AI girlfriends want to know all about you. So might ChatGPT (Lock and Code S05E17)
This week on the Lock and Code podcast…
Somewhere out there is a romantic AI chatbot that wants to know everything about you. But in a revealing overlap, other AI tools—which are developed and popularized by far larger companies in technology—could crave the very same thing.
For AI tools of any type, our data is key.
In the nearly two years since OpenAI unveiled ChatGPT to the public, the biggest names in technology have raced to compete. Meta announced Llama. Google revealed Gemini. And Microsoft debuted Copilot.
All these AI features function in similar ways: After having been trained on mountains of text, videos, images, and more, these tools answer users’ questions in immediate and contextually relevant ways. Perhaps that means taking a popular recipe and making it vegetarian friendly. Or maybe that involves developing a workout routine for someone who is recovering from a new knee injury.
Whatever the ask, the more data that an AI tool has already digested, the better it can deliver answers.
Interestingly, romantic AI chatbots operate in almost the same way, as the more information that a user gives about themselves, the more intimate and personal the AI chatbot’s responses can appear.
But where any part of our online world demands more data, questions around privacy arise.
Today, on the Lock and Code podcast with host David Ruiz, we speak with Zoë MacDonald, content creator for Privacy Not Included at Mozilla about romantic AI tools and how users can protect their privacy from ChatGPT and other AI chatbots.
When in doubt, MacDonald said, stick to a simple rule:
“I would suggest that people don’t share their personal information with an AI chatbot.”
Tune in today to listen to the full conversation.
Show notes and credits:
Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)
Critical SonicWall SSLVPN bug exploited in ransomware attacks
Ransomware affiliates exploit a critical security vulnerability in SonicWall SonicOS firewall devices to breach victims’ networks.
Operation Uncle Scam – AI-Powered Phishing Attack Steals Microsoft Dynamics 365 Credentials
Security researchers at Perception Point have uncovered a sophisticated phishing campaign, dubbed “Uncle Scam.” In this AI-powered campaign, threat actors impersonate U.S. government agencies to send fraudulent tender invitations to numerous American enterprises.
The attackers employ advanced techniques, including interactive kits and large language models (LLMs), to create highly convincing phishing emails.
The phishing operation begins with an email purportedly from the General Services Administration (GSA), inviting recipients to bid on a federal project.
The email contains a link that redirects users to a spoofed GSA website, designed to closely mimic the legitimate site. This fake site includes navigation links and search options that lead to actual GSA pages, enhancing its credibility and making it challenging for users to identify the deception.
Upon clicking the “Register For RFQ” button, users encounter a CAPTCHA page, a tactic used by attackers to evade detection by automated security tools. Once users submit their details, the attackers successfully harvest their credentials.
The phishing site is nearly identical to the legitimate one, reassuring visitors that it is authentic.
The attackers have also incorporated a detailed pop-up message that walks users through how to register for the RFQ, requiring multiple clicks to reach the fake login site.
According to the Perception Point report shared with Cyber Security News, “Upon clicking the link, the user is redirected to a spoofed GSA page, complete with a domain mimicking (gsa-gov-dol-procurement-notice(.)procure-rfq(.)online) the legitimate GSA domain (www.gsa.gov). The phishing site is nearly identical to the legitimate site, assuaging visitors of its supposed authenticity.”
This behavior not only enhances the site’s credibility but also makes it more difficult for users to realize they are on a malicious site.
Abuse of Microsoft’s Dynamics 365 Marketing Platform
A notable aspect of this campaign is the abuse of Microsoft’s Dynamics 365 Marketing platform. Attackers leverage the domain dyn365mktg.com to create subdomains and send malicious emails.
Because the domain is associated with Microsoft and is pre-authenticated, passing SPF and DKIM checks, mail sent from its subdomains is far less likely to be flagged as spam and tends to land directly in inboxes.
That built-in credibility, stemming from the domain’s link to a trusted marketing platform, also makes the messages appear more legitimate, increasing the campaign’s effectiveness.
Perception Point researchers identified two variations of the phishing campaign, both crafted with the help of LLMs. These models enable attackers to generate sophisticated and contextually accurate emails at scale. The emails impersonate different U.S. government departments, maintaining a professional tone and incorporating department-specific details.
Protection Measures
To protect against such sophisticated phishing attacks, organizations are advised to:
Double-check the Sender’s Email: Scrutinize the sender’s email address for legitimacy.
Hover Before You Click: Hover over links to verify the actual URL.
Look for Errors: Be vigilant for grammatical mistakes or unusual phrasing.
Leverage Advanced Detection Tools: Use AI-powered, multi-layered security solutions.
Educate Your Team: Train employees to recognize phishing emails and verify unsolicited communications.
Trust Your Instincts: Be cautious of offers that seem too good to be true and verify their authenticity through trusted channels.
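The two points above about checking the sender and hovering over links, together with the earlier note that an SPF/DKIM pass on a dyn365mktg.com subdomain vouches only for the sending platform, can be turned into a simple mail-triage check. This is an added example, not code from Perception Point or Cyber Security News; the message headers, the "contoso-bid" subdomain and the link set are constructed, and the brand and bulk-sender lists are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

IMPERSONATED = {"gsa.gov"}                # org the mail claims to come from (assumed)
BULK_SENDER_DOMAINS = {"dyn365mktg.com"}  # pre-authenticated marketing platform

# Constructed sample message; the lookalike host is the one quoted in the report.
SAMPLE = """\
From: "GSA Procurement" <notices@contoso-bid.dyn365mktg.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=contoso-bid.dyn365mktg.com; dkim=pass header.d=dyn365mktg.com
Subject: RFQ invitation
Content-Type: text/html

<p><a href="https://gsa-gov-dol-procurement-notice.procure-rfq.online/rfq">Register For RFQ</a>
<a href="https://www.gsa.gov/buy-through-us">About GSA</a></p>
"""

def registrable(host):
    """Crude registrable domain: last two labels (enough for .gov/.com/.online)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def triage(raw):
    """Return a list of findings; an empty list means nothing suspicious matched."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"] or "")
    from_dom = registrable(addr.rsplit("@", 1)[-1])
    auth = msg["Authentication-Results"] or ""
    findings = []
    # SPF/DKIM pass for a bulk-sender domain says nothing about the claimed org.
    if from_dom in BULK_SENDER_DOMAINS and "dkim=pass" in auth:
        findings.append("authenticated bulk-sender domain, not the claimed org")
    # Display name claims GSA, but the sender domain is not gsa.gov.
    if re.search(r"\bgsa\b", name, re.I) and from_dom not in IMPERSONATED:
        findings.append(f"display name claims GSA but sender domain is {from_dom}")
    # Link hosts that carry the brand token but sit outside gsa.gov ("hover before you click").
    for url in re.findall(r'href="([^"]+)"', msg.get_payload()):
        host = urlparse(url).hostname or ""
        if "gsa" in host and registrable(host) not in IMPERSONATED:
            findings.append(f"lookalike link host {host}")
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print("FLAG:", f)
```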
The post Operation Uncle Scam – AI-Powered Phishing Attack Steals Microsoft Dynamics 365 Credentials appeared first on Cyber Security News.