AI & ChatGPT Threats and the arrival of Fleeceware
Scammers are in rare form these days, especially with arrival of mass news coverage of AI and ChatGPT. In today's blog, Todd answers questions about new scams, what are the biggest threats with AI and ChatGPT. Todd also addresses the question of using AI or ChatGPT for business purposes.
What are the biggest threats to each of us right now?
Scammers are using AI and ChatGPT as a tool to create even cheekier scams than normal!
THE ARRIVAL OF FLEECEWARE
One of the more irreverent scams is called Fleeceware, a type of mobile application (or website) that comes with excessive subscription fees you may quickly forget you’re paying. The ones oriented around these AI apps have catchy names like Genie – AI Chatbot. It can also be a website that looks like a legitimate site or uses a similar name to a trusted site to give a false sense of legitimacy.
The goal of these apps or websites is to get your to complete a sign up for a weekly/monthly subscription for what you’ll quickly find out is pretty useless.
HOW WELL DOES THE SCAM WORK?
Sophos reports that the people who publish the Genie AI Chatbot app (still available in the Apple apps store btw) are raking in $1 Million a month in subscription fees for something better, and free if you go to the source, https://openai.com/blog/chatgpt
IS THERE AN OFFICIAL OPEN AI IPHONE OR ANDROID APP FOR CHATGPT?
There is only one official app released as an iPhone app for ChatGPT and there is not one for Android, yet.
If you search the app store for ChatGPT, you’ll see dozens (maybe hundreds of apps) but only one is the official Open AI ChatGPT app. There isn’t an official app for Android yet, but there are more than a few pretenders available.
The only official app OpenAI has published, download it here for the iPhone: https://apps.apple.com/us/app/openai-chatgpt/id6448311069
SHOULD I BE SUSPICIOUS OF EMAILS RELATED TO CHATGPT?
The scams wouldn’t be complete without using the headlines to send phishing emails. The current hearings in Congress are news, and news means new subject lines for phishing emails.
There are new domain names popping up related to ChatGPT, many of which are common misspellings of legitimate domain names. BE EXTRA SUSPICIOUS of any email or text messages you receive with subjects or links related to ChatGPT. If you intend to use ChatGPT, be sure to access the service through the official OpenAI site, https://openai.com/blog/chatgpt
SHOULD I USE CHATGPT FOR BUSINESS?
For businesses, these tools bring the added risk of your employees inputting sensitive information into these tools. Your best protection is to have a policy around the use of these AI tools, similar to what you probably already have to social media usage.
If you have a legitimate business use for these AI tools, great – review their privacy policies and terms of use. You’ll have better privacy and control over your data usage is you pay for a subscription vs. using free ones.
Be sure to know how the service will use any data you give it before committing.
5 Steps To Prevent Cybercrime
You may believe that cybercrime only happens to large corporations or big businesses. However, Scott Augenbaum, retired FBI special supervisory agent, found that there are four commonalities of instances with victims. To help keep yourself off the victim list, here are five simple steps to help prevent cybercrime in your personal life and your business.
You may believe that cybercrime only happens to large corporations or big businesses. However, Scott Augenbaum, retired FBI special supervisory agent, found that there are four commonalities of instances with victims. To help keep yourself off the victim list, here are five simple steps to help prevent cybercrime in your personal life and your business.
5 STEPS TO PREVENT CYBERCRIME
STOP USING THE SAME PASSWORD FOR EVERYTHING
If you do nothing else, stop using the same password for everything, or for more than one thing. Using the same password for different accounts just hands over your password to the bad guys. Fact: Compromised credentials are used in more than 40% of data breaches. Almost all of those credentials came from other hacks where the criminals pulled down huge lists of usernames, usually email addresses, and passwords. If you use the same password for LinkedIn and your business email, and Mr. and Mrs. Criminal got a copy of the LinkedIn user database (and this has happened multiple times)… now they have access to your email. Yes, it’s that simple. Read this article from LastPass for more details on the risks: https://blog.lastpass.com/2021/09/breaking-the-cycle-of-password-reuse/
ENABLE MULTI-FACTOR AUTHENTICATION (MFA) ON AS MANY ACCOUNTS AS POSSIBLE
Enable MFA on as many accounts as possible, especially your business email account. According to Microsoft, 99.9% of BEC, Business Email Compromise instances would have been prevented if MFA was in use. The majority of cases we have been involved with didn’t have MFA enabled. It’s such a simple precaution and acts as a safety net for your passwords that do leak out.
