AI-Enhanced Fraud: Is AI Cybercrime the New Normal in Cyberattacks?

Episode Resources:

• Resilience Cybersecurity & Data Privacy

• New Ransomware Victims Surge by 47% with Gangs Targeting Small Businesses – InfoSecurity Magazine

• #RSAC: Characterless Security Training Fails to Change User Behavior – InfoSecurity Magazine

• Generative AI fueling significant rise in cyberattacks – CSO Online

• Malicious hackers are weaponizing generative AI – InfoWorld

• 3 Cybersecurity Threats Caused by Generative AI – Abnormal Security

Episode Summary

This episode delves into one of the more nefarious of the advanced applications of generative AI: use by cybercriminals in cyberattacks – AI Cybercrime. We have discussed generative AI in several prior episodes, but for the uninitiated, generative AI and large language models like ChatGPT have the ability to create realistic, human-like text. These and other types of systems can also generate images or any output that uses a significant model system. For today, we’re focusing on the increasing danger of spearfishing, a targeted cyberattack aimed at a specific individual, utilizing these AI models.

Phishing, Spear Phishing, and Generative AI

To differentiate, while phishing is akin to casting a broad net to capture as many victims as possible, spearfishing is a precise, tailored attack targeting a single individual. Historically, a significant safeguard against phishing and spear phishing was the recognizable language barriers, marked by poor grammar or incorrect usage, indicating the attacker’s non-native linguistic abilities. Most of the hackers responsible for these types of cyberattacks are believed to reside abroad, frequently in non-English speaking countries, and usually ones lacking an extradition relationship with the United States. Non-native speakers frequently have difficulty with the many nuances of the English language, with its idioms, stolen words/phrases, and numerous complex rules that may not even be reduced to teachable form.

However, with generative AI models like ChatGPT, these linguistic inconsistencies are eliminated, making AI Cybercrime more refined and harder to detect.

Generative AI Cybercrime

With the assistance of generative AI, attackers can now scrape information from platforms like LinkedIn to craft personalized, convincing spearfishing emails. By feeding the AI specific details about a potential victim, the system can generate a persuasive message aimed to deceive and manipulate the recipient.

The model streamlines the process, taking over tasks that previously required manual effort, such as data collection, crafting messages, and even sending targeted emails. This advancement not only makes attacks more effective but also allows attackers to operate with increased efficiency, relying on AI to handle the complexities.

“But… it sounded just like you?!?”

Hackers can also leverage AI tools like Chat GPT to craft emails that match the tone and style of a specific user. By accessing a user’s sent email folder, cybercriminals can feed the text of multiple emails into the AI system, which can then mimic the content of those emails to generate an email that not only is free of obvious red-flag typos but might also even include the typos that regular recipients of your emails expect from you. This adaptation means that rather than looking for overt signs of phishing, such as poor grammar or blatant errors, one must be wary of even sophisticated and well-composed emails that appear genuine.

Taking cyber-deception a step further, these attackers, equipped with AI-generated messages, can potentially compromise business accounts and send messages that genuinely seem to come from trusted colleagues. Coupled with other tactics, like creating fake websites that look identical to trusted sites, attackers can mislead users into providing critical information, including login and security information. Particularly well-crafted attacks will leave the user with no idea that they have just provided their login information to a malicious user.

Can AI Cybercrime Be Beaten?

This surge in advanced cyber threats, including AI Cybercrime, highlights an urgent need for education. Recent data suggests that small businesses, often lacking comprehensive security measures, have seen a spike in ransomware attacks over the past two years. The advent of AI-driven phishing only exacerbates these vulnerabilities. The overarching message is clear: It’s imperative to invest in cybersecurity education, ensuring individuals and businesses understand the nuanced risks and remain vigilant against emails and sites that, on the surface, appear entirely legitimate.

In cybersecurity, the fact remains that the human element is often the most unpredictable variable. Even with the best security measures in place, people are prone to click on things. This reality underscores the importance for even small businesses to have, at a minimum, basic levels of security. Using strong antivirus tools is a preliminary step that offers protection from some potential threats that might arise after users click suspicious links.

Beyond antivirus software, businesses must consider advanced measures such as email security systems, like Proofpoint, Mimecast, or Microsoft’s safe links and attachments. These systems scan and analyze links for malicious content before they ever reach the end-user. But what if smaller entities can’t access these tools? Restricting user privileges on their workstations becomes essential. Removing local admin rights can significantly reduce the risks posed by clicked links, as malware finds it harder to take root without system-level access.

Yet, technology alone isn’t the answer. User education is paramount. Traditional training methods, like making users watch videos after they click on a phishing link, aren’t always effective. To truly engage the current workforce, cybersecurity education needs innovation. The speaker foresees a future episode discussing the gamification of cybersecurity training, suggesting that making these programs interactive and engaging can potentially increase retention and application among users.

Beware the Danger of Overreaction

There is such a thing as too much security. Be wary of overly restrictive measures. While it might seem like a good idea to limit user access stringently, doing so might stifle the ability to do business. Striking a balance is critical. We also strongly caution against punishing employees who make cybersecurity mistakes, noting that fear-driven approaches could lead to over-reporting and hinder genuine progress.

Existential Problems Require Unified Responses

As AI technology grows more advanced, its misuse becomes a genuine risk. However, rather than seeing every business tackle this threat independently, we advocate collaborative efforts. Businesses need to form coalitions that can match the skill and cooperation seen in hacking communities. Believe it or not, there really aren’t that many hackers. They are, however, much better at working together and sharing resources and methods than the international businesses they target. With combined resources and expertise, businesses can potentially build robust defenses, anticipating and counteracting threats.

In Conclusion

While technological advancements in cybersecurity are necessary, so is a shift in perspective. Instead of only viewing security measures as an expense, businesses might begin to see them as investments, essential for minimizing future losses. The bottom line? We’re living in a world where cybersecurity is no longer just a tech concern but a vital aspect of daily operations for businesses everywhere. AI Cybercrime isn’t going to just go away, unlike that Nigerian Prince…

We’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and I to break down in an episode, send us an email at info@fearlessparanoia.com or reach out to us on Facebook or LinkedIn. For more information about today’s episode, be sure to check out Fearless Paranoia.com where you’ll find a full transcript as well as links to helpful resources and any research and reports discussed during this episode. While you’re there, check out our other posts and podcasts as well as additional helpful resources for learning about cybersecurity.