
Crooks don't need ChatGPT to social-engineer victims, as they're more than happy to demonstrate

Not today, AI

RSA Conference 2023 Crooks are becoming more and more adept at using social engineering to hoodwink corporate executives into unwittingly helping the fiends break into organizations' networks — and it's not because the miscreants are using ChatGPT, according to folks at Kaspersky.

"Social engineering as a means of getting a foothold into a target organization, or compromising an individual's device is something we noticed in Q1 that was quite interesting," Dan Demeter, a senior security researcher at Kaspersky, told The Register in an interview at the RSA Conference this week.

"Attackers, most of the time, are relying on malware and everything is behind the scene: when you send a malicious payload, you use an exploit, these things usually happen without user interaction," he said.

Social engineering, on the other hand, requires the crook to interact with their victim, in real or near-real time, to build a relationship and establish trust. The ultimate goal is to fool or persuade the mark into doing something they shouldn't, such as granting the fraudster access to accounts and data that don't belong to them.

And while attackers could use ChatGPT to write convincing messages or translate their lures into the victims' native language — essentially using the chatbot to write a message that sounds closer to the native tongue than what Google Translate can produce — "it's not a matter of ChatGPT or AI in this case," Demeter said. "It's a matter of attackers learning to be sneakier and more complex."


By studying the way their victims communicate, both internally among themselves and with external partners and customers, intruders can learn how to mimic or impersonate coworkers and clients, use the right jargon, and thus more successfully trick staff into handing over credentials, access rights, or even money via wire transfers. Plus they're getting good at copying corporate email templates and signatures to make messages appear authentic and believable, he added.

This may seem obvious but you might be surprised by the capabilities of common or garden internet criminals. The bar isn't high, from what we can tell, though some are getting quite good at scamming and swindling marks.

"Social engineering, when it is done well, requires a long time of observation and intelligence collection to understand the social connections in order to craft the initial attacks as best as possible," said Marco Preuss, deputy director of Kaspersky's Global Research and Analysis Team.

"Exploits, vulnerabilities, they are ordinary," Preuss continued. "But sophisticated social engineering is something you don't find every day." 

And again, no need for any fancy AI: crims are more than capable of scamming people by themselves.

Plenty of ordinary business being done

The threat researchers on Thursday published their latest quarterly summary of advanced persistent threat (APT) trends with this one focused on activities the team spotted during the first quarter of 2023.

In addition to seeing an uptick in convincing social engineering lures, the security researchers also discovered new implants, and a possible false-flag attack — or just better cooperation between Russian-speaking miscreants. An implant is a fancy word for malware someone secretly installs in a compromised network, allowing that intruder to carry out whatever nefarious activities they have planned.

The potential false-flag discovery came while the Kaspersky team investigated possible Turla activity. Turla is a Russia-based crew, and the investigation led Kaspersky to uncover the TunnusSched backdoor (aka QUIETCANARY) being delivered from a Tomiris implant.

"Having tracked Tomiris since 2021, we believe, with medium-to-high confidence, that it is distinct from Turla," the Global Research and Analysis Team said in its Q1 report. "So, we think that either Tomiris is conducting false-flag attacks implicating Turla, or (more likely) that Turla and Tomiris co-operate."

Other threats uncovered included an implant written in Rust, dubbed JLORAT, which is being used by Tomiris — this is a Russian-speaking group Kaspersky has tracked since September 2021. 

The use of newer programming languages like Go and Rust is another emerging trend that Demeter highlighted as a means to help threat actors obscure not only their malware but also their identity, making it more difficult for researchers to attribute attacks and for law enforcement to have much of a chance. This is because the crooks rely on reverse engineers not being able to analyze Go and Rust-built binaries as well as they can pull apart executables built from longer-standing languages, such as C.

"They want to avoid identifying their operations, so jumping to other languages adds more layers of complexity and sophistication to operations," he explained.

The research team also spotted a new in-memory implant, called TargetPlug, that Chinese-speaking attackers are using to target game developers in South Korea.

"Further analysis revealed that the malware is signed with valid certificates and appears to have a connection to the threat actor Winnti, a connection established through several overlaps such as shared infrastructure, code signing and victimology," the report says. ®
