Cybercriminals increasingly use deepfakes to obtain employees’ login credentials, according to a new report by VMware.
The organization surveyed 125 security and incident response professionals. The Global Incident Response Threat Report sheds light on the state of cybersecurity.
Two in three professionals encountered deepfakes in one or more attacks, up 13 percent from last year. “Cybercriminals have evolved beyond using synthetic video and audio simply for influence operations or disinformation campaigns”, said Rick McElroy, principal cybersecurity strategist at VMware. “Their new goal is to use deepfake technology to compromise organizations and gain access to their environment.”
Deepfakes for cybercrime
Deepfakes have been used for disinformation for some time. In 2020, activists faked a speech by Sophie Wilmès, the former prime minister of Belgium. Audio recordings and video footage of Wilmès were edited to present environmental destruction as the cause of COVID-19. In the same year, activists spread a deepfake of a deceased journalist appearing to urge the president of Mexico to stop organized crime.
More and more cybercriminals are following suit. “Email is the top delivery method”, McElroy added. Deepfakes can be effective at obtaining employees’ login credentials. Employees may find it hard to ignore a lifelike deepfake of a manager asking them to log in to a malicious website.
Double extortion ransomware
In addition to deepfakes, respondents faced sophisticated ransomware attacks. ‘Double extortion’ occurred in a quarter of all ransomware attacks. Double extortion attacks don’t stop at data encryption. Cybercriminals may, for instance, threaten to auction the data or blackmail a victim with private information.
VMware also emphasized the risk of lateral movement, wherein cybercriminals breach multiple systems to move across a network. Lateral movement was involved in 25 percent of all attacks. Script hosts were abused in 49 percent of these cases. File storage (46 percent), PowerShell (45 percent), communications platforms (41 percent) and .NET (39 percent) were popular as well.
VMware mentioned Google Drive and OneDrive as examples of file storage. According to the organization, the finding points to a troubling lack of understanding of cloud storage platforms. Chad Skipper, global security technologist at VMware, emphasized that security teams need more insight into the movements of workloads across systems.