Recently, the U.S. federal government released a report stating that users need to pay close attention to the cybersecurity risks of ChatGPT, especially in the areas of phishing and malware development.
In its advisory opinion report, the government department warned that despite the unprecedented success of ChatGPT, an artificial intelligence tool supported by Microsoft, it has attracted a large number of leading companies and capital to frantically pour into the AI track, and AI has become the hottest topic at the moment. One of the tracks.
However, AI also brings security risks, especially in terms of phishing email production and malware generation. AI tools represented by ChatGPT have major security risks. The report states that in order to prevent the threat posed by such AI tools, enterprises must be proactive and exercise extreme caution, due diligence and close attention before a worse situation arises.
1. Attackers are using ChatGPT to amplify their malicious capabilities
The report listed a partial list of ways malicious attackers use ChatGPT, as follows:
1. Malware generation: Using ChatGPT to generate malware is no longer just a possible theory. Malicious attackers have become more and more proficient in using it, and various discussions and attempts have been started on the dark web.
2. Making phishing emails: Different from malware generation, ChatGPT has shown its powerful capabilities to users in terms of phishing emails. Malicious attackers can exploit this to generate phishing and spear-phishing emails, and these emails have the potential to pass through email provider's spam filters.
3. Fraudulent websites: By lowering the threshold for code generation, ChatGPT can help less-skilled threat actors easily build malicious websites, such as cloaking and phishing landing pages. For example, a malicious actor with zero or little skill could use ChatGPT to clone an existing website and then modify it, build a fake e-commerce website, or run a website with a scareware scam, among other things.
4. Publishing Fake Information: With ChatGPT, users have access to software capable of writing highly persuasive prose, generating thousands of fake news reports and social media posts in a short period of time.
Enterprise & User Security Guidelines /Precautions
1. Improve the defense against phishing emails
- Never open unknown, unexpected or suspicious emails, links and attachments;
- Scan attachments, even trusted ones, with antivirus software from your email service provider before downloading them. If the email service does not provide virus scanning, all downloaded files can be scanned with local antivirus software before opening;
- Updates to all computing equipment, including personal desktops, laptops, mobile phones, wearables, and other operating systems and software applications;
- Use reputable and trusted antivirus software in all computer equipment;
- Do not use personal accounts on official devices;
- Use multi-factor authentication (MFA) wherever possible;
- Never share personal information and credentials with unauthorized/suspicious users, websites, applications, etc.;
- Always type the URL into your browser instead of clicking the link directly.
- Always open links with https open sites, do not visit http sites.
2. A Guide to Identifying Masquerading Malware
(1) Administrator
- Limit incoming traffic and user privileges as much as possible by implementing hardening systems at the operating system, BIOS and application levels;
- Block unauthorized storage media (e.g. USB) through system hardening;
- Frequently format removable media to try to avoid the lateral spread of malware within the system;
- Monitor network activity by file hashes, file locations, logins and failed login attempts;
- Use reputed and trusted anti-malware, anti-virus, firewall, IP, IDS, SIEM solutions;
- Use separate servers/routes for offline LAN and online network;
- Allow specific users to access the internet and limit data usage/application permissions as needed;
- Authenticate software and documentation via digital code signing technology prior to download;
- Implement MFA (Multi-Factor Authentication) in mail system administrator controls and other critical systems;
- Always maintain regular backups of critical data;
- Regularly change passwords at the administrator level;
- Regularly patch and update all operating systems, applications and other technical equipment;
- To reduce the attack surface for malicious code execution; users are advised to always log in with an account with standard user rights.
(2) End users
- Be sure to re-authenticate the trusted user who sent the email/attachment via secondary means (phone call, text message, verbal) before downloading;
- Immediately report any suspicious activity to the administrator;
- Never store critical data on an online system, store it on an independent system.
(3) ChatGPT User Security Guidelines
- When using ChatGPT, please be careful about the information you share. Avoid sharing sensitive or confidential information such as passwords, financial information or personal details.
- Be careful with links and attachments. ChatGPT may provide links or attachments as part of its answers, but please be careful before clicking on them. Always verify the source of links or attachments and beware of suspicious/unknown sources.
- Mobile phones of government agency staff are not allowed to use ChatGPT.
(4) If you encounter a security problem while using ChatGPT, please report it to Open AI immediately.