Identify Cybercriminals Targeting Your Network Through Compromised Recipient Email Accounts

June 14, 2024 / in Blog / by Zafar Khan, RPost CEO

The year of the cyber attack by the AI clones.

For some, it might feel like we’re speaking in sci-fi language. To those who have joined a business meeting thinking they were speaking with their colleagues, only to find out later that all those in the meeting were AI-generated clones of their business colleagues, it is shocking.

We’re here. This is the new reality. And it is going to cause absolute business chaos, chaos similar to the “COVID” moment when the world woke up to a new business reality.

We’ve spent the last three years getting used to modern tools that let us work from anywhere and still feel like we are together. Web meetings with video have become ubiquitous, and have even helped us build a bond with workers we may never meet in person. Virtual eye contact is powerful. Human connection is alluring. Now we have to unwind our trust in what we see in these web meetings, and (do I dare say) get back to in-person meetings and physical handshakes.

At the recent Gartner IT Security conference in National Harbor (Washington DC), we heard numerous stories from analysts and colleagues about how, when cybercriminals do their research and then use readily available “deep fake” and “voice replication” generative AI tools to build their clone of your staff, they can then launch a web meeting with a team of staff clones in the meeting.

One recent cybercrime played out as follows:

The cybercriminal cloned the senior IT staff and then called an emergency meeting with the CFO of the company. The stated purpose of the meeting was an overdue Amazon Web Services bill that had been gradually growing, and Amazon’s threat to cut off all AWS service by the end of the day unless $2 million was wired that day – not a full payoff of the balance, but a partial payment to bring the overdue balance down substantially.

To prepare, the cybercriminals had captured still images of the IT staff and three-second voice clips (for example, by calling a phone and capturing the voicemail greeting), and had compromised an email account using a tool like EvilProxy so they could see the actual amounts on the Amazon overdue payment notices.

Armed with this research, they sent a web meeting link to the CFO, and when the CFO joined, the CFO was interacting with four cybercriminals that appeared to be the IT staff. The CFO looked at them, heard them, saw their (deep fake) anxiety about the fallout if the AWS service was cut, was told of the business disruption, and then provided the wire instructions in the meeting chat to make the payment.

The CFO considered the implications of the business disruption if the AWS service was cut and sent $2 million that afternoon… $2 million that was ultimately routed to the cybercriminals, leaving the Amazon AWS bill still unpaid.

This type of AI Clone-Crime is playing out more and more. We predict this type of well researched clone-crime will swiftly ramp up and take many, many forms.

The only protection is to pre-empt the clone-crime with RPost PRE-Crime services, which give you an early alert when cybercriminals first compromise an email account, the account they then use to gather the intelligence that gives them the context for the perfect lures and clone conversations.

As a quick RPost re-cap, most of the sponsors of last week’s Gartner IT Security conference were providing solutions that protect you AFTER cybercriminals have targeted you. RPost can do this, but is unique in that it can ALSO identify cybercriminals staging their attack while still outside your network, as they compromise the email accounts of recipients of email that your staff sends. This is powerful pre-emptive threat intelligence and risk visibility. It lets you see what is today unseen: where leaks are happening outside your network, out in the ether, and where cybercriminals begin the process of building their clone-crime, for example.

Again, if this cybercriminal (or espionage) activity goes undetected, the cybercriminals or spies see your email content in these external email accounts, and they can then plan their clever, ultra-targeted lures.

As Gartner analysts mentioned at the conference, the business community will experience chaos in the coming months now that cybercriminals can use the latest GenAI to create deep fake and voice-replicated clones of those they are posing as. These clones are so cleverly done that the cloned staff can even join web meetings to confirm transaction details. It’s going to be chaos with GenAI clones on web meetings: chaos from a security perspective similar to the chaos from a productivity perspective we all experienced at the onset of Covid.

Only RPost Eavesdropping AI™ intelligence can detect these email impostor schemes before they cause havoc, giving your team time to pre-empt the theft (click to view the recorded webinar with a former NSA intel analyst discussing this).

And, with our RDocs remote-control document kill and RSign eSignatures (an IDC MarketScape Leader in the Worldwide eSignature report), along with our AI Auto-Lock tech, you can even auto-lock leaked content before it is seen, so that cybercriminal-induced leaks (or leaks caused by human error) don’t become reportable breaches (view the recorded webinar on this topic).

For government readers, with regard to Zero Trust strategies and the DoD Zero Trust Capabilities, these RPost capabilities add value in the Data Pillar under (4.5) Data Encryption & Rights Management (RDocs) and (4.6) Data Loss Prevention (RDocs, RMail, AI Auto-Lock), and in the Visibility & Analytics Pillar under (7.5) Threat Intelligence (Eavesdropping AI, RDocs) and (7.6) Automated Dynamic Policies (RMail Gateway, RDocs, RSign with AI Auto-Lock). And, RPost is on the AT&T GSA Schedule.