LEARN TO RECOGNIZE PHISHING AND SOCIAL ENGINEERING SCAMS
Educating yourself and your business on these most common threats will really decrease the risk of falling victim to a phishing email. All data breach events were the result of one of two things: (A) Someone did something they should not have done, such as clicking that link in the phishing email, or using the same password multiple places, or (B) Someone didn’t do something they should have, such as updating software to close a vulnerability.
USE A PASSWORD MANAGER
Supporting bullet point #1, use a password manager to handle all of your good, secure, unique passwords.
GET CYBER INSURANCE FOR YOUR BUSINESS
Get an appropriate Cyber Insurance policy for your business. Every business should have coverage because you never know what can happen.
WILL THESE TIPS WORK?
I will guarantee you this: If you take this advice and diligently follow these 5 strategies, you will greatly reduce your risks of falling victim to all manner of cybercrime in your business or personal lives.
IS THIS ALL I NEED TO DO TO PROTECT MYSELF OR MY BUSINESS?
No. But without these foundational security strategies in place, spending all manner of money on fancy cyber tools, BCP/DR services, Intrusion Detection Systems and all the fancy buzzwords in the cyber security space, won’t yield the results you expect.
LEADING CAUSE OF CYBERCRIME
Every single breach that RealTime has been consulted on was the result of failings in these subjects. The highest leading cause of cybercrime was successful phishing attempts which provide criminals access to their business data and communications. The second leading cause was poor password hygiene, usually in the form of using the same passwords everywhere.
What are four things victims of cybercrime have in common? Read now!
4 Things Victims of Cybercrime Have in Common
Scott Augenbaum, is a retired FBI Special Supervisory Agent, author, and keynote speaker specializing in cybercrime investigations. Scott shared his experiences this week of working with the victims of cybercrime over the past 20+ years, from huge multinational businesses to mom-and-pop retail shops. These are the four things that cybercrime victims have in common.
Scott Augenbaum, is a retired FBI Special Supervisory Agent, author, and keynote speaker specializing in cybercrime investigations. Scott shared his experiences this week of working with the victims of cybercrime over the past 20+ years, from huge multinational businesses to mom-and-pop retail shops. These are the four things that cybercrime victims have in common.
No victim ever expected it to happen.
Once the bad guys break in and steal your data, the chances of Law Enforcement fixing it are about ZERO.
The bad guys won’t go to jail.
Most victims could have prevented the attack.
NO ONE EVER EXPECTS IT TO HAPPEN
Quite common and really, who expects to become a victim of crime anyway? In the online world, you are a target, usually of opportunity. We all receive phishing emails, sometimes dozens a day, so logically we’re all aware of this attack vector. Everyone should realize that a cyber event that causes data loss and service interruptions, regardless of how large or small our companies are is probable depending on your industry. While we only hear about the big guys getting breached like Target, Colonial Pipeline, Maersk, Experian, Sony, etc., understand that for every one of these headline grabbers, there are hundreds or thousands of small businesses getting successfully breached that we never hear about. If we understand that the bad guys are always looking for victims, we should admit that it’s at least a possibility and take positive steps to reduce our risks.
