‘FraudGPT’ artificial intelligence goes online as a resource for hackers to thwart cybersecurity measures.
Attackers are using AI to craft bogus emails known as phishing, which often deceive employees to click on a link or attachment, or take another computer action harmful to an organization. Those messages may serve as hackers’ point of entry into computer networks, setting up ransomware, data breaches, or both, according to the Health Sector Cybersecurity Coordination Center (HC3), a division in the U.S. Department of Health and Human Services.
“These attacks often begin with a successful phishing attack,” said the white paper, “AI-Augmented Phishing and the Threat to the Health Sector,” published this month. “The advent of artificial intelligence has only made phishing attempts more effective, especially since those tools are freely available to the public.”
HC3 noted the AI program FraudGPT went online this year as a generative tool for crafting malware and texts for phishing emails.
It’s a dark web subscription service, $200 a month or $1,700 a year, “which makes it well within the price range of even moderately sophisticated cybercriminals,” the white paper said.
Cybersecurity firm Netenrich was one of the first to publicize FraudGPT, calling it “The Villain Avatar of ChatGPT.”
FraudGPT apparently works similarly to ChatGPT, the widely publicized program created by OpenAI that kicked off the nation’s current AI craze. Users enter prompts and FraudGPT generates the text used in the body of a phishing email, according to HC3.
The white paper included an example of an email related to an urgent financial transfer, “something that sounds important, and something that sounds time-sensitive.” The recipient opens an attached file or clicks a link, with either one activating a malicious program. Thus begins the cyberattack, likely with the victim not even knowing it’s happening.
HC3 suggested security measures to stop the attacks.
First, configure email servers to filter unwanted emails, or use a spam gateway filter to do so.
“Second, awareness training for end users is imperative,” the white paper said. “They should be trained to detect a phishing email and interact with all email with healthy skepticism.”
Phishing emails are designed to get attention and provoke a response. They could include references to or requests for:
Users should check the email addresses and domain names of senders and be cautious about emails originating outside their organization, especially if the email asks for money. Hover the cursor over links in the email to see whether the URL matches the sender’s site, and don’t download attachments or click on links unless the email has been confirmed legitimate.
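The sender-domain and link checks described above can be automated as a first-pass triage before a message ever reaches a user. The following script is an added example, not code from HC3 or the white paper: it parses a constructed sample message (the addresses, hostnames and wording are invented for illustration), compares the Reply-To and link hosts against the sender’s domain, flags links whose visible text names a different host than their actual target, and notes urgency cues of the kind the white paper describes. The two-label `registrable()` helper is a deliberate simplification of a public-suffix lookup.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the white paper): an "urgent transfer" request whose
# Reply-To points elsewhere and whose link text shows one host while the href
# resolves to another. All domains are invented.
SAMPLE_EMAIL = """\
From: "Accounts Payable" <ap@examplehealth-billing.test>
Reply-To: payments@attacker-mailbox.test
To: staff@examplehealth.test
Subject: URGENT: wire transfer needed before 5pm today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please approve the transfer immediately via the portal:</p>
<a href="http://portal.examplehealth.test.attacker-host.test/login">https://portal.examplehealth.test</a>
</body></html>
"""

# Constructed benign message for contrast: every host matches the sender's domain.
BENIGN_EMAIL = """\
From: "IT Helpdesk" <helpdesk@examplehealth.test>
To: staff@examplehealth.test
Subject: Scheduled maintenance this weekend
Content-Type: text/html; charset=utf-8

<html><body><p>Details on the intranet:
<a href="https://intranet.examplehealth.test/maintenance">https://intranet.examplehealth.test/maintenance</a>
</p></body></html>
"""

# Phrases that mark the "important and time-sensitive" framing the white paper notes.
URGENCY_TERMS = ("urgent", "immediately", "wire transfer", "before 5pm")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of_address(addr: str) -> str:
    """Return the domain part of an e-mail address, lower-cased."""
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()


def registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels (simplification:
    a real implementation should consult the public suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def analyze_message(raw: str) -> dict:
    """Parse a raw RFC 5322 message and return the sender domain, extracted links
    and a list of human-readable findings (empty when nothing looks off)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of_address(parseaddr(str(msg["From"]))[1])
    findings = []

    # Reply-To pointing at a different domain than the visible sender.
    if msg["Reply-To"]:
        rt_domain = domain_of_address(parseaddr(str(msg["Reply-To"]))[1])
        if registrable(rt_domain) != registrable(from_domain):
            findings.append(f"reply-to domain {rt_domain} differs from sender domain {from_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    extractor = LinkExtractor()
    extractor.feed(text)

    for href, visible in extractor.links:
        href_host = urlparse(href).hostname or ""
        # The "hover over the link" check: does the target host match the sender's site?
        if registrable(href_host) != registrable(from_domain):
            findings.append(f"link host {href_host} does not match sender domain {from_domain}")
        # Visible URL text that disagrees with the real target is a classic lure.
        visible_host = urlparse(visible).hostname if "://" in visible else None
        if visible_host and registrable(visible_host) != registrable(href_host):
            findings.append(f"link text shows {visible_host} but points to {href_host}")

    haystack = ((msg["Subject"] or "") + " " + text).lower()
    hits = [term for term in URGENCY_TERMS if term in haystack]
    if hits:
        findings.append("urgency cues: " + ", ".join(hits))

    return {"from_domain": from_domain, "links": extractor.links, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        result = analyze_message(raw)
        print(label, "->", result["findings"] or "no findings")
```

Run stand-alone, the script reports four findings for the constructed lure (mismatched Reply-To, off-domain link host, deceptive link text, urgency cues) and none for the benign message. In a gateway this logic would feed a score rather than a hard block, since legitimate mail from partners and cloud services routinely fails the sender-domain match on its own.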
Finally, HC3 recommends multifactor authentication to protect against stolen credentials. The U.S. Cybersecurity and Infrastructure Security Agency has published an online guide, “Implementing Phishing-Resistant MFA.”
Although worker awareness and computer network security systems may be improving, the problem is growing. Last year, the FBI’s Internet Crime Complaint Center logged more than 300,000 complaints about phishing attacks, the most reported type of attack. And health care remains a top target because of its data and money.
“Phishing is a common tactic for hackers to use against the health sector, because it often leads to data breaches, and the stolen health data has the potential to be lucrative for the attackers,” the white paper said.