motion.
Wow.
The crew is like, what did we sign up for?
This is ridiculous. I am so nauseated by this plan. Like I'm so freaked out by this because
if this doesn't work and Elizabeth is like, sure, crew, I'll stand in for Sharon and immediately
realizes what is happening. Then this entire shoot, all 15 members of the 60 Minutes team, the lighting
crew, sound, hair, makeup, everybody's here for nothing. And I will just have to basically
demonstrate what I would have done. That's not going to be fun for anyone. And now mind you,
it's like 7am. So this feels like the crack of dawn for all of us. People haven't even,
they have not even had a cup of coffee yet. So people are like, okay, Rachel, sure, we'll do that. So I walk over to my hacker laptop.
I announced to the room that I need to go help my team with something back home. So before we
get started for the day, everyone get your coffee, whatever, set up. They say, no worries. I step out
into the hallway. I've got my laptop and phone. I can't hear anything that's happening in the
ballroom now where we're filming.
I just have to hope that the sound and lighting crew have successfully gotten Elizabeth into the quote stand-in position with the sound and lighting on because otherwise they're not going
to catch this. And like, I'm not going to fake it for them later. It needs to be real. So I'm just
like praying this works. So I open up my voice cloning tool in the hallway. I type in my opening
line into the voice cloning tool. And to be clear, this voice cloning tool, I cloned Sharon's voice.
I can then type in any words and it will spit out those words spoken in Sharon's voice.
So I type in my opening line. My opening line is, Elizabeth, sorry, need my passport number because Ukraine
trip is on. Can you read that out to me? It has to be short and sweet, direct and to the point
without requiring a lot of follow-up because the issue with these tools is there's a delay
in me typing it into the voice cloning tool. And when it spits out the words in Sharon's voice,
I'm also holding my phone up to
the computer. So there's like kind of a strange audio vibe going on with this phone call. And I
just want to minimize it and make it happen as fast as possible. So I open up my spoofing tool
on my phone. I type in Sharon's number to spoof. I type in Elizabeth's phone number to call.
I hit go. It is 100% silent.
I hear Elizabeth's phone.
It's audibly ringing inside of the ballroom.
And I'm just hoping she like goes over and picks it up, right?
My stomach's in knots.
I am sweating profusely.
And then I hear her go, hello?
Sharon.
Like I hear it through my phone and I can also hear it in the ballroom.
And I'm like, oh my God, she can like hear out here.
So I hit my voice cloning play button. It starts playing Sharon's voice asking
for the passport number. Elizabeth, sorry, need my passport number because the Ukraine trip is on.
Can you read that out to me? And then silence. For what feels like hours, I am sick to my stomach. My hands are shaking.
This forever silence that I was experiencing was Elizabeth holding her phone in her hand,
looking at the caller ID during the call to ensure it really does say Sharon,
because the voice sounds weird.
I mean, I'm voice cloning plus spoofing.
So it looks like it's calling from Sharon, but it sounds kind of far away
because I'm holding my phone up to the computer. Elizabeth finally responds. Oh, yes, yes, yes, I do have it.
Okay, ready? And then she reads out the passport number I just asked for.
I'm like, let's just get off this call as soon as possible. So I say, thank you. She starts asking
me questions. You know, when am I going to be down for the shoot? Do I need anything else? And I have to deal with this delay back and forth typing in my replies.
So I'm just thrilled that by this point, I like siphoned out information. And I just wanted to
get off this call as fast as I possibly could. So I said, I'm just coming down. And I end the call.
I walk into the ballroom. Elizabeth is sitting under the lights with
the mic pinned on her. And I'm like, oh my God, it worked. All I have to do now is do the interview
with Sharon and explain the mechanics of the hack to her live and make sure that Elizabeth knows
that anyone would fall for this style of hack because most people don't realize it's possible
yet. I wanted to make sure she didn't feel horrible about it.
And yeah, she did the interview and explained what just happened,
how she tricked Elizabeth into giving Sharon's passport number.
But after listening to this story, I got really curious about this voice cloning tool
and wanted to try it myself.
So to clone someone's voice,
you give it a bunch of audio of them talking,
and using some advanced AI, it will get to know that voice.
And whatever you type, it'll say it in their voice.
I spent a few hours playing around in this tool,
and I cloned my voice.
