April Fools’ Day came late last year for employees at Albert Invent, an AI-powered research and development platform for scientists.
Last year, Albert Invent co-founder and CEO Nick Talken hired a cybersecurity firm to carry out a sophisticated spear phishing attack on a group of unsuspecting engineers at his company.
Talken, a chemist, told IT Brew that he was inclined to perform the offensive raid on his employees because the startup’s systems house the intellectual property of its customers, which comprise Fortune 500 companies and chemical and personal care companies. That means it’s crucial that the startup’s security posture is top-notch.
“A lot of them, in their own words, say that we’re housing the crown jewels of the organization, and we take that responsibility extremely seriously,” Talken said.
The scheme. Talken sought the help of Coalfire, a cybersecurity and compliance service provider, to craft the elaborate phishing attack against his employees. He said he wanted Coalfire to target the employees on his team with the highest level of privileged access into its systems.
The attack was simple. Employees were sent a spear phishing email containing a malicious link, followed by a spoofed phone call from their CEO coaxing them to click it. John Hendley, VP of offensive security at Coalfire, told IT Brew that his team was able to clone Talken’s voice by inputting audio from a public webinar into an open-source model. Hendley said the tool only needed 30 seconds of audio to train with.
“We used open-source tool sets to create a facsimile of his voice, and then we used commercial spoofing software to call and spoof his phone number, to call his employees and try to get them to open a link in an email that we sent,” Hendley said. He added that anyone could perform the attack.
While Coalfire regularly offers offensive security services to clients, Hendley said Albert Invent’s request was different because Talken wanted a more advanced phishing attack simulation with AI-voice cloning.
The night before the attack, Talken said the Coalfire team used the spoofed number and cloned voice to call his wife.
“It was scary,” Talken said. “I was like, ‘This could work.’”
The aftermath. After the email and phone call were made to employees, skeptical employees quickly called Talken to verify what had happened.
“I was like, ‘I have no idea what you’re talking about…and by the way, you’ve passed the test. Thank you for calling me,’” Talken said. He said only a few employees clicked on the faux-malicious link in the email, though single sign-on blocked any further havoc. None of the employees gave up their credentials, and client data was never at risk during the exercise.
Looking back, Talken said the experience was “eye-opening” for his company and caused Albert Invent to “accelerate” internal changes to its system authentication.
“Everyone was secure, but it got close, and that is what we were looking for. Maybe more than anything else, it brought a heightened sense of awareness to our entire company of what is possible today.”