At a glance.
- FBI says deepfakes are being used for sextortion.
- Privacy advocates question Florida's new data privacy bill.
- Expert offers advice for ransomware attack victims.
FBI says deepfakes are being used for sextortion.
The US Federal Bureau of Investigation (FBI) has issued a warning alerting the public to the fact that malicious actors are creating explicit deepfakes in order to harass the victims or conduct sextortion scams. “The FBI continues to receive reports from victims, including minor children and non-consenting adults, whose photos or videos were altered into explicit content,” the warning reads. As Bleeping Computer explains, sextortion is a method of digital blackmail in which the attackers threaten to publish explicit images of the targets in order to pressure them into paying to keep the pictures under wraps. Typically the cybercriminals have acquired the images in a hack or used social engineering to coerce the victims into sharing them. But through the magic of deepfake technology, attackers are able to create the images themselves by scraping the internet for innocent public pics of the victims and then using deepfake creation tools to create very convincing explicit images. “As of April 2023, the FBI has observed an uptick in sextortion victims reporting the use of fake images or videos created from content posted on their social media sites or web postings, provided to the malicious actor upon request, or captured during video chats,” the warning reads. In some cases the attackers are skipping the extortion process and simply publishing the images on pornography sites without the victims’ knowledge. It’s worth noting that the UK recently introduced an amendment to the Online Safety Bill that has made the non-consensual sharing of deepfakes a criminal act.
(Added, 6:15 PM ET, June 7th, 2023. Professor Lisa Wilson, Member of International Cyber Expo's Advisory Council, wrote to advocate a more sophisticated approach to the challenge deepfakes pose.
"As a society we need to be taking a more holistic helicopter viewpoint on this topic and the merging cyber risks being posed. All digital content is a frontline target for advanced AI platforms like GPT3 to be used for ill-gotten gain by malicious actors to produce deepfakes and also perpetuate serious social engineering through misinformation, disinformation and false information. This is just one example of the serious implications of people not being aware of how digital content and AI can be used. I am 100% an advocate for emergent technology, however, to support this I also always advocate security by design, not security as a prescriptive measure for already known risks and issues.
"We know, for example, that utilising simple tools like uploading blockchain-protected user generated content and images via already available free applications like VDXit can and will prevent malicious actors using imagery. We also know that social media platforms have the capacity to authenticate profiles like we do financial wallets using KYC and AML but they choose not to. Legislation like the Online Safety Bill only impacts people and events when harm has already occurred. Focusing on headline-grabbing rhetoric by the media creating a new term 'sextortion' simply masks the real gravity of a bigger problem. Education of people regarding the illicit use of digital material using these sorts of topics as examples is a far better approach.")
Privacy advocates question Florida’s new data privacy bill.
CBS News reports that Ron DeSantis, governor of the US state of Florida, yesterday signed Senate Bill 262, a bill aimed at strengthening online privacy. Republican House bill sponsor Fiona McFarland stated during the bill-signing event, "This bill will give Floridians the ability to know what information big tech companies are collecting about them. It's going to give Floridians the ability to ask them to delete it and get rid of it, if they don't want them to have it anymore. It's going to give Floridians the right to opt out of their information being sold or shared to the highest bidder for profit." The new law is similar to legislation previously passed in nine other states and contains typical data privacy rights, like the right to know what data is being collected and the right to delete or limit that collection. However, the Record notes, privacy advocates have criticized Florida’s bill for focusing only on companies that make more than $1 billion in annual revenue, alleging that it's a political ploy to target Big Tech. Indeed, DeSantis said of the bill, “If a multibillion-dollar company is conspiring to take your data and sell it or use it against you, it is your right to be able to protect that data. No longer will the Big Tech oligarchs be able to commandeer your personal information and deprive you of the right to access, confirm, or delete that data as you wish.” What’s more, the bill doesn’t apply to pseudonymous information like online cookies, which privacy experts say makes it essentially useless at limiting targeted advertising. Matt Schwartz, a privacy policy analyst at Consumer Reports, stated, “While we recognize that big tech companies are usually some of the worst privacy offenders, they are far from the only privacy offenders. The Florida law should apply to any entity that collects significant amounts of consumer data. It should also make it far easier for consumers to take advantage of their rights by including a universal opt-out provision.”
Expert offers advice for ransomware attack victims.
As we previously discussed, Mercer University, a private research university located in the US state of Georgia, suffered a data breach last month that exposed the personal data of over 93,000 people, including Social Security numbers and other identifying information. The Akira ransomware group has taken credit for the attack, adding Mercer to the list of victims on its leak site. Now WMAZ reports that a class action lawsuit has been filed alleging that the school failed to implement adequate security measures. The plaintiff also says Mercer didn't act quickly enough to notify the public, and they are seeking compensation for any fraud charges as well as damages. Chad Hunt, Supervisory Special Agent with the FBI, offers his advice for individuals looking to protect themselves in such incidents. His recommendations include resetting passwords, freezing credit accounts, and staying informed about what data has been compromised.