The deception game
When combined with other disruptive technologies, ChatGPT-4 can exacerbate fraudulent malpractices like deepfakes and social engineering — creating an urge for preventive measures
One day, you received a call from someone claiming to be the manager of your company. Being a newly hired employee, you felt the caller sounded just like the manager. He asked you to join in a video conference to discuss an urgent matter. You were hesitant at first, but the caller was very persuasive. He told you that the matter was confidential and needed to be discussed immediately. You reluctantly agreed and joined the video conference. The manager then proceeded to ask you for sensitive information about the company, including financial reports, product development plans, and customer data. You provided the information without hesitation.
Was the person you were speaking to the real manager? It was a deepfake, a highly sophisticated computer-generated video that looked and sounded just like the manager. Were you aware that you were being duped, considering how convincing the deepfake was? The deepfake was created using ChatGPT-4 and Machine Learning, which enabled the hackers to mimic the manager's voice, facial expressions, and body language. The deepfake was so convincing that you did not even realise that you were being duped. ChatGPT-4, combined with generative video, can create high-quality disinformation, which is a potentially explosive combination. Experts say advanced video and audio deepfake tech, along with a convincing ChatGPT-4 script, could yield deepfakes that pass as genuine.
Fraud and impersonation: the dark side of ChatGPT-4
ChatGPT-4's exceptional writing capabilities are utilised by cybercriminals for advanced phishing, impersonation, and data theft. Its proficiency in generating personalised and convincing text messages has made it a tool of choice for phishing attacks, which can now avoid poorly written messages that reveal fraudulent activities. ChatGPT-4 can be used to generate harmful code and content for cyberattacks, such as ransomware encryption/decryption, spyware, keystroke loggers, and malware. Its user-friendly interface has reduced the entry barrier for cybercriminals, enabling the creation of custom phishing messages with counterfeit websites to obtain login credentials and compromise social media accounts. Hackers can also create personalised messages, impersonating legitimate sources to inject malware into users' devices, compromising their personal and financial data. With ChatGPT-4's interface, even less experienced hackers can generate complex code with ease, enhancing the speed and response quality of attacks. Its language model also allows for convincing phishing emails in the targeted audience's language that are difficult to differentiate from legitimate ones.
Social engineering with ChatGPT-4
Social engineering attacks create new challenges and risks for law-enforcement agencies, governments, businesses, and private institutions, as their widespread use makes them a desirable target for threat actors seeking to spread malware and compromise user data. ChatGPT-4 can expedite research by delivering crucial information on diverse criminal activities to an individual with no prior knowledge of a specific crime domain. ChatGPT-4 can aid in gaining insight into various crime domains, such as home invasion, terrorism, cybercrime, and child sexual abuse, without prior familiarity. ChatGPT-4's language model creates accurate spear-phishing emails in any language and can simulate social engineering attacks with social media inputs. Recognising patterns in social engineering attacks can identify online scams quickly.
Social engineering attack targets
Social engineering attacks aim to acquire sensitive information like bank accounts, and company data. Targets with greater access to the desired information are more attractive to criminals. High-value persons, prominent workers, and high-level executives are common targets of social engineering assaults because they have easier access to private data. High-profile social media influencers and individuals who tend to overshare personal information are prime targets for cyber attacks. Youngsters and personnel with less education, who are unaware of cybersecurity concerns, are also at risk.
Uncovering and probing
Scammers target those who have what they want, such as credentials, data, money, etc. They research potential victims online, examine their social media and online activity, and then craft a personalised attack based on the information they find. Because scammers have detailed information about their targets, victims are more susceptible to lower their guard.
Deception and luring
Scammers search for entry points such as email addresses, phone numbers, and social media accounts to contact their victims. To attract the victim's attention, fraudsters utilise a "hook" strategy that could involve a falsified email posing as a meeting invitation. This approach takes advantage of newly hired employees who may have limited experience with cyberattacks.
Execution of the attack
After the hook works, scammers perform various social engineering attacks. For instance, following the link to schedule a virtual interview may cause malware to be installed on your computer. This can lead to the infection of your corporate network and the theft of sensitive data. Small cybersecurity errors like this can have a significant financial impact on companies.
Retreat
After completing their mission, criminals will quickly disappear, leaving minimal evidence. It's conceivable that you may not even realise that a cyber-attack or data breach has transpired.
Preventive measures
Adhere to these suggestions to prevent social engineering attempts from stealing sensitive data and information from your organisation:
✼ Encourage workers to report suspected cybersecurity problems without worrying about penalties by fostering a good security culture;
✼ Make security awareness training a requirement for new recruits during onboarding, as they are particularly vulnerable to social engineering assaults;
✼ Regularly conduct team testing using outside services to create simulated social engineering attacks and educate vulnerable employees on how to avoid becoming victims;
✼ Keep software and hardware updated to prevent hackers from exploiting vulnerabilities in webpages and infecting them with malware;
✼ Implement data monitoring, including sensitive file monitoring in your company’s data analytics, to check for unusual behaviour such as employees downloading sensitive information outside of work hours.
A key takeaway
Social engineering can target anyone, and a single mistake can lead to serious consequences. Recognising all types of attacks is crucial, but extra protection is recommended. Consider using an identity theft and device protection tool that offers advanced security features like robust encryption, Wi-Fi/network security, malware/phishing alerts, fraud detection, and identity theft protection.
The writer is an HoD and Assistant Professor of Dept of Computer Sc & Electronics, Ramakrishna Mission Vidyamandira. Views expressed are personal