AI-Powered Threats: Spear Phishing


Recently we posted about what, broadly speaking, AI can do to hurt you. This is the first of two posts that get a little more specific; this post is about AI-powered spear phishing. Here is a link to the second post that gets specific.

When I first encountered email in late 1980, it was a text-only affair. A simple transfer protocol (which quickly became...more complicated), a simple text file format (which quickly became...more complicated) and a simple app to view or create simple messages (which slowly became so complicated as to terrify the meek and appall the brave).

Way back, Unix types had the mighty talk app, which split the screen and allowed us to type messages on our dumb ASCII terminals and have the responses displayed on the other half of the screen--in real time! It was miraculous. But it required coordination: you both had to be logged in at the same time, and back then users usually were logged in to get work done, not to chat, so this was terrific occasionally but mostly useless.

But email, being a store-and-forward technology, allowed us to send a message whenever was convenient for us without inconveniencing the recipient, who could pick up that message whenever was convenient for them.

Security was a non-issue: we were exchanging chunks of barely-structured text, so what was the possible harm? (Privacy was another matter entirely and perhaps will get its own post.) Sometimes, just out of boredom or necessity, I connected directly to the email service on a server and typed in messages directly, formatting them all by myself and not using an email client at all, a skill so out-of-date I have used it exactly twice in the past 47 years.

In the slightly less early days there were some real improvements: being able to "attach" a text file meant that I could send people C code which was wrong and tell them to fix it. Alas, this also worked in the other direction.

But all good things must come to an end. Ordinary people, people who were not ANSI C programmers using Unix, started using email, and ordinary people turned out to want stuff like fonts and colors and graphics; God only knows why. When the Internet became the World Wide Web, ordinary people wanted to know why the web pages were pretty but emails were not, leading some bright spark to begin the march toward the HTML-ification of email.

At this point things started getting dodgy for poor old email, because HTML has lots of cool features which can gussy up email, but all of these features come at a price. First came the advertising emails, because graphics == advertisement, but annoying as the advent of spam might have been, it was nothing compared to the advent of cyber crime. Many of the fun new things email could do have a rather dark side. Can you disguise malware as an embedded image or attached document? Oh yes, yes you can. And can you disguise evil links as benign links? You bet. Is having naive users clicking on well-disguised malevolent links a cybersecurity nightmare? A thousand times yes. This problem was compounded by the unforeseen explosion of email: back in the day, I got an email or two a week, always from people I knew--who else would have my address? I certainly could have inspected each and every one of them with an eye toward evil, carefully and completely, except that there was no reason to inspect any of them.

Now I get hundreds of emails per week, and while there is great need to inspect them, I don't have the time. I have to rely on my ISP's email servers to do some basic filtering and my (gargantuan) email client to do some pretty sophisticated filtering, because otherwise I would find email unusable.

This vast volume of emails really gave "phishing" a boost. Phishing is a cyber attack which uses innocent-seeming email to scam people. Phishing is a numbers game: I often get "alerts" from common banks which don't happen to be ones I use, from cell phone service providers I don't use, and so on. Phishing is a blunt instrument, but if you throw enough mud, at least some will stick.

If phishing is a blunt instrument, then spear phishing is a scalpel. Instead of flooding inboxes around the country or the world with emails which appear to come from common sources in the hope that some poor person will be hoodwinked, you precisely target the poor person. And not by guessing at their first name from the email address either: spear phishing uses social engineering to send you email from (apparently) someone you expect email from and containing (apparently) legitimate communication.

An early version of this was the scam based on stealing someone's email address book (now "contacts") so that you can send email of the form "Hi, Fred, this is Bill. Here is that link we were talking about." This works better than "Please click on this link to restore your Amazon Prime account" because there are plenty of people who don't have an Amazon Prime account, but using your contact list means that your contacts expect to hear from "you."
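Two of the tells described above, a link whose visible text is one URL while its href goes to a different host, and a message that claims to come from a known correspondent while routing replies to another domain, can be checked mechanically. The script below is an added example, not code from the original post; it runs against a constructed sample message (every address and URL is made up) using only Python's standard library.

```python
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for demonstration; every address and URL is made up.
RAW_EMAIL = b"""From: Bill <bill@example.com>
Reply-To: Bill <bill@example-mail.net>
Content-Type: text/html; charset=utf-8

<p>Hi Fred, here is that link we were talking about:
<a href="http://portal-login.example.net/auth">https://intranet.example.com/docs</a></p>
<p>Also see <a href="https://intranet.example.com/wiki">the wiki</a>.</p>
"""

class LinkCollector(HTMLParser):  # collects (visible text, href) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):
    # Lowercase hostname; a scheme is prepended so a bare "www.x.com" still parses.
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def disguised_links(html):
    # Anchors whose visible text is itself a URL but whose href points at another host.
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href) for text, href in parser.links
            if ("://" in text or text.startswith("www.")) and host_of(text) != host_of(href)]

def reply_to_mismatch(msg):
    # True when Reply-To would route replies to a different domain than From claims.
    from_hdr, reply_hdr = msg.get("From"), msg.get("Reply-To")
    return bool(from_hdr and reply_hdr and
                from_hdr.addresses[0].domain.lower() != reply_hdr.addresses[0].domain.lower())

def analyze(raw_bytes):
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    return {"reply_to_mismatch": reply_to_mismatch(msg),
            "disguised_links": disguised_links(body.get_content() if body else "")}
```

Both checks are heuristics: a legitimate mailing list may set Reply-To to another domain, and a tracking redirector can make a benign link look disguised, so treat hits as a reason to look closer rather than as proof.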

Spear phishing is hard work. You have to find targets, you have to figure out from whom they get email and, ideally, what the correspondents sound like in those emails. You know what would make that job much, much easier and much, much faster? An AI that could help you find your "whales" (either rich people or people who are entry points into particular companies you want to target), then help you analyze whatever messages you can gain access to, then help you write messages in the voice of those correspondents. Now you're cooking. This isn't a numbers game, this is shooting fish in a barrel.

Before AI came along, spear phishing was generally more than most cyber criminals could accomplish: it was usually the province of the intelligence community and state-sponsored bad actors. But not any more: just as any student with an Internet connection can get help with their homework from ChatGPT, so any petty crook with an Internet connection can get help crafting that email which will make you think that a colleague needs you to click on something to authorize something.

This is why cyber leaders are on the cyber attack treadmill: the race never ends and the game always changes. And for spear phishing, the behavior of your colleagues is a big part of the problem. Not sure how to manage the behavioral component of cybersecurity? Contact us: we can help.
