Security experts have warned of a surge in attacker interest in voice cloning as a service (VCaaS) on the dark web designed to streamline deepfake-based fraud.
Recorded Future’s latest report, I have no mouth so I have to commit a crimebased on threat intelligence analysis of conversations about underground cybercrime.
Deepfake audio technology can mimic the voice of a target to bypass multi-factor authentication, spread misinformation and disinformation, and increase the effectiveness of social engineering in business email compromise (BEC)-style attacks, among others. can.
For more information on deepfakes, see FBI: Note that deepfakes are being used in remote job applications.
Recorded Future warned that ready-to-use voice cloning platforms are now available on the dark web, lowering the barrier to entry for cybercriminals. Vendors claimed that some were free to use with a registered account, while others cost just over $5 a month.
Spoofing, callback fraud, and voice phishing are frequently mentioned in the context of such tools in conversations observed by Recorded Future.
In some cases, cybercriminals are abusing legitimate tools intended for use in audiobook narration, movie and TV dubbing, voice acting, advertising, and more.
One obviously popular option is Eleven Labs’ Prime Voice AI software, a browser-based text-to-speech tool. It allows users to upload custom voice samples for a premium fee.
But by restricting the use of tools to paying customers, the vendor encouraged further innovation in the dark web, according to the report.
“This has led to increased mention of threat actors selling paid accounts to Eleven Labs or promoting VCaaS services. It has opened the door to commoditized cybercrime,” the report continues.
Fortunately, many of today’s deepfake voice technologies are limited in that they can only generate one-off samples that cannot be used for real-time augmented conversations. But Recorded Future argued that an industry-wide approach is needed to address this threat before it spreads.
“Risk mitigation strategies must be multidisciplinary and address root causes such as social engineering, phishing and fraud, and disinformation. attack,” the report concludes.
“Thus, adopting a framework that educates employees, users, and customers about the threats it poses is more effective in the short term than fighting the abuse of the technology itself, and this is a long-term strategic goal. There should be.”
Information security reached out to Recorded Future for further comment, but was reluctant to provide more than the report.
