The government has warned that ChatGPT, an Artificial Intelligence (AI) backed chatbot developed by (Microsoft-funded Company) OpenAI, carries critical risks in the realms of leading cyber threats such as phishing and malware development.
The official advisory a copy of which is available with ProPakistani noted that ChatGPT has gained an explosion of interest and popularity among the masses since its prototype launch on 30 November, 2022.
Even though such a close-to-pinnacle development of AI brings the promise of augmenting the work of cyber threat hunters and defenders, it carries critical risks in the realms of leading cyber threats such as phishing and malware development.
To prevent the menace of such AI-enabled exploitation, extreme caution, due diligence, and due care are to be practiced on a proactive basis. In this regard, guidelines are provided in ensuing paras for sensitization.
Following is a non-exhaustive list of ways malicious actors can use ChatGPT:-
- Malware Generation: Malware generation by ChatGPT is no longer a mere theoretical possibility. Its use is already gaining traction and is under discussion in various Dark Web forums.
- Phishing Emails: ChatGPT has demonstrated the capability to generate extremely convincing phishing and spear-phishing emails, which carry the possibility and probability of slipping through email providers’ spam filters.
- Scam website: With the lowered bar for code generation, ChatGPT can help less-skilled threat actors effortlessly build malicious websites such as masqueraded and phishing-landing pages. For example, malicious actors with zero to little skill can clone an existing website with ChatGPT and then modify it, build fake e-commerce websites, or run a site with scareware scams etcetera.
- Disinformation Campaigns: With ChatGPT, users have access to software that is able to write extremely convincing prose and generate thousands of fake news stories and social media posts in a fraction of the time.
Prevention Against Phishing Emails
- Never open unknown, unanticipated, and/or suspicious emails, links, and attachments.
- Before downloading any attachments, including trusted attachments, scan them with the antivirus provided by the email service provider. If the email service does not provide virus scanning services, all downloaded files may be scanned with local antivirus before opening.
- Apply updates to Operating Systems and Software Applications on all computing devices such as PCs, laptops, mobiles, wearables, etc.
- Use well-reputed and trusted antivirus/antimalware in all computing devices.
- Never use personal accounts on official devices.
- Use Multi-Factor Authentication (MFA) wherever possible.
- Never share personal details and credentials with unauthorized/suspicious users, websites, applications, etc.
- Always type URLs in the browser rather than clicking on links.
- Always open websites with HTTPS and avoid visiting HTTP websites.
- Restrict incoming traffic and user permissions to the maximum possible extent, by implementing system hardening at OS, BIOS, and Applications level.
- Unauthorized storage media (such as USBs) be blocked via system hardening.
- Format removable media frequently to avoid lateral propagation of malware to the extent possible.
- Monitor network activity by (at least) employing checks via file hashes, file locations, logins as well as unsuccessful login attempts.
- Use reputed and trusted Anti Malware, Antivirus, Firewalls, IPS, IDS, and SIEM solutions.
- Use separate servers/routing for offline LAN and online networks.
- Allow internet access to specific users on a need basis and restrict data usage/applications rights.
- Verify software and documents before downloading via digital code-signing technique.
- Implement MFA in mailing systems administrator controls and other critical systems.
- Always maintain a backup of critical data periodically.
- Regularly change passwords at the administrator level.
- Regularly patch and update all OS, applications, and other technical equipment.
- In order to reduce the attack surface of malicious code execution; it is advisable that the user should always log in with an account having standard user privileges.
- Always re-verify trusted users who have sent emails/attachments via secondary means (call, SMS, verbal) before downloading.
- Report any suspicious activity to the Administrator immediately. (c) Never store critical data on online systems, rather store it on standalone systems.
Guidelines for ChatGPT users
- When using ChatGPT, be mindful of the information shared. Avoid sharing sensitive or confidential information, such as passwords, financial information, or personal details.
- Use caution with links and attachments. ChatGPT may provide links or attachments as part of its answers, but it’s important to exercise caution before clicking on them. Always verify the source of the link or attachment and beware of suspicious/unknown sources.
- Official phones must not be used for ChatGPT.
- In case of encountering a security issue while using ChatGPT, report it immediately to Open AI.
Prevention against Disinformation Campaigns
All Government Departments are to undertake the following actions as preventive measures: –
- Awareness campaigns and training be regularly arranged.
- Always try to verify information from multiple sources.