LAW ENFORCEMENT CANNOT FIX IT
Law enforcement cannot fix it after it happens. It’s the nature of cybercrime – most people/businesses don’t know they have become a victim until after it’s happened. No one can turn the clock back on an attack unless you planned ahead with solid, tested backups and recovery processes, practiced how your business would respond to various cyber events, and took steps to reduce the likelihood of a successful attack. This doesn’t mean don’t notify law enforcement, there are financial crimes that need to be reported immediately in order to have a chance of recovering a fraudulent transfer, for example, but that is outside the scope of this article. Your IR (Incident Response Plans) should outline your plans based on the type of cyber security event experienced.
THE BAD GUYS WILL NOT GO TO JAIL
Due to the international nature of cybercrime, it’s very rare for someone to be held accountable for a crime. Even if they do get caught, the likelihood of you being made whole because of this is next to zero.
MOST VICTIMS COULD HAVE PREVENTED THE ATTACK
With simple preventative measures, you can reduce the likelihood of becoming a victim.
ABOUT SCOTT AUGENBAUM
After joining the Federal Bureau of Investigation (FBI) in the New York Field Office in 1988 as a support employee, Scott Augenbaum became a Special Agent in 1994 and was assigned to the Syracuse, New York Office, where he worked domestic terrorism, white collar and hate crimes, and all computer crime investigations. Author of the Book: The Secret to Cybersecurity: A Simple Plan to Protect Your Family and Business From Cybercrime
Interested in Five Simple Steps to Prevent a Cyberattack? Read our tips now.
What lessons can we learn from the Colonial Pipeline ransomware event?
If your business falls victim to a ransomware attack or some other type of breach, how would your company handle recovery? In talks with business owners over the past couple of years, no one thinks too much about what recovering from an event looks like for them. At RealTime we hear “I’ll call you guys!” or “our insurance will handle it”, “our IT guy will deal with it.” Are these courses of action something to stake your business on? Let’s use a real world example happening now with Colonial Pipeline.
Blog: Todd Swartzman, RealTime Chief Information Security Officer
LET’S BEGIN AT THE END
Let’s go a bit out of order and focus on the end of these types of events, the recovery. After all, if your business falls victim to a ransomware attack or some other type of breach, eventually you will get to the recovery phase. In talks with business owners over the past couple of years, no one thinks too much about what recovering from an event looks like for them. At RealTime we hear “I’ll call you guys!” or “our insurance will handle it”, “our IT guy will deal with it.” Are these courses of action something to stake your business on? Let’s use a real world example happening now:
COLONIAL PIPELINE EVENT/RECOVERY FACTS
Event May 5, 2021
Took five days and there are still intermittent service interruptions happening.
Budget? Unlimited. This was a recover at all costs exercise.
Government help – there for the asking
Temporary lifting of regulations to help deliver product.
Colonial Pipeline paid $4.4 million in ransom within hours of the attack. They opted to pay the ransom because it was unsure of the extent of the breach. The hackers provided the company access to a decryption program following the payment, but Colonial Pipeline was not able to immediately restore operations with the tool.
HOW WOULD THIS COMPARE TO YOUR BUSINESS RECOVERY?
Do you have unlimited funding and is FedGov offering every assistance available to you?
Can you go 24x7 until it’s recovered? What about your primary business serving customers, who’s going to do that while all hands are on deck dealing with the current fire? If you have one IT guy, this isn’t realistic, even if they did have the requisite skills, and they probably don’t.
Do you assume you’ll only be down for a few days? Average time to recover a small business is about two weeks, but that can vary wildly.
CLOSING
CYBERSECURITY IS NOT JUST A TECHNICAL PROBLEM. IT’S A BUSINESS PROBLEM.
Use this as a lesson you can learn at someone else’s expense. Review your own controls, backups, response plans, insurance policy, and your budget to make sure that your plan is documented, understood, and most importantly is realistic.
CISA (Cybersecurity & Critical Infrastructure Agency) put out an alert on Best Practices for Preventing Business Disruption from Ransomware Attacks. And if you are curious, yes, Colonial Pipeline would be subject to adhering to CISA requirements as they are critical infrastructure.