I think it's really interesting.
Okay, I want to show you.
I'm going to play two clips for you.
I want you to listen and try to figure out which one is AI generated. Ready? Here's clip one. Hey,
this is Jack Recider. This morning I had a peanut butter and chocolate smoothie for breakfast.
Okay, here's clip two. Hey, this is Jack Recider. This morning I had a peanut butter and chocolate
smoothie for breakfast. Okay, punch in your votes. Ready for me
to tell you? Both clips were AI generated. In fact, what you're hearing right now is AI generated too.
I switched to having AI talk for me a few minutes back. I just type whatever I want,
and it'll narrate it for me. It's really wild. It even adds in breaths like this. Listen.
And sometimes it'll even add plosives like how the P sounds in nope. It's really wild. It even adds in breaths like this. Listen. And sometimes it'll even add
plosives like how the P sounds in nope. It's crazy how good this sounds. Huh. Okay. Okay.
I'll switch back to my normal voice now. There is, I'm using my real voice now. Okay.
The future is going to be weird, isn't it? Okay. So I just saw this article the other day on CNN's
website and it said there was this guy working for a company in Hong Kong who controlled the finances
for that company. And he got invited to a video call with the CEO and a few other colleagues that
he recognized, and he saw them on the screen. He heard their voices, and he was positive it was
the CEO and his colleagues. And they were telling him there's this new deal that just finished up,
and they wanted him to send $25 million to another company. So he did. But the problem was the video and the voices
were all AI clones. Scammers tricked him into thinking he was on a video call with the CEO.
And our future is almost surely not going to be what we think it's going to be.
I have a feeling we're going to have a hard time
knowing what's reality and what's fiction.
Yeah, it's a good point.
Hey, Jack, can I jump in here?
Yeah, who's this?
This is Daniel Meisler.
Oh, hey, Daniel.
Yeah, what do you have to say about this?
Yeah, so what I find fascinating about this whole story
is that there's a very early concept in security
about how do I know it's you, right? And we normally don't have to worry about this with video because
seeing has always been believing. And the same with hearing for audio. But now with deepfakes
for both video and audio, we need a whole nother layer. So what I actually expect to see here is products coming out
that are basically like,
how do I establish early trust?
As soon as you join a company,
you'll probably establish keys
across all of Slack
or across all of Microsoft Teams
or something.
And that's like your predetermined channel.
I think this is a good idea.
If you can cryptographically sign something,
then that'll prove the message or video came from you.
So I imagine this could cut down on people falling for fakes.
If it's not actually signed by the person who sent it,
don't trust it.
Initially getting your key would be interesting, though.
You still have to prove who you are at the beginning, right?
And one way to do that is to verify who you are in the meat space, the real world.
When you're face-to-face and in person, it's still a valid verification technique that you are you.
But with everyone having their own cryptographic keys to prove someone is real,
the threat then moves to securing the key.
If someone else grabbed a key, they could make it look like you sent something
when really you didn't.
They just signed it using your key.
Yeah.
Yeah, absolutely.
We're going to need something like that
for all remote calls, essentially,
because it's like,
first of all,
the AI can copy both of our voices
because we have our voice out there
and that's easy to copy.
But very soon,
like I won't know, honestly,
if this is you right now on this call. Yeah. But very soon, like, I won't know, honestly, if this is you right now on this call.
Yeah.
I just imagine, like, making a whole CAPTCHA network for everyone I know, right?
So my dad calls me on the phone and it says, before you can connect to this party, please solve this CAPTCHA.
Exactly.
Exactly.
There's going to be some sort of challenge or, like, predetermined, like, key exchange.
Yeah.
Oh, my gosh.
I personally am excited about our future.
We are smarter than ever and more advanced than ever.
And it feels like the human race
is going through a Cambrian explosion of sorts
with all new technologies and advancements
popping off almost daily.
We're living in the exponential era.
Time will move faster from here on out,
and we get to witness it.
We have tickets to watch the birth of Human 2.0.
How special is that?
Whatever comes next will surely be exciting. Thank you. Recider. Our editor is the gourmet sorbet Tristan Ledger. Mixing done by Proximity Sound and our intro music is by
the mysterious Brickmaster Cylinder.
How does a computer
get drunk? It takes
screenshots. This is
Darknet Diaries. We'll see you next time.