Beware of Cyber-Crooks Plotting To Steal Your Face 

Human faces, fingerprints and other biometrics are fast replacing passwords in an effort to outwit cybercriminals bent on digital robbery. Whether it is making an online purchase, accessing a bank account, signing up for a digital service or unlocking a phone, the correct face is often necessary to complete the task. 

Now, internet fraudsters are seeking to steal your face, too, says Stuart Wells, chief technology officer at Jumio, a cyber-security firm. 

In the latest high-tech scam, he says, online crooks are manipulating facial-recognition technology that protects consumers’ computers, internet accounts and phone apps. In essence, these criminals are using an image of a consumer’s face to gain access. The technique is known as “camera injection,” which occurs when a fraudster bypasses the normal camera device and injects pre-recorded content or a real-time face-swap video stream or a completely made up deep fake image.  

After gaining access, an attacker can register for phony accounts and complete unauthorized transactions without you or a website manager knowing until the damage is done.   

To thwart this, organizations can and should establish controls to detect when a camera-device driver has been compromised, or a virtual camera is used, or an evaluation of a video stream indicates manipulation or fabrication. Consumers should limit images of themselves they post online. 

Facial-recognition tools are meant to supply an added level of security for organizations, and the emergence of the camera injection technique is a legitimate threat to that extra layer of protection. The first banking trojan that steals people’s faces was recently uncovered and is thought to have been used to lure a victim into a malicious app and then tricked them into face scanning,  allowing the fraudster to withdraw the equivalent of $40,000 from their bank account. 

These hackers “have introduced a new category of malware families that specialize in harvesting facial-recognition data,“ says Sharmine Low, malware analyst in Group-IB’s Asia-Pacific APAC threat intelligence team. “They have also developed a tool that facilitates direct communication between victims and cybercriminals posing as legitimate bank call centers. 

“Cybercriminals are becoming increasingly creative and adept at social engineering. By exploiting human psychology and trust, bad actors construct intricate schemes that can deceive even the most vigilant users.”