Hackers Work Around ChatGPT Malicious Content Restrictions to Create Phishing Email Content

Active discussions in hacker forums on the dark web show how a combination of the OpenAI API and an automated bot on the Telegram messenger platform can be used to create malicious emails.

It’s good that, from the start, the creators of ChatGPT put in content restrictions to keep the popular AI tool from being used for evil purposes. Any request to blatantly write an email or create code that will be misused to victimize another person is met with an “I’m sorry, I can’t generate <content requested>” response.

I wrote previously about ways ChatGPT could be misused – as long as the intent for the generated content isn’t divulged to the AI engine. New research from Checkpoint shows a number of examples of dark web discussions about how to bypass the restrictions intended to keep threat actors from using ChatGPT.

In essence, a hacker has created a bot that works within the messenger service Telegram to automate the writing of maliciously intended emails and malware code.

Source: Checkpoint

Apparently, the API the Telegram bot uses is not subject to the same restrictions as direct interaction with ChatGPT. The hacker has gone as far as to establish a business model, charging $5.50 for every 100 queries, making it inexpensive and easy for anyone wanting a well-written phishing email or a base piece of malware.

This only means more players can get into the game without the barrier of needing to know how to write well or to code. It also means employees need to be far more vigilant than ever before – something taught with continual Security Awareness Training – scrutinizing every email to be absolutely certain that the content, sender, and intent are legitimate before ever interacting with it.


Spear Phishing Attacks Increase 127% as Use of Impersonation Skyrockets

Impersonation of users, domains, and brands is on the rise, as is the use of malicious links, in response to security vendors improving their ability to detect malicious attachments.

I talk often about the back-and-forth that exists between cybercriminal groups and security vendors. Security solutions improve their detection capabilities, and threat actors work tirelessly to find new ways to evade detection. New data found in GreatHorn’s 2023 State of Email Security report shows that this is exactly what’s been happening in the last 12 months. Let me paint the picture for you – according to the report, in 2022:

  • Microsoft and Google improved their attachment scanning capabilities
  • Spear phishing increased 127%, focusing specific scam themes on specific targets
  • Executive impersonation jumped 344%, making the attack seem to come from a trusted source
  • 43% of all potentially dangerous emails are now impersonation emails
  • All of the top 20 malicious links used were hosted on compromised domains with positive reputation scores, bypassing native scanning controls such as those used by various Google services

In essence, cybercriminals now realize they can’t really use malicious attachments, so they need to find a balance between great social engineering against targeted victims, the use of impersonation, and the use of legitimate sites to host the malicious payload in order to achieve this next evolution of attacks.

According to GreatHorn, most attacks take between 1 and 4 steps to get the victim user to interact with the malicious payload.

[Graph showing the number of steps it takes users to reach the malicious payload]

Source: GreatHorn

This means you have a bunch of users that unwittingly follow a set of unusual and unnecessary clicks that they should know better than to follow – something they learn very quickly if they are enrolled in new school Security Awareness Training. Attackers will continue to evolve their craft, so your users need to stay up-to-date on the latest attacks.


Be Wary of Survey Scams

Online surveys are too often scams designed to steal personal or financial information, warns Phil Muncaster at ESET. Muncaster explains that these surveys are usually distributed via phishing or by ads on websites, impersonating trusted brands and offering phony rewards:

  • “The scam often begins with an unsolicited email or text/message likely spammed out to countless other victims. This is basically a phishing message designed to lure the recipient into participating by clicking through.
  • “It often features a well-known brand to add a sense of legitimacy and encourage the victim to participate. In December 2022, a popular survey scam abused the brand of chocolate-maker Cadbury to do this – promising recipients the chance to win ‘an exclusive Christmas Chocolate Magic Basket’ if they took a short quiz.
  • “The scam may feature a thematic lure – such as the Christmas Cadbury one, or the supposed ‘40th anniversary’ of wholesaler Costco which was used in a June 2022 campaign in South America.”

These scams can cause varying degrees of damage. Many are focused on collecting information, and others attempt to trick the user into installing malware or transferring money. Muncaster offers the following recommendations to help users avoid falling for these scams.

  • “Look out for any offers that seem too good to be true. It could be a large cash prize for just a few minutes’ work, or an expensive gift.
  • “Watch out for typos or poor grammar – it could be a sign that things aren’t quite right.
  • “Shortened URLs might also indicate fraud.
  • “Time-limited offers are another way for scammers to turn up the pressure on their victims.
  • “Some senders may be vague about who’s running the survey – with no ‘contact us’ link to follow.
  • “If the sender uses a free webmail account, then the survey is likely to be a scam.”

It’s worth noting that such scam surveys represent a business as well as a personal risk. Many of them are cast as business-to-business surveys to take the temperature of a market, or to gauge the climate of opinion among customers. New-school security awareness training can enable your employees to thwart social engineering attacks.


[Scam Of The Week] The Turkey-Syria Earthquake

Just when you think they cannot sink any lower, criminal internet scum is now exploiting the recent earthquake in Turkey and Syria.

Less than 24 hours after two massive earthquakes claimed the lives of thousands of people, cybercrooks are already piggybacking on the horrible humanitarian crisis. You need to alert your employees, friends and family… again.

Just one example is scammers who pose as representatives of a Ukrainian charity foundation seeking money to help those affected by the natural disasters that struck in the early hours of Monday.

There is going to be a raft of scams, varying from blood drives to pleas for charitable contributions for victims and their families. Unfortunately, this type of scam is the worst kind of phishbait, and it is a very good idea to inoculate people before they get suckered into falling for a scam like this. I suggest you send the following short alert to as many people as you can.

[ALERT] “Lowlife internet scum is trying to benefit from the Turkey-Syria earthquake. The first phishing campaigns have already been sent and more will be coming that try to trick you into clicking on a variety of links about blood drives, charitable donations, or “exclusive” videos. Don’t let them shock you into clicking on anything, or open possibly dangerous attachments you did not ask for!

Anything you receive about this recent earthquake, be very suspicious. With this topic, think three times before you click. It is very possible that it is a scam, even though it might look legit or was forwarded to you by a friend — be especially careful when it seems to come from someone you know through email, a text or social media postings because their account may be hacked.

In case you want to donate to charity, go to your usual charity by typing their name in the address bar of your browser and do not click on a link in any email. Remember, these precautions are just as important at the house as in the office, and tell your friends and family.”

It is unfortunate that we continue to have to warn against the bad guys on the internet who use these tragedies for their own benefit. For KnowBe4 customers, we will soon have a few templates on this topic under Current Events. It’s a good idea to send one to your users this week.


Initial Access Brokers Leverage Legitimate Google Ads to Gain Malicious Access

A threat actor tracked as DEV-0569 appears to be using a combination of Google Ads and impersonated websites to compromise credentials and distribute malware to gain network access.

These days there is plenty of talk about Initial Access Brokers, but often little is known about their specific actions beyond the resulting access to networks, and it is assumed that they use the same tactics and techniques as the cybercriminals responsible for an entire attack.

According to recent Twitter posts from cybersecurity researchers like Germán Fernández, DEV-0569 is using Google ads to infect victim machines.

According to Bleeping Computer, the ads are for software titles including LightShot, Rufus, 7-Zip, FileZilla, LibreOffice, AnyDesk, Awesome Miner, TradingView, WinRAR, and VLC.

Source: Bleeping Computer

These ads take victims to a lookalike website where the desired tool (read: malware) can be downloaded and installed. In the end, DEV-0569 establishes a foothold on an endpoint within a victim organization, and that access is sold on the dark web.

The use of ads is a smart use of social engineering. When’s the last time you assumed a Google ad was not only illegitimate, but malicious? Right… never.

This kind of simple innovation is why organizations – including and especially members of IT – need to undergo continual Security Awareness Training that keeps them up to date on the latest social engineering tactics and phishing scams. The alternative is that, eventually, one of these malicious methods is going to fool just the right person within your organization.


Yahoo Suddenly Rises in Popularity in Q4 to Become the Most Impersonated Brand in Phishing Attacks

After being completely absent from the top 10 brands for more than two years, Yahoo’s sudden rise in impersonation may indicate that scammers are looking for new attack angles using lesser-used brands.

Yes, of course, Yahoo is anything but insignificant. With revenues topping $8 billion, the search engine giant is still quite relevant today. But in the world of phishing attacks that impersonate a major brand, Yahoo was down near 24th place. That is, until last quarter, when, according to CheckPoint’s security analysts, Yahoo jumped up 23 places to top the list of the Top 10 Impersonated Brands in Q4 of 2022.

Surpassing brands we’ve become accustomed to seeing in the top 5, such as Microsoft, DHL, LinkedIn, Google, and Amazon, Yahoo was previously an impersonation afterthought. But its popularity last quarter indicates a resurgence in its use as a known and trusted brand that can give scammers just enough credibility to see their phishing attacks succeed.

Offering awards and significant amounts of money, according to CheckPoint, the Yahoo-themed phishing scams sought to trick victims into giving up personal information – including Yahoo credentials.

The use of Yahoo’s brand says a few things about the state of phishing attacks. First, you only need a widely known brand – in essence, any known brand – to launch an impersonation scam. Second, we can only assume the attackers are seeing material success to jump 23 places. Third, with lots of impersonated brands representing companies that organizations like yours do business with (e.g., DHL, UPS, banks, etc.), users need to be educated through Security Awareness Training that just because you no longer see the impersonation equivalent of the age-old “Nigerian Prince” scam doesn’t mean it can’t pop up in an inbox today.


Travel-Themed Phishing Attacks Lure Victims with Promises of Free Tickets, Points, and Exclusive Deals

New analysis of December and January emails shows massive spikes in attacks aimed at stealing personal information and credit cards under the guise of once-in-a-lifetime travel deals.

Who wouldn’t want a free airline ticket, or a ton of frequent flyer points in exchange for little-to-no effort? That’s exactly the sentiment attackers are going for, according to new analysis by email security vendor BitDefender’s Antispam Lab. Nearly 10% of all spam was travel themed within the timeframe of December 20th through January 10th, with a little more than half (53%) of it targeting the United States.

Many of these scams focus on credential theft. According to the findings, travel rewards programs and gift cards are the most commonly used subjects, because the personal details held within those programs (birthdates, social security numbers, etc.) can be monetized by selling them on the dark web.

BitDefender offered up a few examples of these emails – notice how legitimate they look:

Source: BitDefender

Source: BitDefender

As we see travel return to pre-pandemic levels, mixed with an increase in fuel surcharges and flight prices, the opportunity to trick someone with the “too good to be true” deal is alive and well with scammers.


Russian and Iranian Spear Phishing Campaigns are Running Rampant in the UK

The UK’s National Cyber Security Centre (NCSC) has described two separate spear phishing campaigns launched by Russia’s SEABORGIUM threat actor and Iran’s TA453 (also known as Charming Kitten). The NCSC says both threat actors have targeted entities in the UK, including “academia, defence, governmental organisations, NGOs, think-tanks, as well as politicians, journalists, and activists.”

The threat actors first conduct reconnaissance on their targets by researching social media and other open-source information. After this, they’ll make contact under the guise of a journalist, colleague, or someone else the victim would be likely to respond to.

“Having taken the time to research their targets’ interests and contacts to create a believable approach, SEABORGIUM and TA453 now start to build trust,” the report says. “They often begin by establishing benign contact on a topic they hope will engage their targets. There is often some correspondence between attacker and target, sometimes over an extended period, as the attacker builds rapport.”

The threat actors then send the victim a link disguised as something related to their previous conversations.

“Once trust is established, the attacker uses typical phishing tradecraft and shares a link, apparently to a document or website of interest,” the NCSC says. “This leads the target to an actor-controlled server, prompting the target to enter account credentials. The malicious link may be a URL in an email message, or the actor may embed a link in a document on OneDrive, GoogleDrive, or other file-sharing platforms.

TA453 has even shared malicious links disguised as Zoom meeting URLs, and in one case, even set up a Zoom call with the target to share the malicious URL in the chat bar during the call. Industry partners have also reported the use of multi-persona impersonation (use of two or more actor-controlled personas on a spear-phishing thread) to add the appearance of legitimacy.”

New-school security awareness training can enable your employees to follow security best practices so they can thwart targeted phishing attacks.


Phishing Campaign Impersonates Japanese Rail Company

Researchers at Safeguard Cyber describe a phishing campaign that’s posing as a Japanese rail ticket reservation company.

“The phishing campaign impersonates Ekinet, a Japanese based organization that is used to reserve train tickets,” the researchers write. “The campaign attempts to lure victims to a malicious website and then makes them input their credit card or other personal information. The Council of Anti-Phishing in Japan released an alert earlier in 2022 detailing potential scams using Ekinet. From the emails we have seen, the text is usually always in Japanese and recently an email was reported in a United States based organization’s inbox.”

A Japanese university was among the organizations targeted by this campaign. The attackers used several different email templates.

“It was reported by the Information Technology Center, The University of Electro-Communications in Japan that there were multiple different emails from this campaign that have been sent to their campus on December 6, 2022, but they are all from the same sender,” the researchers write.

The emails are written in Japanese, but were sent to organizations around the world. The attackers informed victims that their accounts would be shut down if they didn’t click the verification link in the email.

“The messaging is in Japanese and attempts to lure victims into clicking on a malicious URL that is then used to store credit card information or other personal information should the victim fall for the scam,” the researchers write. “The premise of the email that was detected in a customer’s inbox was to lure the victim into clicking on a URL that would redirect them to a phishing site by stating their account would be terminated if they did not verify their login.”

New-school security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for phishing and other social engineering attacks.


New QR Code Phishing Campaign is Impersonating the Chinese Ministry of Finance

Researchers at Fortinet warn that a phishing campaign is impersonating the Chinese Ministry of Finance. The phishing emails contain a document with a QR code that leads to a credential-harvesting site.

“A QR code requires an application to read and translate it into something actionable,” the researchers write. “Most mobile phones have this functionality through their camera, and software packages are available on all major platforms to do this from a computer. In each of the examples FortiGuard Labs found, the QR code contained in the Microsoft Word attachments provided a URL for the user to follow. When the user does this using their desktop platform or mobile device, they arrive at a website controlled by the threat actor.”

The QR code leads to a phony version of the Chinese business communication app DingTalk.

“It is a spoofed facsimile of a DingTalk instance (it should be noted that as of the publication date, this site is now offline),” Fortinet says. “DingTalk is a broadly used enterprise communication platform developed by Alibaba Group. Given the reach of the platform and its large number of users, credentials for it would be valuable. The user is directed to a pop-up message box that suggests their DingTalk account has committed some unspecified business violation(s) and that it will be frozen without verification in 24 hours. After acknowledging the message box, the user is invited to enter their credentials to address the issue.”

Fortinet concludes that users can avoid falling for these attacks by following security best practices.

“These attacks will undoubtedly be prevalent for some time,” the researchers write. “Users are cautioned to verify emails, not open attachments or links, and never enter credentials into a site they have not seen before. Rather than using a received link, users are encouraged to go to the known main site of the vendor to conduct any business. Users can also hover over a link to look for an unusual URL. Organizations are also encouraged to provide training to users to help them identify and avoid malicious email attachments and links.”
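As an added example (not code from any vendor quoted in this newsletter), the following Python script turns several of the red flags above into a simple email check: the free-webmail sender, shortened URL and missing “contact us” link from the ESET survey-scam list, the 24-hour account-freeze pressure used in the DingTalk lure, and Fortinet’s advice to compare a link’s visible text with where it actually points. The indicator lists and the sample message are constructed for illustration and would need tuning before real use.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed indicator lists based on the ESET/Fortinet advice; not a vendor's rules.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
PRESSURE = ("within 24 hours", "will be frozen", "will be terminated", "act now")
DOMAIN_LIKE = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.I)

class _Links(HTMLParser):
    # Collects (href, visible text) pairs for every <a> in an HTML body.
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(s):
    """Lowercased hostname of a URL or bare domain string ('' if none)."""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def score_email(raw):
    """Return the set of indicator names triggered by one raw single-part message."""
    msg = message_from_string(raw)
    hits = set()
    sender = parseaddr(msg.get("From", ""))[1]
    if sender.rpartition("@")[2].lower() in FREE_WEBMAIL:
        hits.add("free-webmail-sender")      # ESET: sender uses a free webmail account
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    if any(p in body.lower() for p in PRESSURE):
        hits.add("pressure-language")        # ESET: time limits; DingTalk: 24-hour freeze
    links = _Links()
    links.feed(body)
    for href, text in links.pairs:
        if _host(href) in SHORTENERS:
            hits.add("url-shortener")        # ESET: shortened URLs may indicate fraud
        if DOMAIN_LIKE.match(text) and _host(text) != _host(href):
            hits.add("link-text-mismatch")   # Fortinet: hovering reveals an unusual URL
    if not any("contact" in t.lower() for _, t in links.pairs):
        hits.add("no-contact-link")          # ESET: vague about who is running the survey
    return hits

# Constructed sample phishing message (not a real campaign artifact).
SAMPLE = """From: "Prize Desk" <prize.desk.2022@gmail.com>
Content-Type: text/html; charset="utf-8"

<p>Complete a short quiz within 24 hours to claim your prize.</p>
<p><a href="https://bit.ly/constructed-sample">https://rewards.example.com/survey</a></p>
"""
```

Running `score_email(SAMPLE)` flags all five indicators; a message from a corporate sender whose link text matches its href, with a “Contact us” link and no deadline language, returns an empty set.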