Here’s something else to worry about: deepfake video calls.
When you or your customers join a videoconference, the other participants could be deepfakes.
That’s what happened in April when an employee of a cryptocurrency foundation believed they were meeting with executives from their own company and another organization. The other participants were deepfakes. During the meeting, the employee was instructed to download a Zoom extension that turned out to be a malicious file, according to managed security provider Huntress. Huntress got involved after being contacted by the victim company’s MSP.
The case underscores the critical need for MSPs to work with customers on protecting all endpoints, says Jamie Levy, director of adversary tactics at Huntress. Especially when taking on new clients, it’s important to leave nothing exposed. An unprotected machine can be compromised, and the compromise can remain undetected until a malicious payload becomes active.
How the Deepfake Video Call Unfolded
In this case, the victim company didn’t catch on for several weeks. The MSP contacted Huntress on June 11 about a potential malicious Zoom extension. The user’s machine was exhibiting unusual behavior, with “a service process that kept pulling constantly,” says Levy. “They obviously knew something was weird.”
Huntress found the user had been tricked into downloading a malicious file, which eventually stole personal information, including passwords for various websites.
It all started when the user received a message through the Telegram messaging platform from an external contact requesting a meeting time. The sender used a Calendly link that appeared to be for Google Meet but, when clicked, redirected the recipient to a fake Zoom domain controlled by the attacker.
When the user joined the conference, the deepfakes appeared to be having a conversation. The user could not hear the deepfakes and the user’s microphone was disabled, which gave the deepfakes a pretext to instruct the user to download a Zoom extension.
Immediate Signs of Malice
After being contacted by the MSP, Huntress installed its EDR agent on the compromised computer. “Immediately we had an alert that showed the backdoor for this and then we just started digging into it,” Levy says.
In a blog post detailing the case, Huntress says it recovered eight malicious binary files from the victim host. “With high confidence, Huntress attributes that this intrusion was conducted by the North Korean (DPRK) APT subgroup tracked as TA444 or BlueNoroff,” the blog says. BlueNoroff is a state-sponsored threat actor known for financially motivated attacks on cryptocurrency organizations.
Unfortunately for the user, personal data had already been stolen. The lesson for MSPs, says Levy, is to tell your clients to “trust nothing. If you do get an invite, verify what it is.” Look for signs such as whether the domain in the invite’s link is correct. If a link doesn’t work with the videoconferencing app to which it is supposed to connect, “that’s probably a bad sign,” Levy says. Tell your customers not to be afraid to pick up the phone and call the supposed invite sender for verification purposes, she adds.
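The domain check Levy describes can be done before anyone clicks. What follows is an added example, not Huntress’s tooling and not taken from the case write-up: it follows an invite link’s redirect chain and checks where it lands against the platform the invite claims to be for, flagging a landing host that belongs to a different real platform, one that is unlisted but borrows a brand name, or any plain-HTTP hop. The allow-list of platform domains, the scheduler list, the brand-word heuristic and the sample links (including the lookalike host `us05web-zoom.example`, on a reserved TLD) are all constructed assumptions, and the redirect table stands in for HTTP 3xx responses so the script runs offline; real use would fetch each hop with an HTTP client configured not to follow redirects automatically.

```python
"""Check a meeting invite link against the platform it claims to be for.

Added example; not Huntress's tooling and not from the case write-up.
Assumptions (constructed for the example): the allow-list of platform
domains, the scheduler list, the brand-word heuristic, the sample links,
and the in-memory redirect table that stands in for HTTP 3xx responses.
"""
from urllib.parse import urlparse

# Assumed allow-list: registrable domains that legitimately host meetings.
# Any subdomain of these is accepted (e.g. us05web.zoom.us).
PLATFORM_DOMAINS = {
    "zoom": {"zoom.us", "zoom.com"},
    "google_meet": {"meet.google.com"},
}
# Scheduling services that may legitimately sit in front of a meeting link.
SCHEDULER_DOMAINS = {"calendly.com"}
# Brand words in an unlisted host are a lookalike signal, not proof.
BRAND_WORDS = ("zoom", "meet", "google", "teams", "webex")
MAX_HOPS = 10

# Constructed sample links. The lure mirrors the case: a scheduling link
# presented as Google Meet that lands on an attacker-controlled "Zoom" host.
# ".example" is a reserved TLD, so the lookalike cannot resolve to a real site.
LEGIT_INVITE = "https://calendly.com/acme/intro-call"
LURE_INVITE = "https://calendly.com/acme/intro-call-2"
SIMULATED_REDIRECTS = {
    LEGIT_INVITE: "https://meet.google.com/abc-defg-hij",
    LURE_INVITE: "https://us05web-zoom.example/j/1234567890",
}


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if unparseable)."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def in_any(host: str, domains) -> bool:
    return any(under(host, d) for d in domains)


def follow_redirects(url: str, redirect_map: dict) -> list:
    """Return the hop chain starting at url. redirect_map stands in for
    HTTP 3xx responses; the hop cap guards against redirect loops."""
    chain = [url]
    while chain[-1] in redirect_map and len(chain) <= MAX_HOPS:
        chain.append(redirect_map[chain[-1]])
    return chain


def classify_invite(claimed_platform: str, url: str, redirect_map: dict) -> dict:
    """Follow the link and report every reason not to trust it."""
    chain = follow_redirects(url, redirect_map)
    final_host = host_of(chain[-1])
    findings = []

    # Every hop must be HTTPS; a plain-HTTP hop can be rewritten in transit.
    for hop in chain:
        if urlparse(hop).scheme != "https":
            findings.append(f"non-HTTPS hop: {hop}")

    # The landing host must belong to the platform the invite claims.
    if not in_any(final_host, PLATFORM_DOMAINS[claimed_platform]):
        findings.append(f"landing host {final_host!r} is not a {claimed_platform} domain")
        other = [p for p, ds in PLATFORM_DOMAINS.items()
                 if p != claimed_platform and in_any(final_host, ds)]
        if other:
            # Real platform, wrong one: the invite lied about where it goes.
            findings.append(f"landing host belongs to {other[0]}, not {claimed_platform}")
        elif any(w in final_host for w in BRAND_WORDS):
            # Unknown host borrowing a brand name: the classic lookalike.
            findings.append(f"unlisted host {final_host!r} imitates a known brand")

    # Intermediate hops may only be schedulers or the platforms themselves.
    all_platform = {d for ds in PLATFORM_DOMAINS.values() for d in ds}
    for hop in chain[:-1]:
        h = host_of(hop)
        if not (in_any(h, SCHEDULER_DOMAINS) or in_any(h, all_platform)):
            findings.append(f"unexpected intermediate host {h!r}")

    return {"chain": chain, "final_host": final_host,
            "findings": findings, "safe": not findings}


if __name__ == "__main__":
    for label, link in (("legit", LEGIT_INVITE), ("lure", LURE_INVITE)):
        verdict = classify_invite("google_meet", link, SIMULATED_REDIRECTS)
        print(label, "->", " -> ".join(verdict["chain"]))
        print("  safe" if verdict["safe"] else "  FINDINGS: " + "; ".join(verdict["findings"]))
```

Running it prints the legitimate invite as safe and the lure with two findings: the landing host is not a Google Meet domain, and the unlisted host imitates a known brand. The hostname comparison deliberately uses suffix matching on a registrable domain rather than a substring search, which is exactly the distinction a lookalike such as `us05web-zoom.example` is built to blur.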
Disconnect Previous MSP Tools
For MSPs, this incident underscores the importance of vigilance, Levy says. When taking on a new client, be sure to remove the previous MSP’s tools in addition to placing security controls on all endpoints.
“If remote management tools are still on a machine, that is definitely a risk. We’ve seen cases where all of a sudden that has been taken advantage of either by an attacker or even a malicious MSP.”
Although vendors are working on technology to help spot deepfakes, the fakes themselves have become much more convincing, Levy says. In the past, clues included features that didn’t look quite right, such as ears or hair, but the images have gotten better.
Don’t Let Fake Faces Fool You
MSPs should caution customers to treat every unknown invite, extension, or endpoint as a potential threat. As deepfakes grow more convincing, vigilance isn’t optional—it’s essential. Remind clients: Verify everything, secure every device, and never trust a Zoom face at first glance.