As deepfake technology rapidly evolves, its application in social engineering has reached a new level of sophistication. This talk will explore a real-world red team engagement where AI-driven deepfake voice cloning was leveraged to test an organization’s security controls. Through extensive research, we examined multiple deepfake methods, from video-based impersonation for video calls to voice cloning for phishing scenarios. Our findings revealed that audio deepfakes were the most effective and hardest to detect by human targets.
In this engagement, we successfully cloned a CTO’s voice using audio samples extracted from a publicly available podcast interview. A trained AI model was then developed to convincingly replicate the executive’s voice. This model was deployed in a social engineering campaign targeting the organization’s helpdesk, who believed I was their Chief Technology Officer for about 11 minutes.
This talk will provide attendees with an in-depth look at how threat actors exploit deepfake technology, the technical process of voice cloning, and the implications for enterprise security. We will also discuss countermeasures and detection techniques that organizations can implement to mitigate these emerging threats.
