Recently, the tech world has been abuzz with the capabilities of ChatGPT, an AI-based chatbot developed by OpenAI. This versatile tool has garnered praise for its ability to generate persuasive prose and even functional code. However, as technology evolves, so do the methods of malicious actors, and ChatGPT’s prowess is not immune to exploitation by cyber attackers.
Generative AI tools like ChatGPT have become a double-edged sword. While they empower users with impressive capabilities, they also offer malicious actors a potent means to craft convincing narratives and code, including social engineering attacks. This raises concerns about the impact of this new category of tools on cyberattacks, particularly those involving social engineering.
The era of flawless social engineering
In the past, poorly worded or grammatically incorrect emails were often telltale signs of phishing attempts. Cybersecurity awareness training emphasized identifying such anomalies to thwart potential threats. However, the emergence of ChatGPT has changed the game. Even those with limited English proficiency can now create flawless, convincing messages in perfect English, making it increasingly challenging to detect social engineering attempts.
OpenAI has implemented some safeguards in ChatGPT to prevent misuse, but these barriers are not insurmountable, especially for social engineering purposes. Malicious actors can instruct ChatGPT to generate scam emails, which can then be sent with malicious links or requests attached. The process is remarkably efficient, with ChatGPT quickly producing emails like a professional, as demonstrated in a sample email created on request.
Darktrace’s findings and the rise of AI-based social engineering attacks
Cybersecurity firm Darktrace reports a surge in AI-based social engineering attacks, attributing this trend to ChatGPT and similar tools. These attacks are becoming more sophisticated, with phishing emails becoming longer, better punctuated, and more convincing. ChatGPT’s default tone mirrors corporate communication, making it even harder to distinguish malicious messages.
The criminal learning curve
Cybercriminals are quick learners. Reports suggest that dark web forums now host discussions on exploiting ChatGPT for social engineering, with criminals in unsupported countries finding ways to bypass restrictions and harness its power. ChatGPT enables attackers to generate many unique messages, evading spam filters that look for repeated content. Moreover, it aids in creating polymorphic malware, making detection more challenging.
While ChatGPT primarily focuses on written communication, other AI tools can generate lifelike spoken words that mimic specific individuals. This voice-mimicking capability opens the door to phone calls that convincingly imitate high-profile figures. This two-pronged approach—credible emails followed by voice calls—adds a layer of deception to social engineering attacks.
Exploiting job seekers and fake ChatGPT tools
ChatGPT isn’t limited to crafting emails; it can generate cover letters and resumes at scale, exploiting job seekers in scams. Additionally, scammers capitalize on the ChatGPT craze by creating fake chatbot websites that claim to be based on OpenAI’s models. These sites, in reality, aim to steal money and harvest personal data.
Protecting against AI-enabled attacks
As AI-enabled attacks become more prevalent, organizations must adapt to this evolving threat landscape:
1. Incorporate AI-generated content in phishing simulations to familiarize employees with AI-generated communication styles.
2. Integrate generative AI awareness training into cybersecurity programs, highlighting how ChatGPT and similar tools can be exploited.
3. Employ AI-based cybersecurity tools that leverage machine learning and natural language processing to detect threats and flag suspicious communications for human review.
4. Utilize ChatGPT-based tools to identify emails written by generative AI, adding an extra layer of security.
5. Always verify the authenticity of senders in emails, chats, and texts.
6. Maintain open communication with industry peers and stay informed about emerging scams.
7. Embrace a zero-trust approach to cybersecurity, assuming threats may come from internal and external sources.
ChatGPT is just the tip of the iceberg, and similar chatbots with the potential for exploitation in social engineering attacks will likely emerge soon. While these AI tools offer significant benefits, they also pose substantial risks. Vigilance, education, and advanced cybersecurity measures are essential to stay ahead in the ongoing battle against AI-enhanced cyber threats.