How the Attack Was Organized

The attack was based on the following scenario. First, the attackers created a fake WhatsApp profile with a profile picture taken from WPP press releases [1]. Using that fake profile they reached a senior WPP employee through a WhatsApp message.

Then came an MS Teams call with a request for an immediate meeting. During the call the attackers used two technologies: a deepfake video with Mark Read’s face and a deepfake voice imitating Mark Read’s speech style [2].

The attackers asked for the creation of a new entity and for financial information and passports.

Why WPP Revealed the Incident Publicly

The CEO of the largest advertising holding in the world revealed an ongoing attack in an official letter to his employees [3]. This was an extraordinary step for such a public company, which speaks volumes.

The letter warned employees of the attackers' sophistication and urged them not to act on strange or urgent requests, particularly when they arrive via channels without a verified identity. The letter noted that WPP never asks its employees to reveal passwords or financial or passport information in MS Teams.

The disclosure by the CEO was intended as an early warning for thousands of WPP employees worldwide who may be targeted in the future.

Why the WPP Case Is Important and Why Advertising Companies Will Be Targeted

The WPP case demonstrates a new approach to choosing targets: not technology firms and banks with their robust technical security policies, but advertising and media companies. Why?

WPP manages hundreds of brands, agencies, and billion-dollar budgets. Its employees regularly deal with sensitive client information, complex media strategies, and financial information.

This type of company, unlike banks or IT firms, has high informational value and relatively low technical protection standards, which makes it a valuable target for attackers.

In addition, WPP and similar organizations form a corporate ecosystem in which money and confidential information move without adequate protection measures.

“I’m sorry to have to bring this to your attention, but I want to let everyone know that I’ve just seen a sophisticated cyber scam being run on the firm. Please be very careful of anything that is out of the ordinary, including unusual requests for financial information or passwords. The firm does not make any requests like that in video or Teams chats. Mark.”

— Mark Read, CEO of WPP, May 2024

How SYNHAWK Detects This Type of Attack

SYNHAWK PROTECTION: This case involves a combined threat: video and voice deepfakes used simultaneously. The HAWK 7 and VYRA 9 modules of SYNHAWK provide the necessary protection: the former analyses audio streams and alerts on any signs of AI manipulation, and the latter detects visual forgery in video.