
Hackers ‘steal your face’ to create deepfakes that rob bank accounts


An iconic Grateful Dead lyric in the song “He’s Gone” uses what’s become a catchphrase for many Deadheads: "steal your face." It's so popular that it’s even on a bumper sticker.

"Steal your face" has taken on a new meaning for the tech world with facial recognition technology: Group-IB researchers reported a new hacking technique in which a threat actor uses social engineering to steal the victim’s facial recognition data, then creates deepfakes to gain unauthorized access to the victim’s bank account.

In a Feb. 15 blog post, Group-IB researchers said this new technique leverages a previously unknown iOS trojan, GoldPickaxe.iOS, that collects facial recognition data, identity documents, and SMS text messages.

The trojan, which runs on both iOS and Android platforms, has been active since mid-2023 and was developed by the Chinese-speaking threat actor GoldFactory, which is believed to have close ties to the Gigabud trojan.

Thus far, GoldFactory has attacked victims in Vietnam and Thailand, but Group-IB anticipated that the group will move beyond the Asia-Pacific region.

What does the new trojan mean for biometrics?

At first blush, it may seem like the sky really is falling — once a hacker has a user’s facial data, what can a user actually do about it, after all?

Think back to 2002 when hackers used gummi bears to break into fingerprint technology. It didn’t stop the progress of fingerprint recognition — and this new information from Group-IB won’t stop facial recognition technology — the industry will adjust and refine the technology.

“Biometric authentication should rarely be used as a sole form of authentication,” said Jason Soroko, senior vice president of product at Sectigo. “It’s a very handy PIN code replacement in most cases. So why isn't it more secure? It's because your fingerprints, your face, and your voice are not secrets.” 

Soroko explained that in the case of the GoldPickaxe malware reported by Group-IB, what’s novel is the recording of video to create deepfakes of the victim, which are then used for further social engineering.

“This is a scary development, but it’s not surprising,” said Soroko. “Deepfakes are very effective in social engineering. It should be noted that the trojan mobile application that’s installed by the victim has been made available via a fake Google Play store, and for iOS devices, the victim needs to utilize unusual installation methods. I suspect this means that Android users are targeted for this attack more than iOS for this reason, but everyone should be aware so they are not convinced to install fake applications.” 

John Gallagher, vice president of Viakoo Labs, added that just like personal data such as Social Security numbers and date of birth, biometrics are increasingly being scraped, stored, and analyzed by threat actors. Gallagher said biometrics alone as a method of authentication will fade away and get replaced with multi-factor authentication. 

Gallagher pointed out that IoT security is known to be weak, with IP cameras in particular vulnerable to exploitation, so it’s not hard to imagine video databases being mined for iris, fingerprint, and facial recognition data. Think of a typical office environment where the subject of interest may pass a high-resolution camera multiple times a day for several months, said Gallagher. The hackers take a bit of the iris here and a partial fingerprint there, and with enough repetition, compute power, and time, they can potentially crack a person’s full biometrics.

“This has already happened significantly with voice, and with fingerprints,” said Gallagher. “Threats are growing at AI speeds and AI solutions are needed to address them. We’ll need AI to drive more rapid expansion of zero-trust approaches, threat detection mechanisms, very early eradication of bots and malware, and multi-factor use of digital authentication methods such as certificates.”

Will LaSala, field CTO at OneSpan, said he has seen similar social-media attacks on drivers who use ride-share applications. Hackers exploit the drivers by first causing the ride-share app to believe that the hacker requested a ride; once the driver accepts the ride, the hacker calls the driver. Once the driver is on the phone with the hacker, LaSala said, the driver is told a convincing story about being a special winning driver, and all the driver has to do is read a password over the phone to the hacker.

“Of course, this password allowed the hacker into the driver’s account, and they were able to steal funds directly from the driver,” explained LaSala. “Hackers are always changing and refining their attacks. Often, it seems difficult to keep up with the biggest organizations, but they are often the first targets, so smaller institutions usually have a little time to play catch-up while the bigger organizations fend off the first wave of attacks. The security landscape is ever changing, reusing attacks from previous years — adapt to those changes to secure your users.”  

Andy Ellis, operating partner at YL Ventures, said it’s important to start with a basic premise: biometric data is useful for in-person authentication and really dangerous for remote authentication. Ellis said people should think of biometric data as a fuzzy but complex key: once it is transmitted, users aren’t authenticating the actual biometric; they are verifying something that looks a lot like a password.

“Mostly, computer systems have made this transition, but our financial systems really haven’t,” said Ellis. “Lift up a few rocks, and what’s obvious is that our financial system is built in a lot of assumed-but-not-verified trust. Identity theft — which is only a problem because financial systems have no real way to validate identity — will continue to be exacerbated by technologies like deep fakes as long as our banking institutions trust transmitted copies of a biometric.”
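The contrast Ellis draws, as an added illustration that is not part of the article: a server that matches a transmitted biometric template accepts any close-enough copy of it, while a design in which the biometric only unlocks a device-bound key and the server verifies a single-use signed challenge never receives the biometric at all. The 64-bit Hamming-distance "template" and the HMAC standing in for a device signing key are simplifying assumptions, not any specific product's protocol.

```python
import hashlib, hmac, secrets

# Templates: 64-bit values compared by Hamming distance, a "fuzzy key" (constructed model).
MATCH_THRESHOLD = 8  # up to 8 differing bits still count as the same person

def fuzzy_match(enrolled: int, presented: int) -> bool:
    return bin(enrolled ^ presented).count("1") <= MATCH_THRESHOLD

# Design 1: the biometric is transmitted and matched on the server.
class TransmittedBiometricServer:
    def __init__(self, enrolled: int):
        self.enrolled = enrolled
    def login(self, presented: int) -> bool:
        # Anything close to the enrolled face passes: live user or captured copy.
        return fuzzy_match(self.enrolled, presented)

# Design 2: the biometric only unlocks a device-bound key; the server checks a
# single-use signed challenge, never the biometric (HMAC stands in for a signing key).
class Device:
    def __init__(self, enrolled: int):
        self.enrolled = enrolled
        self.key = secrets.token_bytes(32)  # never leaves the device
    def respond(self, presented: int, challenge: bytes):
        if not fuzzy_match(self.enrolled, presented):
            return None  # local match failed: nothing is sent
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

class ChallengeResponseServer:
    def __init__(self, device_key: bytes):
        self.device_key, self.outstanding = device_key, set()
    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self.outstanding.add(c)
        return c
    def login(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.outstanding:
            return False  # unknown or already-used challenge: replay fails
        self.outstanding.discard(challenge)
        expected = hmac.new(self.device_key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    face = 0x5A5AF00D1234ABCD                # constructed enrolled template
    live, copied = face ^ 0b101, face ^ 0b1  # fresh noisy scan vs. captured copy
    s1, dev = TransmittedBiometricServer(face), Device(face)
    s2 = ChallengeResponseServer(dev.key)
    c = s2.new_challenge()
    r = dev.respond(live, c)
    return {"design1_copy_accepted": s1.login(copied),   # True: copy works
            "design2_live_ok": s2.login(c, r),           # True: first use
            "design2_replay_ok": s2.login(c, r)}         # False: replayed
```

In the second design a copy of the face data alone yields nothing the server will accept, because the response is bound to the device key and to a challenge the server issues once.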
