Catches of the Month: Phishing Scams for May 2023

Welcome to our May 2023 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over personal data.

This month, we look at another scam taking advantage of the public’s fascination with ChatGPT, another data breach at Booking.com, and another news story about blue checkmarks – but this time it’s not at the tech company you’re thinking of.

Another ChatGPT threat vector emerges

Since the emergence of ChatGPT last year, IT Governance has covered the cyber security implications it’s having in comprehensive detail.

There were stories of scammers using the AI language tool to create phishing lures, AI being used to fend off cyber attacks, Google and Microsoft incorporating machine learning in their security systems and the security risks that individuals bring to the party.

Elsewhere, there were reports that ChatGPT’s parent company, OpenAI, had breached the GDPR (General Data Protection Regulation) and had been banned in Italy, plus the subsequent reversal of that decision.

Whether ChatGPT is the future of many industries or it turns out to be a passing trend – with its capabilities overestimated by technophiles who believe that automation and mass unemployment are the keys to prosperity – one thing is for sure: it’s currently an information security nightmare.

The latest issue facing the AI landscape is a report detailing phishing campaigns masquerading as ChatGPT.

Research from the cyber security firm Check Point discovered 13,295 newly registered domains imitating OpenAI and ChatGPT. This includes the likes of:

  • chatgpt4beta.com
  • chatgptdetectors.com
  • chat-gpt-ai-pc.info
  • chat-gpt-online-pc.com
  • chat-gpt-for-windows.com

Some of these sites copy the real OpenAI’s landing page in close detail:

The bogus website (left, via Check Point) is almost indistinguishable from the genuine one.

Other lures take a different approach, pretending to offer related services. For example, one bogus site purports to offer ‘ChatGPT detectors’ that help people spot content that has been artificially generated.

According to Check Point’s data group manager, Omer Dembinsky, these scams present “two main potential problems here for enterprises”.

The first, he said, “is that employees can download malicious files and applications from those websites, and thus provide cybercriminals with an initial foothold on their corporate network.

“The second issue is that the websites mimic ChatGPT so well that employees can potentially fall for their disguise and can submit queries with sensitive corporate information to those fake websites.”

Dembinsky said that organisations must combat the risk with a combination of education and technical solutions, such as antimalware software.

Meanwhile, these threats present another reason to be cautious over the use of ChatGPT. While some people have been keen to pounce on its potential to boost productivity and farm out tasks to people without the requisite skills, human oversight is a crucial part of any organisational operation.

Booking.com scam catches out Eurovision fans

Tourists across Europe have been tricked by a scam imitating Booking.com. Over the past few weeks, prospective holidaymakers have received emails claiming that they can receive a 20% discount at any hotel in the world.

To claim the offer, they are asked to “verify” their account by clicking an attached link and providing their personal details.

Source: Trend Micro

The scam has been particularly successful targeting people travelling to Liverpool for this year’s Eurovision Song Contest.

As is often the case with such events, hotel prices skyrocket as demand increases, creating a honeypot that scammers can pounce on.

The opportunity for an apparently significant discount on hotels has led people to think that a trip is more affordable, plus it encourages them to act quickly without considering the legitimacy of the offer. 

The simplicity of this scam has made it hard for people to decipher its true nature. The email reads “Congratulations! You have a code for a 20% discount at any hotel in the world”. 

It adds: “To get the code, you need to verify your identity”, and prompts users to click a link. 

The message is displayed as a picture, which helps it avoid email detection systems that scan for words that are often used in bogus offers, such as “congratulations” or “discount”. 

Meanwhile, the email faithfully recreates Booking.com’s logo and design (although with some email clients, such as the one used in the screenshot above, users must agree to display certain images). 

This is often a sign that something suspicious is going on, because malware can be hidden inside image files and unleashed when they are downloaded.
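The evasion trick described above, putting the whole lure in a picture so that keyword filters see no text, is something a mail filter can check for directly. The following is an added example (not code from IT Governance or Trend Micro) that parses a raw MIME message and flags it when it contains images and a link but almost no visible text. The two sample messages, the `example.invalid` addresses and the `MIN_VISIBLE_TEXT` threshold are all constructed for illustration.

```python
"""Added example: flag 'image-only' lures that hide their text from keyword filters.

Everything below (sample messages, addresses, threshold) is constructed for
illustration and is not taken from the original post.
"""
import re
from email import message_from_string
from html.parser import HTMLParser

# Messages with fewer visible characters than this, plus an image and a link,
# look like the picture-based lure the post describes. Assumed threshold.
MIN_VISIBLE_TEXT = 40


class _HtmlSummary(HTMLParser):
    """Collect visible text, link targets and <img> count from an HTML part."""

    def __init__(self) -> None:
        super().__init__()
        self.text_chunks: list[str] = []
        self.links: list[str] = []
        self.images = 0
        self._skip = False  # inside <style>/<script>, which is never visible

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a" and attr.get("href"):
            self.links.append(attr["href"])
        elif tag == "img":
            self.images += 1
        elif tag in ("style", "script"):
            self._skip = True

    def handle_endtag(self, tag):
        if tag in ("style", "script"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip:
            self.text_chunks.append(data)


def analyse(raw_message: str) -> dict:
    """Walk every MIME part and summarise how much text a reader would see,
    how many images are present and which links are offered."""
    msg = message_from_string(raw_message)
    visible_chars, images, links = 0, 0, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        if ctype == "text/plain":
            visible_chars += len(payload.decode("utf-8", "replace").strip())
        elif ctype == "text/html":
            summary = _HtmlSummary()
            summary.feed(payload.decode("utf-8", "replace"))
            text = re.sub(r"\s+", " ", "".join(summary.text_chunks)).strip()
            visible_chars += len(text)
            images += summary.images
            links.extend(summary.links)
        elif ctype.startswith("image/"):
            images += 1
    return {
        "visible_text_chars": visible_chars,
        "images": images,
        "links": links,
        # The lure pattern: a picture to click, a link to follow, no words to scan.
        "image_only_lure": images > 0 and bool(links) and visible_chars < MIN_VISIBLE_TEXT,
    }


# Constructed sample: the whole "offer" is an embedded picture wrapped in a link.
SAMPLE_LURE = """\
From: "Booking.com" <promo@example.invalid>
Subject: Your 20% discount code
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://example.invalid/verify"><img src="cid:offer.png" alt=""></a>
</body></html>
--b1
Content-Type: image/png
Content-ID: <offer.png>
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVIgSU1BR0UgQllURVM=
--b1--
"""

# Constructed sample of an ordinary plain-text confirmation with no images.
SAMPLE_LEGIT = """\
From: "Hotel Reservations" <reservations@example.invalid>
Subject: Booking confirmed
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Your room for 12 May is confirmed. Check-in opens at 15:00; bring photo ID.
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(raw))
```

The check is deliberately coarse: it does not try to read the picture, it only notices that the message offers a click target while giving a text scanner nothing to work with, which is exactly the property the scammers are relying on.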

Another sign that points to the true nature of this email is the content itself. As Trend Micro observes, “real discount codes usually have certain caveats attached to them and it’s quite rare to get a discount off everything from a retailer’s range, especially such a high level discount”. 

It adds: “Coupled with the use of the word ‘congratulations’, and the exclamation mark, this all adds to the feeling of excitement the scammers are hoping to evoke as it is this feeling that could make people behave more impulsively and fall victim to their scam.”

Google implements checkmark system to thwart phishing

Blue checkmarks are a hot topic right now, but that’s not stopped Google from implementing its own verification system for Gmail.

The system works much like Twitter’s now infamous blue checkmark did under its previous ownership. Organisations can provide Google with details proving that they are who they claim to be, and any emails sent from a verified site will be accompanied by a badge.

Source: Google

The system is designed to protect against phishing scams. Fraudsters often replicate legitimate email domains to launch their malicious messages, relying on slight deviations in the address. For instance, a lowercase ‘l’ might be replaced by an uppercase ‘I’ to create ‘@paypaI.com’.

Alternatively, the crook will place the organisation’s name in the local part of the address to create something like ‘paypal@gmail.com’.

These techniques are often successful, because we rarely take a close look at the email address from which a message has come. Indeed, many email providers simply display the name of the person or company that’s sent the email, requiring recipients to actively seek out the email address itself.

Google’s blue checkmark is designed to simplify things for users. Emails from legitimate senders will be clearly marked, while the lack of a badge should be a warning sign.

Additionally, the tech giant has added a feature where hovering your cursor over the sender’s name displays the following message: “The sender of this email has verified that they own [domain name] and the logo in the profile image.”

That’s not to say that any badgeless email is a scam, though. The feature is currently only available to organisations that have adopted the BIMI (Brand Indicators for Message Identification) system, which Google started supporting in 2021.

Currently, only a handful of organisations use the system, including Apple, Amazon and LinkedIn. If the system is to be truly useful, it will require other firms to adopt it. But for the time being, it’s a useful feature that demonstrates Google’s commitment to effective information security.

Can you spot a scam?

All organisations are vulnerable to phishing, no matter their size or sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.

You can help educate your staff with IT Governance’s Phishing Staff Awareness Training Programme.

This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.