Threat Research

Emerging Trends in Deepfake Scam Campaigns Online

Unit42

Researchers have uncovered dozens of scam campaigns using deepfake videos of public figures to promote fraudulent investment schemes and giveaways. These campaigns share an infrastructure that points to a single threat actor group across languages and nations, featuring hundreds of newly registered domains and a network of shared hosting that complicates attribution and takedown. #QuantumAI #Deepfake

Keypoints

  • Discovery of multiple scam campaigns using deepfake videos of public figures.
  • Campaigns target specific countries and languages, including English, Spanish, French, and more.
  • Believed to originate from a single threat actor group due to similarities in tactics and infrastructure.
  • Hundreds of domains linked to these campaigns, averaging 114,000 accesses each globally.
  • Deepfake videos often feature well-known figures like Elon Musk, promoting fake investment schemes.
  • Traditional investigative techniques remain effective in identifying malicious hosting infrastructure.
  • Proactive measures, such as Advanced URL Filtering, are essential for defense against these scams.

MITRE Techniques

  • [T1566] Phishing โ€“ Threat actors use social media ads and fake news articles to lure victims to scam webpages. โ€˜Threat actors use social media ads and fake news articles to lure victims to scam webpages.โ€™
  • [T1584] Impersonation โ€“ Deepfake videos impersonate public figures to gain trust and promote scams. โ€˜Deepfake videos impersonate public figures to gain trust and promote scams.โ€™
  • [T1483] Domain Generation Algorithms โ€“ Attackers register numerous domains to host scam content and evade detection. โ€˜Attackers register numerous domains to host scam content and evade detection.โ€™
  • [T1003] Credential Dumping โ€“ Scammers collect personal information from victims through registration forms on scam sites. โ€˜Scammers collect personal information from victims through registration forms on scam sites.โ€™
  • [T1486] Data Encrypted for Impact โ€“ Scammers may lock victims out of their accounts, preventing fund withdrawal. โ€˜Scammers may lock victims out of their accounts, preventing fund withdrawal.โ€™

Indicators of Compromise

  • [Domain] Campaign hosting infrastructure โ€“ belmar-marketing.online, fiirststreeeet.top, and 2 more domains (ai-usmcollective.click, fortunatenews.com)
  • [Webpage URL] Deepfake scam landing pages โ€“ xtradgpt[.]online, euphemiouslystner[.]life
  • [Video URL] Deepfake video assets โ€“ hxxps://quontic[.]site/wp-content/uploads/2024/07/449030935_482215324194392_281914555774571171_n[.]mp4, hxxps://fortunatenews[.]com/video/quantumal__video[.]mp4
  • [Domain] KazMunayGas scam domain โ€“ coinframework[.]top
  • [Webpage URL] Invest-toolavenue[.]shop โ€“ used in World Bank-themed scams to promote a fake investment program

Read more: https://unit42.paloaltonetworks.com/dynamics-of-deepfake-scams/