Check Point Blog

From Phish to Phish Phishing: How Email Scams Got Smart


One Phish, Two Phish, Spy Phish, AI Phish: How Email Scams Got Smart

If only things were this easy.

There’s never been a time when phishing was good, but there was certainly a time when phishing seemed quaint.

Back in the 1990s, and even up until the last few years, phishing as a concept was marked more by comical errors than it was by pure evil.

We’ve seen them all. The ALL CAPS subject lines. The grammar, or lack thereof. The horrible spoof jobs.

You may have gotten these emails in the 1990s. You may have gotten these emails in the last few months.

Take the Nigerian Prince scam. Yes, it’s still alive. In fact, in 2018, Americans lost over $700,000 to the scam. (We didn’t say that phishing wasn’t successful, just simpler.)

In 2021, our researchers found this classic Nigerian Prince Scam:

This is pretty standard: they all involve some “investment opportunity”. This attack hinges on a missing ATM card that somehow has millions of dollars on it.

Or take a look at this attack, also from 2021:

There are so many grammar mistakes here, as well as an implausible scenario.

Here’s one from 2022:

In addition to the grammar, the sender address doesn’t match, and the image is grainy.

These emails certainly cause people to fall victim. But they aren’t complex in terms of structure.

But then AI came around.

ChatGPT did many things—made AI somewhat more understandable, thrust it into the public consciousness.

And it instantly cleaned up the spelling and grammar errors from hackers.

Not only that, but it also made phishing a whole lot easier to create, and it produced much more intricate attacks.

It’s easy to bypass ChatGPT to write malware. No code needed. Check Point Researchers have uncovered plenty of examples of hackers finding ways around AI safeguards:

Get the right prompt and magic can happen:

This is producing very complex attacks. Take this QR Code attack we blocked a few months ago.

Seems pretty standard to start:

This email starts as a straightforward QR code-based phishing attack. The ask is to look at the annual 401K contribution statement by scanning the QR code. It will give you your account balance for the year.

What’s neat, and concerning, about this attack is what happens next.

The QR Code has a conditional destination point, based on browser, device, screen size and more. Depending on the parameters, the QR code would direct to a different page.

The link in the email is always the same:

However, depending on the destination, the result changes:

Essentially, there are four layers of obfuscation. One is the QR code itself. The URL embedded within the QR code looks like it’s going to a domain of Apple’s, but is instead redirected elsewhere. Then there’s a blind redirect to another domain. That domain has automatic checks to see if you are coming from a browser or a scanning engine, and would redirect accordingly.

There’s also a payload in there that has anti-reverse engineering techniques so that if you try to de-obfuscate it, it would consume infinite resources.
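For defenders, the redirect layers described above leave measurable traces when the same QR-decoded URL is followed under several client profiles. The following is an added example, not Check Point's code: the hostnames, profile names and function names are assumptions, and the chains are constructed sample data rather than captures from this campaign.

```python
from urllib.parse import urlsplit

# Constructed sample: redirect chains recorded when the URL decoded from one QR
# code was fetched under three client profiles. All hosts are placeholders.
ENTRY = "https://brand.example/go?u=Zm9v"
OBSERVED_CHAINS = {
    "mobile_browser": [ENTRY, "https://hop.example.net/r/1",
                       "https://signin.example.org/401k"],
    "desktop_browser": [ENTRY, "https://hop.example.net/r/1",
                        "https://signin.example.org/401k-desktop"],
    "mail_scanner": [ENTRY, "https://hop.example.net/r/1",
                     "https://harmless.example.com/"],
}


def host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def domain_changes(chain):
    """Count hops where the hostname differs from the previous hop."""
    hosts = [host(u) for u in chain]
    return sum(1 for a, b in zip(hosts, hosts[1:]) if a != b)


def analyze(chains, scanner_profiles=("mail_scanner",)):
    """Summarise the redirect indicators described in the article."""
    finals = {p: c[-1] for p, c in chains.items()}
    final_hosts = {p: host(u) for p, u in finals.items()}
    scanner_hosts = {final_hosts[p] for p in scanner_profiles if p in final_hosts}
    user_hosts = {h for p, h in final_hosts.items() if p not in scanner_profiles}
    return {
        # The host visible in the QR URL is not where any client ends up.
        "entry_host_abandoned": all(host(c[0]) != host(c[-1]) for c in chains.values()),
        # Blind redirects: most cross-host hops seen in any single chain.
        "max_domain_changes": max(domain_changes(c) for c in chains.values()),
        # Same link, different landing URL depending on client parameters.
        "conditional_destination": len(set(finals.values())) > 1,
        # Scanning engines land on a different host than people do.
        "scanner_cloaking": bool(scanner_hosts) and scanner_hosts.isdisjoint(user_hosts),
        "final_hosts": final_hosts,
    }


if __name__ == "__main__":
    for key, value in analyze(OBSERVED_CHAINS).items():
        print(f"{key}: {value}")
```

Hostnames are compared whole here; comparing registrable domains instead would need the Public Suffix List.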

What The Future Holds

ChatGPT will get better. Hackers will get more effective at using it.

In short, malicious emails will become easier to create and more difficult to stop.

The Nigerian Prince Scam may never go away, but now it will be better written and more plausible. And malicious code and payloads can be inserted at the drop of a hat.

Phishing continues to skyrocket and become the dominant attack vector worldwide.

Now, it’ll lead to an arms race between defenders and attackers. Here’s what this AI arms race might entail:

The AI future is both exciting and scary. The pace of innovation is unlike anything we’ve ever seen. Will the future be good or bad?

That, unfortunately, we don’t know yet. But what we do know is that it will be more fierce.