social engineering
A Taxonomy of Pix Fraud in Brazil: Attack Methodologies, AI-Driven Amplification, and Defensive Strategies
Pizzolato, Glener Lanes, Lopes, Brenda Medeiros, Schepke, Claudio, Kreutz, Diego
This work presents a review of attack methodologies targeting Pix, the instant payment system launched by the Central Bank of Brazil in 2020. The study aims to identify and classify the main types of fraud affecting users and financial institutions, highlighting the evolution and increasing sophistication of these techniques. The methodology combines a structured literature review with exploratory interviews conducted with professionals from the banking sector. The results show that fraud schemes have evolved from purely social engineering approaches to hybrid strategies that integrate human manipulation with technical exploitation. The study concludes that security measures must advance at the same pace as the growing complexity of attack methodologies, with particular emphasis on adaptive defenses and continuous user awareness.
The Trumpification of AI: What Could Go Wrong?
The below article first appeared in David Corn's newsletter, Our Land. The newsletter comes out twice a week (most of the time) and provides behind-the-scenes stories and articles about politics, media, and culture. Subscribing costs just 5 a month--but you can sign up for a free 30-day trial. There are only a few potential existential threats to human society, as far as we know. Nuclear weapons are the most obvious.
Synthetic Cancer -- Augmenting Worms with LLMs
Zimmerman, Benjamin, Zollikofer, David
With increasingly sophisticated large language models (LLMs), the potential for abuse rises drastically. As a submission to the Swiss AI Safety Prize, we present a novel type of metamorphic malware leveraging LLMs for two key processes. First, LLMs are used for automatic code rewriting to evade signature-based detection by antimalware programs. The malware then spreads its copies via email by utilizing an LLM to socially engineer email replies to encourage recipients to execute the attached malware. Our submission includes a functional minimal prototype, highlighting the risks that LLMs pose for cybersecurity and underscoring the need for further research into intelligent malware.
Beware of these 7 new hacker tricks -- and how to protect yourself
Following the huge wave of ransomware last year, there are now increasing reports of completely new tricks used by hackers and cybercriminals to gain access to computer systems, devices, and networks. Many of these tricks exploit existing vulnerabilities in applications and operating systems, but these perpetrators are also developing completely new approaches that combine technical procedures with social engineering to achieve their goals. To recap if you're unaware: social engineering is when a malicious person exploits you through helpfulness, trust, fear, or respect in an attempt to manipulate you into doing something. Examples of social engineering include: a work email purporting to come from your boss with a payment order for a large sum to a foreign account; a WhatsApp message from someone pretending to be your relative in need of money; or a phishing email that claims to be your bank asking you to click a link with scary consequences if you don't. Here are some of the latest scams and techniques used by criminals that you need to know about--and how you can protect yourself.
North Korea and Iran using AI for hacking, Microsoft says
US adversaries -- chiefly Iran and North Korea, and to a lesser extent Russia and China -- are beginning to use generative artificial intelligence to mount or organize offensive cyber operations, Microsoft said on Wednesday. Microsoft said it detected and disrupted, in collaboration with business partner OpenAI, many threats that used or attempted to exploit AI technology they had developed. In a blogpost, the company said the techniques were "early-stage" and neither "particularly novel or unique" but that it was important to expose them publicly as US rivals leveraging large-language models to expand their ability to breach networks and conduct influence operations. Cybersecurity firms have long used machine-learning on defense, principally to detect anomalous behavior in networks. But criminals and offensive hackers use it as well, and the introduction of large-language models led by OpenAI's ChatGPT upped that game of cat-and-mouse.
How Smart Should Robots Be?
When people hear the words "social engineering," they usually think of the supposed nefarious designs of government or an opposing political party. These days, there's a general sense of social upheaval brought on by some invisible force, and we're anxious to blame someone. I can't help feeling that, to some extent, we're tilting at windmills while the real source of social engineering is in our pockets, on our laps, in a myriad of devices and soon, highly lifelike social robots for the home. The future is coming at us fast these days. In October 2023, Boston Dynamics, the robotics company that makes advanced robots that can dance better than some people, announced it had endowed Spot, its highly utilitarian doglike robot, with ChatGPT.
Spear Phishing With Large Language Models
Recent progress in artificial intelligence (AI), particularly in the domain of large language models (LLMs), has resulted in powerful and versatile dual-use systems. This intelligence can be put towards a wide variety of beneficial tasks, yet it can also be used to cause harm. This study explores one such harm by examining how LLMs can be used for spear phishing, a form of cybercrime that involves manipulating targets into divulging sensitive information. I first explore LLMs' ability to assist with the reconnaissance and message generation stages of a spear phishing attack, where I find that LLMs are capable of assisting with the email generation phase of a spear phishing attack. To explore how LLMs could potentially be harnessed to scale spear phishing campaigns, I then create unique spear phishing messages for over 600 British Members of Parliament using OpenAI's GPT-3.5 and GPT-4 models. My findings provide some evidence that these messages are not only realistic but also cost-effective, with each email costing only a fraction of a cent to generate. Next, I demonstrate how basic prompt engineering can circumvent safeguards installed in LLMs, highlighting the need for further research into robust interventions that can help prevent models from being misused. To further address these evolving risks, I explore two potential solutions: structured access schemes, such as application programming interfaces, and LLM-based defensive systems.
AI chatbots making it harder to spot phishing emails, say experts
Chatbots are taking away a key line of defence against fraudulent phishing emails by removing glaring grammatical and spelling errors, according to experts. The warning comes as policing organisation Europol issues an international advisory about the potential criminal use of ChatGPT and other "large language models". Phishing emails are a well-known weapon of cybercriminals and fool recipients into clicking on a link that downloads malicious software or tricks them into handing over personal details such as passwords or pin numbers. Half of all adults in England and Wales reported receiving a phishing email last year, according to the Office for National Statistics, while UK businesses have identified phishing attempts as the most common form of cyber-threat. However, a basic flaw in some phishing attempts -- poor spelling and grammar -- is being rectified by artificial intelligence (AI) chatbots, which can correct the errors that trip spam filters or alert human readers.
Artificial intelligence isn't that intelligent
Late last month, Australia's leading scientists, researchers and businesspeople came together for the inaugural Australian Defence Science, Technology and Research Summit (ADSTAR), hosted by the Defence Department's Science and Technology Group. In a demonstration of Australia's commitment to partnerships that would make our non-allied adversaries flinch, Chief Defence Scientist Tanya Monro was joined by representatives from each of the Five Eyes partners, as well as Japan, Singapore and South Korea. Two streams focusing on artificial intelligence were dedicated to research and applications in the defence context. A friend who works in cybersecurity asked me this. In the world of information security, social engineering is the game of manipulating people into divulging information that can be used in a cyberattack or scam.
Criminals Use Deepfake Videos to Interview for Remote Work
Security experts are on the alert for the next evolution of social engineering in business settings: deepfake employment interviews. The latest trend offers a glimpse into the future arsenal of criminals who use convincing, faked personae against business users to steal data and commit fraud. The concern comes following a new advisory this week from the FBI Internet Crime Complaint Center (IC3), which warned of increased activity from fraudsters trying to game the online interview process for remote-work positions. The advisory said that criminals are using a combination of deepfake videos and stolen personal data to misrepresent themselves and gain employment in a range of work-from-home positions that include information technology, computer programming, database maintenance, and software-related job functions. Federal law-enforcement officials said in the advisory that they've received a rash of complaints from businesses.