[0:00] In late 2024, a CEO of a prominent cloud security startup valued at $12 million was targeted in a sophisticated deepfake voice scam. Attackers used artificial intelligence to clone the CEO's voice, creating a convincing imitation. They sent voice messages to several employees posing as the CEO and urged them to disclose their login credentials. The deception was nearly flawless; however, the attackers overlooked one detail. The CEO's public speaking voice differs from his conversational everyday tone. This discrepancy raised suspicions among the employees, ultimately preventing the breach. And how lucky was that?
[0:48] to talk more about social engineering today. Welcome back to Unlocked 403, your favorite cybersecurity podcast. I'm Becks, your host, and today with me I have a senior software engineer from ESET, Alenka. Welcome. Can I call you Alenka, or? Yeah, that's perfectly fine, or you can do Ally. Ally, okay, let's do that. It works best in English. Okay, cool. Let's do that. How long have you been an engineer and what brought you to cybersecurity? Well, specifically at ESET, I've been for five years now, almost. Okay. But I have been a coder ever since I was, like, a teen. I started in a different company and so on. I studied this, so... Cool. And why cybersecurity in specific? So I grew up around someone who is very into cybersecurity. Okay. So even when I was younger, I was fascinated by hearing about malware and things like that, but I was never into reverse engineering. When I went to work and so on, I decided to just go normally, you know, normal software houses and stuff like that. But then when I decided to change jobs, I found out that by sheer miracle and luck, ESET was at the time looking for someone with my specialty. So I was like, I can tell that I'm probably overqualified for it, but let me try. Why not? So I did, I got in, and then I got much more into it when I started to do volunteering. And what kind of volunteering do you do? I do teaching of future teachers or current teachers, children, et cetera, in terms of how to be safe online. So that kind of got me into the majority of the topics. Of course, I am not a researcher or something like that. Never will be, never want to be. Frankly, I would be more tempted to be a pentester. Oh, that's cool. Although I think it takes a very specific set of skills to do that. I have a special set of skills. It's from the movie. Okay. Which movie? Liam Neeson, the one where... The one, Taken. He's going to... Yeah, yeah, yeah. That's what I said.
I have a very particular set of skills. Anyways, with a special set of skills. You mentioned that you do volunteering and that got you into multiple different topics, but one of them, and that's what we're going to focus on today, is social engineering. And you previously mentioned that you're fairly interested in that. Why? Well, social engineering for me is interesting from the point of view that it targets psychology. And I have always been interested in psychology and how people behave in certain situations, how they act, how they make choices. Right? And that's the bread and butter of social engineering. They want to know what you will do and force you to do what they want. So it's manipulation at its core. Whether it is, you know, our compassion, our loneliness, our need to connect with people, our ego, frankly. All these things can be misused in social engineering. A major part of what you can do with social engineering is that you can gather information and get extra information that you otherwise wouldn't get. So that in itself provides a very good base for other attacks, even the technical ones. Mhm. Because if I know that you are the type of person who would use a specific software, for instance, I might want to use that against you. If I know that you seem to be a type of person who doesn't really do messenger or, like, chat applications, but you do email a lot, then maybe emailing you something would work better. Right? And of course, there is the aspect that people are doing what they want to do. We can tell them what they should be doing and they might not. What do you mean exactly, like in terms of prevention, or... Yes. So with social engineering, no one can fix it for you.
