Cybersecurity experts have been debating for some time whether it makes sense for cybercriminals to use machine learning to train algorithms that can generate phishing emails. After all, mass phishing emails are simple, formulaic, and have proven to be extremely effective. However, targeted phishing emails are not easy to create, and natural language processing (NLP) technologies can come in handy.
At last week's Black Hat and Defcon conferences in Las Vegas, the State Technology Agency of Singapore presented the results of a recent experiment in which they sent out targeted phishing emails to two hundred of their colleagues, both self-generated and generated by the platform. "artificial intelligence as a service" (AI-as-a-service).
Both messages contained links that were not malicious, but told researchers how many times recipients clicked on them. Imagine the surprise of the experimenters when it turned out that most often the "victims" clicked on links in messages created by AI, and not by humans. The difference in the number of clicks turned out to be quite significant.
“The researchers noted that AI must have a sufficient amount of specialized knowledge. It takes millions of dollars to train a really good model. But if you use the AI-as-a-service platform, the cost is down to a few cents, and it's also very easy to use - just type in and out. You don't even need to run the code, just enter the data and get the result. This lowers the barrier to entry for a much larger audience and increases the number of potential targets for targeted phishing. Suddenly, it turned out that every bulk email can be personalized for every recipient, ”said Eugene Lim, an information security expert at the State Technology Agency of Singapore.
Using the OpenAI GPT-3 platform and other AI-as-a-service products focused on personality analysis, the researchers created phishing emails tailored for each recipient. Machine learning, focused on personality analysis, aims to predict a person's dispositions and mentality based on data about their behavior. By running this data through several services, the researchers were able to develop a pipeline that processes and polishes emails before they are sent. According to the researchers, the results were "surprisingly human."
A source
