A new generative AI tool has emerged as a topic of conversation for all the wrong reasons — WormGPT lets malicious actors carry out sophisticated phishing and BEC attacks.
In a blog post published last week, SlashNext stated it came across WormGPT advertisements on the dark web, which enables cybercriminals with limited skills to craft convincing fake text to target individuals.
The phishing and BEC (Business Email Compromise) emails are tailored to the targets, and the texts do not contain most of the common signs of such attacks, like bad grammar or spelling errors.
The introduction of high-profile generative AI tools such as ChatGPT and Google Bard late last year grabbed global headlines. These tools can be extremely helpful with tasks that involve writing and organizing.
However, US officials and cybersecurity professionals have previously stated that criminals can leverage AI tools for online scams and to distribute malware.
Unfortunately, the surfacing of WormGPT has made these concerns all too real.
What is WormGPT?
WormGPT is a generative AI tool designed for malicious activities and is based on the GPT-J language model. It works in the same interactive manner as other prominent AI chatbots — like ChatGPT, Bard and Claude — and it offers chat memory retention and code formatting capabilities. WormGPT also supports unlimited characters.
SlashNext said that WormGPT’s authors trained it on a vast number of data sources with a strong focus on data related to malware. The authors have not disclosed the specific datasets they relied on.
WormGPT is capable of emails that are surprisingly convincing in its use of language and tricks to put pressure on victims. Since these emails have strong grammar, they can get past certain email security filters without getting flagged.
“In summary, it’s similar to ChatGPT but has no ethical boundaries or limitations. This experiment underscores the significant threat posed by generative AI technologies like WormGPT, even in the hands of novice cybercriminals,” Daniel Kelly, a reformed black hat hacker, wrote for SlashNext.
Criminals Use ‘Jailbreaks’ and Other Tricks to Manipulate ChatGPT
SlashNext’s blog post focuses on new ways in which malicious actors use AI tools for their illegal activities. A thread of a dark web forum highlights how actors can draft an email in a foreign language, translate it online, and put the text through ChatGPT with specific prompts to refine the language. The result is a far more authentic-looking email ready for a phishing or BEC attack.
Additionally, participants on these forums also sell prompts for tools such as ChatGPT that allow users to bypass security filters.
“They refer to carefully crafted inputs designed to manipulate interfaces like ChatGPT into generating output that might involve disclosing sensitive information, producing inappropriate content, or even executing harmful code. The proliferation of such practices underscores the rising challenges in maintaining AI security in the face of determined cybercriminals,” Kelly added.
How to Protect Secure Yourself From Sophisticated BEC Attacks
While BEC attacks may not have the same notoriety as phishing, they remain a dangerous tool that cybercriminals rely on. Furthermore, they can cause heavy financial losses to organizations.
The most important step to secure an organization is educating employees and staff about such attacks. Criminals can either use fake accounts or stolen credentials to make their emails seem legitimate. Therefore, it is imperative to deploy two-factor authentication on company email addresses.
Using a reliable antivirus that actively scans through emails for malicious files or other suspicious materials in real time is also a great way to stay protected. Have a look at our Bitdefender review for one of our top picks.