[5:04] We can educate you, we can give you tools that might help you, but in the end, if you decide to click on something, you clicked on it. It's not your fault in the sense of, oh, you wanted this, no. But we cannot prevent you from doing your behavior. No one can. Yes, but having a good security solution, that... Of course. There are things in which technology can help you, but there is the aspect of... Yeah, they can't correct your behavior. Exactly. Like if you do not want to do the preventive measures and things like that, no one can force you to. You also mentioned once when we talked before this that there is offline and online social engineering. Can you tell me the difference and... Well, the most clear difference would be one is online, one is offline, in the sense that one happens in the digital world. And one happens in our normal world we walk in. So as an example of what offline social engineering could pertain to: if I'm trying to get into a building to which I do not have access, I can use social engineering such as tailgating to try to get in. You know, I just look like I belong, I behave like I belong, I strike up a conversation with someone who does have the badge to get in. Yeah. And then just get in with them. Or you carry something. I heard that's also good. Yes. Yes, carrying things or pretending to be a repairman. Yeah. Or carrying flowers for someone, deliveries, that also works. A lot of social engineering is to a degree also acting, whether it's digitally acting or in person. Yeah. Right? So yes, getting to a place... it is very easy to find a lie that would get you in. One time we had one of our researchers, Rick Hord, here. And we talked about an attack on a power plant and I was like, but how does one get inside such a power plant? He's like, through the front door. Yeah. Yeah. Yeah. I mean, there's also the aspect that you sometimes don't need to get in to get something in.
Okay, elaborate. Very popular things like, you know, there is a disk, a USB or something in the parking lot. You just make sure it has a very interesting title on it. I've heard of one where people came into a smoking area outside of an office. Okay. And they were giving out vapes. Free vapes to, like, try them out. Except these vapes were not charged. So, but you know, you just go charge it, you can try it and it's fine. Mhm. And where do you think people normally charge devices that tend to be charged through USB? Well, their computers, of course. They plugged it in and there we go. Because people usually don't think of the devices that are just charging; they are not even used for a computer in any way.
[8:04] Yeah, but they still have access. Absolutely. They have access to the software, don't they? Absolutely. Which is why it's so good to have those, like, extension cords or such that have USB ports directly. You can just plug it in there instead of your laptop. I think a lot of the new ones now have those, actually. Yeah, yeah. Compared to that, digitally, while it can be very similar in terms of that I strike up a conversation with you, whether it is through email or some chat applications, through social media, et cetera, it also could be that I send you content that is targeted at you, and I'm trying to trick you to click on something, for instance. So you send me a private message with something? I send you an email, I send you a private message, if I get your phone number, I can send you an SMS. And that's where you get all the, like, phishing, vishing, smishing, all the -ishings. Yeah, yeah. My mom's in trouble. I need help. Oh, yes. That's a very common one. Oh, yes. And especially when you press towards compassion and fear, especially with parents, that is a powerful tool. What are some of the red flags that I should look out for? Apart from handing me an A4 folder. Yes, this might be a red flag. Yes, this might be a red flag. One of the big things is if someone is claiming repeatedly in every other sentence that, oh, I'm not a scam artist. I'm not trying to scam you. Oh, so obvious. It probably is. Yeah. Also, if a person you don't know keeps claiming that you have to trust them, that might be a red flag. Yeah. 'Cause trust is earned. Yeah. And other ones, in terms of the profiles, is if they have absolutely nothing in common with you. People sometimes add people who they don't know in real life. And it's good policy to not do that. Yeah. Like if you haven't had enough contact with this person before to know who they are, you are risking.
Then in terms of emails and things like that, if someone is telling you that they have access to your computer, it's usually safe to assume they don't. Because if they did, why wouldn't they instead do ransomware or something else that they can get money from immediately? Or just get your credentials. They wouldn't go blackmailing you into giving them 200. Yeah. Yeah. That doesn't make much sense. The last one is, do not feel like you have to be in it alone. It's not a shame to be scammed. It's bad people doing it. Exactly. It's not your fault in the sense that you should be ashamed of it. No. It can happen. It can happen to the best of us. Clearly. It absolutely can. Yeah. And the best thing is to try to be open with it and try to get help from people who might know what to do. And also, like, keep at least some AV... Blitz, have a good security solution is a good way to stay safe. As I said, there's so much more we could talk about, but unfortunately I'm going to have to cut it off right here. Thank you so much for being here. Thank you for talking to me, and thank you for educating us and for almost scamming me, and hopefully not scamming me in the future. I will get you that hot chocolate. I promise. Thank you again for being here. Thank you for talking to me. And yeah, see you next time. Well, until we talk again. Until we talk again.