Social Engineering with Text-to-Speech

You’re sitting down to have a nice meal with your significant other on your one-night-a-week date night (when you can actually afford the requisite babysitter for the kids at home). Just as you land in your chair, you get an urgent text from your boss. It looks like there’s been some sort of security issue. They need you to reset your password as soon as possible by going to the link they gave you so you can use your company’s password reset tool. Your phone recognizes the number because your boss is in your Contacts, and you can see their photo and prior SMS text message history that you share with them.

The waiter comes to your table and asks what you and your partner would like to drink with your meal. Taking a few moments to review the wine list together, you decide to try out a modestly priced bottle. Your partner mentions that they made their wine choice based on the winery because it was where you had your first date together years ago. Suddenly, your phone starts ringing. Examining your phone’s screen, you see your boss’ name and photo from your Contacts; given that text message you got a moment ago, you get the distinct impression that you need to answer this call and do so while mouthing an apology to your partner.

You recognize the voice on the other end of the line, and your boss sounds irritated. “Didn’t you get the earlier text message?!? Why haven’t you reset your password yet?” The questions make you feel quite uneasy. Your boss explains that you need to reset your password because the company’s ongoing protection and prevention scans found your current login and password on the dark web. Almost everyone at the company was affected, so the company quickly made an externally facing web application that lets employees reset their passwords. That’s where the link you were texted earlier points; your boss needs you to go to that link and reset your password right now.

A little unorthodox, but you recognized the voice and the number that texted/called you… what are the chances that you click that link? A whole lot better than the chances of you doing so if some random person had texted/called, or a voice that you didn’t recognize had been on the other end of that phone call.

The ability to “spoof” the number of a phone call or text message so that it appears to come from a different number is well documented. However, in our current world of social audio apps like Clubhouse and online meeting apps like Zoom, it is entirely plausible that enough audio of your voice could be captured to train a text-to-speech algorithm to mimic your voice (or your boss’ voice). This new addition to the old attack vector of spoofed phone numbers significantly elevates the risk of successful social engineering attacks leveraging fake audio.
