The National Cyber Security Centre Finland’s weekly review – 03/2024

Topics covered in this week’s review

• Deepfakes are used in cyber crimes 
• Scammers actively phishing for bank credentials
• The Finnish election system is stable and secure 
• Mark the date: Tietoturva 2024 information security seminar on 13 March 2024 
• Vulnerabilities

Deepfakes are used in cyber crimes

Deepfakes are image, video or audio material that appears genuine, but has actually been produced by combining or manipulating existing material with the help of machine-learning AI.

Cyber scams are committed using many different techniques, and the use of deepfakes in cyber crimes has been discussed in the international media for a while now. For criminals, producing deepfakes is an appealing way of scamming the employees, damaging the reputation and creating false impressions of organisations. Deepfakes have also been used as part of information influencing activities to influence public discussion, political decisions and elections, for example.

In light of the few individual reports that the NCSC-FI has received about them, the use of Finnish-language deepfakes does not appear to be very common as of yet. The cases reported to the NCSC-FI have involved the voices of public figures being faked to present statements in Finnish that the real persons have not presented. This week, the NCSC-FI also received a report of a case involving the voice of an organisation’s CEO being cloned to request a large money transfer. In this particular case, the language used was English.

Creating a deepfake requires a lot of material of the person being faked. Deepfakes that involve a public figure saying or doing something that they have not actually said or done pop up in the media every now and then. Users of social media service are also familiar with face swaps (a way of swapping the faces of the persons talking in a video), which utilises deepfake technology.

How to spot a deepfake

Spotting deepfakes is constantly becoming more difficult as the technology continues to develop. That being said, here are some tips that can help you detect a deepfake:

• Be critical of the media. Watch, listen to and analyse material critically. 
• Examine videos closely; pause the video and zoom in, where possible.
• The fingers and the number thereof of the persons depicted, eye movements and blurring can give away a deepfake.
• A deepfake video can also sometimes be detected based on the parts where the faked face settles on to the face of the person beneath. These parts can look unnaturally smooth. 
• To spot an audio deepfake, you can try asking the person something only the real person would know the answer to. Audio deepfakes can also use unusual expressions or ask you to do something surprising, such as make large money transfers.

In the future, measures to prevent the exploitation of deepfakes will increase on the part of the service providers as well.

Scammers actively phishing for bank credentials 

There are currently a lot of email, text message and phone scams centred around different themes and companies’ product names going around. Over the past week, the NCSC-FI has received numerous reports of bank credential phishing using genuine-looking messages impersonating airlines, banks and the MyKanta service, for example. Furthermore, scam calls are being made not only in the name of Finnish banks and companies, but Bank Norwegian as well.

Scam messages under the name of Nordea and the MyKanta service

As regards banks, there have been a lot of phishing messages going around in recent days under the name of Nordea in particular. The scam messages use subject lines such as "Viite #46AHDEXF17- Tarvitaan kiireellisiä toimia: Epäilyttäviä tapahtumia pankkitililläsi (“Reference #46AHDEXF17- Urgent action required: Suspicious activity on your bank account”). According to the messages, the bank has noticed suspicious activity on the recipient’s bank account and wants to ensure the security of the account. The messages include a link via which the recipient can supposedly review the suspicious transactions.

In the scam messages sent under the name of MyKanta, the recipient is asked to click the included link to update their health information in MyKanta. According to the message, doing so is necessary to ensure the continuity and best possible quality of health care services.

In both cases, the links lead to a phishing site asking for the recipient’s bank credentials. Any information entered on the phishing site ends up in the hands of criminals. 

Scam messages centred around credit cards and home improvement loans

"Hyvä herra/rouva, luottokorttinne on estetty” (“Dear Sir/Madam, your credit card has been blocked”) claims a message spoofed to look like it was sent by Finnair. The scam message tries to scare the victim into clicking a link leading to a phishing site, where the victim is asked to identify themself using their online bank credentials. This time, the pretence is the verification of a Finnair Plus Visa credit card.

Scams also being carried out over the phone

The scammers try to scare their victims with unwarranted home improvement loans or other bank transactions and ask the victim to share their bank credentials over the phone. During the confusing scam call, the scammers try to convince the victim that someone has been opening accounts at different banks under their name.

Scammers will typically claim that they are a bank employee, a police officer or some other person of authority. Whatever the case, you should never share your bank credentials with anyone via email, text message or phone call.

What to do if you become the target of a scam attempt

Online bank credentials are used for many other purposes besides logging in to your online bank, including strong identification for public services and many commercial services, which criminals are well aware of. As such, it is important to keep in mind that you should never share sensitive information, such as personal data or your bank credentials, via text message or email. If you receive a message asking you to share such information, follow these instructions:

• Do not respond to the message or enter your information in the presented fields.
• Do not click on the links included in the message.

If you suspect that your bank credentials have ended up in the wrong hands:

• Contact your bank’s customer service department and tell them what has happened.
• File a police report.
• You can also report the incident to the NCSC-FI .

Read more about how to use online services safely:

The Finnish election system is stable and secure 

The year 2024 will be a major election year both in Finland and around the world. Preparing for the presidential election and the European elections entails long-term work by several different operators, from ministries and agencies all the way to the level of municipalities and individual polling stations. 

Advance voting in the presidential election started this week. The actual election day is Sunday 28 January 2024. Finland has always been able to hold reliable elections, and the Finnish election system is stable and secure. The voting conducted with ballot papers cannot be easily interfered with by attacks on information systems. Similarly, the reliability of counting the votes by hand cannot be influenced by cyber attacks. Nonetheless, it is good to highlight some scenarios, mainly to do with information influence activities, that we may encounter in connection with the elections.

1. Denial-of-service attacks on services related to election communications and the publication of election results
2. Disinformation on candidates on fake websites, fake news sites or social media
3. So-called deepfake videos and audio recordings can be used to create the impression that a candidate has done or said something that puts them in a bad light among voters.

For several years now, Traficom’s NCSC-FI has participated in supporting the Ministry of Justice and other election officials in preparing for national elections. The smooth and secure implementation of national elections is a good example of an undertaking involving many different authorities. In general, it can be noted that Finland’s preparedness for different threats is at a high level.

Mark the date: Tietoturva 2024 information security seminar on 13 March 2024

From artificial intelligence to quantum technology – What are the next steps for cyber security and threats?

Information security, artificial intelligence and quantum technology inspire a great deal of discussion and questions. How will cyber security and threats change as a result of the development of artificial intelligence and quantum technology? How are deepfakes created and how can they be detected?

Come and discuss the next steps of the future of cyber security and threats with top industry experts from Finland and abroad.

The Tietoturva 2024 information security seminar organised by Traficom’s NCSC-FI and the National Emergency Supply Agency will be held at Sokos Hotel Presidentti in Helsinki on Wednesday 13 March 2024 at 9:00–16:30. You can participate in the seminar on-site or remotely. Due to space constraints, the seats at Hotel Presidentti are reserved primarily for representatives of organisations critical to security of supply. The event is free of charge.

We will be sending out the actual invitations and registration link to the event by the end of January. 

Vulnerabilities

CVE: CVE-2023-22527 
CVSS: 10.0
What: Critical vulnerabilities in Atlassian products
Product: Atlassian Bitbucket, Confluence, Jira, Bamboo and Crowd products. Please see Atlassian’s security bulletin for the vulnerable versions.
https://confluence.atlassian.com/security/security-bulletin-january-16-2024-1333335615.html
Fix: Atlassian recommends updating the vulnerable software versions immediately.

Further information (in Finnish): Critical vulnerabilities in Atlassian products