Phishing Kits And AI Tools Fuel Surge In Phishing Campaigns

According to zero trust security vendor Zscaler’s ThreatLabz Phishing Report, phishing campaigns worldwide rose nearly 50% in 2022, driven partly by the easy availability of phishing kits and new AI tools.

The report found that most new phishing attacks rely on stolen credentials. It also highlighted the growing threat from Adversary-in-the-Middle (AiTM) attacks, phishing pages hosted on the InterPlanetary File System (IPFS), and reliance on phishing kits and AI tools like ChatGPT, all of which contribute to the growth of phishing and significantly lower the barrier to entry for criminals.

“Recent AI technology advances like ChatGPT make it easier for threat actors to develop malicious code, generate Business Email Compromise (BEC) attacks, create polymorphic malware, and more,” the report reads.

Key Findings:

  • Education was the most targeted industry, with phishing attacks against it up 576%
  • Phishing attacks rose 47.2%
  • AI tools have significantly contributed to the growth of phishing
  • Attackers are evolving beyond SMS phishing to voicemail-related phishing (vishing) that lures victims into opening malicious attachments
  • Sophisticated Adversary-in-the-Middle (AiTM) attacks are bypassing multifactor authentication (MFA)
  • Recruitment scams targeting job seekers are becoming more common

Matt Mullins, Senior Security Researcher at Cybrary, had this to say:

   “Like clockwork, when a new tool or vector is introduced, a new influx of phishing attacks is detected in the wild. The advent of ChatGPT creating more realistic emails, as well as rapidly expediting the writing time, has removed more of the barrier to entry to get a good phish out. The bar has been lowered significantly and now individuals do not need to have a strong command of English to create a legitimate-looking email!

   “SMS phishing with voicemails being on the rise comes as no real shocker either: the advent of AI that can emulate a voice (or create a new voice entirely) has enabled the same acceleration that we saw with ChatGPT. While most people will watch funny YouTube videos where celebrities and famous individuals make snarky comments, attackers saw another opportunity in the voice emulation. Take into consideration the recently covered case where a mother was extorted for ransom money because attackers used AI to mock up her daughter’s voice, implying that they had kidnapped her. This trend of human emulation will only get worse when deepfakes and AI-powered video become more mainstream.

   “LinkedIn scams being on the rise is unfortunately linked to the job market and the economy, in my opinion. This vector isn’t very new but does a great job of harvesting information or even getting credentials. Everyone is feeling the pinch of the economy being in a poor position, and so the allure of a newer, higher-paying, more respectable role is too enticing for most folks. This phishing example, along with the AI voice example, is also an area where folks are not trained to look for phishes. This makes it ripe for attack, since individuals do not have the “muscle memory” to analyze and suspect what a phish might be.

   “Like the previous point about training and muscle memory, IPFS is something that is a newer vector for blue teams to detect. IPFS allows for file transfer via a non-standard process for enterprises and thus there will be extensive blind spots associated with this. While it is nothing new, this extra vector will more than likely create some headache for defenders as it is another detection to create for their enterprise. Strong endpoint protections and post exploitation detections will still prevent extensive damage to enterprises in the event of a successful attack using IPFS.

   “Lastly, the strategy of using AITM/MITM as an approach is also nothing new. Credential theft is a timeless strategy for APT groups, as they provide the strategic value of re-visiting those accounts when they have cooled off, access immediately for a smash-and-grab, or even the selling of credentials as an access broker. Multifactor authentication can help, but even that is being bypassed in some capacity due to the ability of an attacker to reset or change MFA in most accounts. Having the account tied to an email that is immutable by the user (especially for a corporate account) can be a first step, in that at least the user will receive notifications to their work email, notifying them of the breach. For accounts where that is not possible, sending a verification of email change or modification that must be verified by visiting a link from that email can be another step in protection. With all protections though, there is no “silver bullet”!”
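The report flags phishing pages hosted on IPFS, and Mullins notes above that IPFS is one more detection blue teams have to build. As an added example, not code from the Zscaler report, Cybrary or HYAS, the Python below scans constructed web-proxy log lines for the three URL shapes an IPFS-hosted page takes (path-style gateway URLs, subdomain-style gateway URLs and the native `ipfs://` scheme) and extracts the content identifier (CID), which stays the same whichever gateway fronts the page. The gateway list and the log format are assumptions for illustration; the match keys on the `/ipfs/<CID>` structure rather than on hostnames, so an unlisted or self-hosted gateway is still flagged.

```python
"""Flag IPFS-hosted URLs in web-proxy logs.

Added example for this article; not code from Zscaler, Cybrary or HYAS.
Assumptions: the log format (epoch user src_ip method url status) and the
gateway list are illustrative and should be adapted to your own telemetry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Public IPFS HTTP gateways frequently seen fronting phishing pages.
# Assumption: illustrative, not exhaustive.
KNOWN_GATEWAYS = (
    "ipfs.io",
    "dweb.link",
    "cloudflare-ipfs.com",
    "gateway.pinata.cloud",
    "w3s.link",
    "nftstorage.link",
)

# The content identifier (CID) is the stable part of any IPFS URL, whichever
# gateway serves it. CIDv0 is "Qm" plus 44 base58btc characters; CIDv1 as
# written in URLs is lower-case base32 starting with "b" (commonly "bafy").
CID = r"(?P<cid>Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{50,})"

# Path style:      https://<gateway>/ipfs/<cid>/...
PATH_STYLE = re.compile(rf"https?://(?P<host>[^/\s]+)/ipfs/{CID}(?=[/\s?#]|$)")
# Subdomain style: https://<cid>.ipfs.<gateway>/...
SUBDOMAIN_STYLE = re.compile(rf"https?://{CID}\.ipfs\.(?P<host>[^/\s]+)")
# Native scheme, occasionally pasted into email bodies: ipfs://<cid>/...
NATIVE_STYLE = re.compile(rf"ipfs://{CID}(?=[/\s?#]|$)")


@dataclass
class IpfsHit:
    line_no: int
    user: str
    url: str
    cid: str
    gateway: str          # empty for ipfs:// references
    known_gateway: bool


def is_known_gateway(host: str) -> bool:
    """True if host is, or is a subdomain of, a listed public gateway."""
    host = host.lower().rstrip(".")
    return any(host == g or host.endswith("." + g) for g in KNOWN_GATEWAYS)


def extract_ipfs_ref(text: str) -> Optional[Tuple[str, str]]:
    """Return (cid, gateway_host) for the first IPFS reference in text, else None."""
    for pattern in (SUBDOMAIN_STYLE, PATH_STYLE):
        m = pattern.search(text)
        if m:
            return m.group("cid"), m.group("host").lower()
    m = NATIVE_STYLE.search(text)
    if m:
        return m.group("cid"), ""
    return None


def find_ipfs_hits(log_text: str) -> List[IpfsHit]:
    """Scan proxy log lines and return one hit per line that references IPFS."""
    hits: List[IpfsHit] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        ref = extract_ipfs_ref(line)
        if ref is None:
            continue
        cid, gateway = ref
        fields = line.split()
        # Constructed format: <epoch> <user> <src_ip> <method> <url> <status>
        user = fields[1] if len(fields) > 1 else "?"
        url = next((f for f in fields if "://" in f), line)
        hits.append(IpfsHit(line_no, user, url, cid, gateway, is_known_gateway(gateway)))
    return hits


# Constructed sample: two gateway styles, one benign URL that merely mentions
# "ipfs", and one /ipfs/ path that carries no valid CID (must not be flagged).
SAMPLE_LOG = """\
1683000001.123 alice 10.0.0.5 GET https://ipfs.io/ipfs/QmT78zSuBmuS4z925WZfrqQ1qHaJ56DQaTfyMUF7F8ff5o/login.html 200
1683000002.456 bob 10.0.0.6 GET https://bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi.ipfs.dweb.link/index.html 200
1683000003.789 carol 10.0.0.7 GET https://www.example.com/ipfs-explained 200
1683000004.012 dave 10.0.0.8 GET https://gateway.pinata.cloud/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG 200
1683000005.345 erin 10.0.0.9 GET https://docs.example.org/ipfs/QmNotARealCid/readme 200
"""

if __name__ == "__main__":
    for hit in find_ipfs_hits(SAMPLE_LOG):
        tag = "known-gateway" if hit.known_gateway else "unlisted-gateway"
        print(f"line {hit.line_no}: user={hit.user} cid={hit.cid} gateway={hit.gateway or '-'} [{tag}]")
```

Pivoting alerts on the CID rather than the hostname lets one phishing page be tracked as the same object when the kit rotates between gateways, and the "unlisted-gateway" tag is the case Mullins warns about: a gateway your proxy has never seen before still produces a hit because the URL structure, not a blocklist, drives the match.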

Dave Ratner, CEO of HYAS, adds this comment:

“We see phishing attacks growing in both number and efficacy, driven in part by new phishing kits and AI tools, and still believe that the best defense is a Protective DNS solution. Bad actors will become increasingly effective at sneaking past existing filters and tricking the targeted individuals, but a Protective DNS solution that knows good domains from bad will act as a backstop and ensure that people don’t fall for the phishing attacks by blocking the connections to nefarious websites, domains, and adversary infrastructure.”

This report should be considered required reading for those defending against these sorts of attacks: the threat landscape has clearly changed, and adjustments need to be made to stay ahead of the attacks headed your way.
