Nick Savvides Chief Technology Officer, APJ at Symantec came across a new kind of attack on a call centres this year which managed to surprise the cyber security executive.
Traditionally the bad guys would try to hold call centres to ransom by tying up all their phone lines so they couldn’t take any customer service calls or receive phone payments.
They used to do this by using robo diallers to make phone calls designed to occupy call centre operators until company paid to make the problem go away. But over time the humans at the end of the line got good at realising they weren’t in fact speaking to a human and would quickly hang up.
“So it becomes a race of how many calls you can place, how can I saturate the carrier?” Savvides explained during a media event in Sydney last week.
That style of attack has now evolved.
According to Savvides, this year his client started getting phone calls from an AI which was successfully occupying the operator for a few minutes before they realised they were talking to a machine.
A similar style of tech was demoed by Google earlier this year, with Duplex making a hair cut appointment of behalf of this owner.
“I was floored,” Savvides said. “I really didn’t think the price [of developing and operating AI] had come down that far in such a short amount of time.”
The economics of AI have shifted dramatically in the favour of business thanks to open source tools, cloud services and machine learning platforms. But those same tools have also lowered the barriers of entry for cyber criminals.
Savvides believes AI’s ability to mimic human language at scale will be used to accelerate and amplify social engineering attacks — scams used by criminals get victims to hand over information or click suspicious links.
Take spear phishing emails for example.
“Imagine a bad guy has an AI that they’ve trained using from inputs all over the internet to write a spearfishing email,” Savvides said.
“I’ve spoken at a conference and someone sent me an email saying ‘hey Nick, loved your talk. I took some photos do you want to check them out?’ With a link to malware.
“That’s manual. A human has had to do that. Imagine I have an AI that does this every day, non-stop, it doesn’t get tired, it reads everything, it doesn’t don’t get bored and I’m just going to target people with specially crafted emails.”
Cyber security defenders will also use AI to counter attacks and identify vulnerabilities, Symantec predicts.
“Looking for vulnerabilities is often a very manual process and I think AI use in discovering new vulnerabilities we become commonplace among criminal actors in 2019,” he said.