Rubio deepfake a lesson that AI-powered impersonations are here to stay

After an unknown bad actor had used several AI-generated deepfakes of Marco Rubio to contact at least three foreign ministers, a US Governor, and a member of Congress, an FBI vet tells Cybernews that the problem isn’t going away anytime soon.

The US State Department said earlier this week that Russian threat actors are suspected of creating several AI deepfakes of US Secretary of State Marco Rubio and then using the AI-generated content to contact at least five foreign ministers and US officials.

The names of the officials have not been revealed, but an official cable from the State Department to all diplomatic offices said the imposter contacted some of the officials using the Signal messaging app.

The new information follows an FBI advisory issued in May that warned of cybercriminals using AI-generated voice and text messages to impersonate US senior officials – known as vishing and smishing – to target other former US government officials.

Clearly, it’s a sign that deepfake technology has become very advanced. After all, the fraudulent voice messages and texts were also said to have mimicked Rubio’s voice and writing style.

James Turgal, VP of global cyber risk and board relations at Optiv, a cybersecurity company, agrees.

The 22-year FBI veteran told Cybernews there was now a range of potential hacker deepfake applications, including political character assassination or manipulation, blackmail of public figures, brand manipulation, and theft.

The aim is to inflict damage

In cases of political character assassination, audio or video files are fabricated and released in order to damage a political aspirant.

“For example, the deepfake might depict the politician engaging in objectionable acts or saying antithetical things to the electorate,” said Turgal.

Besides, a deepfaked business, analyst, media, or regulatory persona can be used to make public comments about companies to inflict brand damage.

“Similar goals can be pursued via deepfake bot swarms, where artificial identities are created and deployed across social platforms to manipulate public perception of brand popularity,” Turgal told Cybernews.

Additionally, deepfake technology can be used to manufacture fake audio or video of celebrities and public figures engaging in compromising activity.

Attackers can also use voice cloning or AI-powered face-swaps to impersonate an influential person, such as a corporate leader. The faked persona can be used to initiate fraudulent financial transactions or to gain access to sensitive information, Turgal said.

Of course, if Rubio was really targeted by Russian bad actors, their aim was probably both to hurt America’s global standing and gain access to sensitive information or accounts.

Ways to protect yourself

Still, deepfakes obviously introduce tremendous risk on both sides of the house, according to Turgal.

If Rubio was really targeted by Russian bad actors, their aim was probably both to hurt America’s global standing and gain access to sensitive information or accounts.

“They exploit the privacy of individuals in some cases, and in others, they are used to bypass security protocols to gain access to company networks and sensitive information. They are a form of manipulation,” said the expert.

“And, with advances in artificial intelligence and machine learning, if you don’t know what to look for, it can be extremely difficult to detect audio and video deepfakes.”

It’s definitely smart to stay vigilant, though. Just learn the warning signs, Turgal advises – for example, unnatural eye movement and lack of blinking, as well as video blurriness or misalignment, are tell-tale signs of deception.

Quite obviously, always question the source of content and check their reputation. Also, question the content itself.

“Can you find higher-quality versions of the content? Deepfakes are often filmed in poor lighting or settings to hide defects in the algorithm,” said Turgal, adding that one should always try and trace the content back to the original source to see if it has been taken out of context or altered.

Finally, intent should also be questioned. Is it consistent with the source, subject, or provider? Are there surrounding circumstances to be considered? Who benefits or is harmed by the content, and what is their relationship to the source?

Denmark is going further. It’s set to become the first European country to give people copyright-like control over their face, voice, and body in a move to combat AI deepfakes and identity theft.