Hackers attempted to trick LastPass employee with cloned voice of CEO

Facepalm: The troubled password management company LastPass is again under attack by unknown cybercriminals trying to breach its systems. Hackers are using novel tactics involving AI algorithms, cloned voices, and social engineering.

Bad actors targeted a LastPass employee with fake WhatsApp messages, going as far as creating an audio deepfake of the company's CEO, Karim Toubba. This digital twin, which LastPass says was likely made with AI, showed a forced urgency that usually comes with traditional social engineering attempts.

LastPass explained that the unnamed employee received several calls, texts, and "at least" one audio deepfake from a fake Toubba account. The attempted communication was outside of traditional business channels, and the employee was sensible enough to ignore the requests and report the incident to the internal security team.

The security team handled the intrusion attempt, though there was no actual impact on the company. LastPass publicly shared the incident to raise awareness of new social engineering tactics employing deepfake content. What was previously only available to nation-state threat actors is now increasingly available to "common" cyber-criminals and script kiddies. Fraud campaigns leveraging impersonation of executive roles aren't so rare anymore.

Audio deepfakes have improved in quality, and the AI-based technology needed to create them is now commonplace, thanks to numerous apps and websites that even a novice can use. LastPass pointed to several high-profile incidents discovered recently, with companies falling victim to convincing AI-generated fakes that pushed them to transfer money to fraudsters.

Reports of highly sophisticated audio or video deepfakes are rare, but things could worsen as AI evolves and improves. Recent deepfake incidents involving the White House forced the FCC to intervene. Meanwhile, tech companies have agreed to proactively fight AI-generated content to avoid significant disruption in the US 2024 presidential elections.

The impersonation attempt against LastPass isn't the first of its kind, but it certainly raises an issue with how cybercriminals now perceive the company. LastPass suffered several major security breaches in the past few years, while fraudsters have tried to exploit the company's name with fake apps designed to steal users' data. LastPass said it is working closely with its partners to share intelligence and stay "one step ahead" of cybercriminals.