Article link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
DIY Security Awareness Training
As you might imagine, RealTime fields a fair number of questions regarding cybersecurity that range from “How can we be better protected” to “I’m scared that we might be hit like that <insert business name here> was.” As part of answering this real need for our clients, RealTime is now offering an end user training program as part of our Advanced Cybersecurity Services.
By Todd Swartzman
Chief Information Security Officer
As you might imagine, RealTime fields a fair number of questions regarding cybersecurity that range from “How can we be better protected” to “I’m scared that we might be hit like that <insert business name here> was.” As part of answering this real need for our clients, RealTime is now offering an end user training program as part of our Advanced Cybersecurity Services.
But, if you aren’t a client (yet) or you’d just like to try this on your own, you can train some of the basics of cybersecurity awareness just by spending a little time online, especially Youtube. This is not intended to replace formalized training, or make you an expert. What these videos can do is help you address some of the most likely threats that the average person encounters just because they use the internet and email in the course of doing their job. These tips are excellent for anyone who just wants to reduce their risks online.
TOOLKIT FOR SMALL BUSINESS
The Global Cyber Alliance is soon releasing a toolkit for small business to better educate and protect themselves from the most common threats in an easy to understand format. RealTime has access to this content early (it will be available to the public soon) and will post about that once it becomes publicly available. For now, here is a compilation we have put together that anyone can use to be better informed and help protect from common cyber threats we all get exposed to on a daily basis at work and at home.
SECURITY AWARENESS VIDEOS
Our Chief Information Security Officer, Todd Swartzman, has watched all of the videos below and recommends taking the the four minutes or less each needed to watch the them for your DIY education.
The links are current as of August 24th, 2020.
Phishing explained with some education, by SANS - https://www.youtube.com/watch?v=sEMrBKmUTPE
How to spot a phishing email, report by Fortune Magazine - https://www.youtube.com/watch?v=jfnA7UmlZkE – best tip in this video: If the email looks suspicious, it probably is.
If you only watch one video, make it this one – An excellent video spotting phishing scams that is well worth the almost 4 minutes of your time. Loaded with realistic examples and tips - https://www.youtube.com/watch?v=0GwWTjz6txU – best tip: Think before you click.
Office 365 phishing attack types with some examples, this is not a video - https://betanews.com/2019/04/03/office-365-phishing-attacks/ Note that these threats are not unique to Office 365 email – we’ve seen attempts against all web based email systems. Just more confirmation that if something asks you to confirm credentials or enter your logon info to access an attachment – be wary! It’s better to ask questions before you click than after.
TODD’S TIP
“The best single tip that I can provide to help you avoid being hooked by phishing: Microsoft, Google, Apple, Verizon, Bank of America, SSA, IRS, and thousands of legitimate, big, public businesses just like them will NEVER, ever, send an email to you asking you to confirm your password.”
HERE ARE SOME OTHER THREATS WE FEEL EVERYONE SHOULD BE ABLE TO RECOGNIZE:
Tech support scam, by USAGov - https://www.youtube.com/watch?v=UGBLjPKSUeU – If you have older parents who use email and the internet, please ask them to watch this video! I have helped too many older, and not so older people, who have been scammed in this way, including my own parents more than once.
Tech support scams can start just as easily with a pop up on the computer telling you something bad happenned that you need to call a number… or else something bad will happen.
Spot a bad URL or Link, by Symantec - https://www.youtube.com/watch?v=YIeS7sJ_Llw
Better passwords, Local CBS news report - https://www.youtube.com/watch?v=oakITDBYElw
Better password management using a password manager. This post explains LastPass, but all the password manager applications work pretty much the same - https://lifehacker.com/the-beginners-guide-to-setting-up-lastpass-1785424440 One important detail – you want to be sure that whatever application you use has their security act together and stores the passwords properly. 1 Password,
Mobile device security from SANS Security Awareness - https://youtu.be/WEfWFA4xdd4