In celebration of all things spooky for Halloween, we’ve collected a list of five super-scary cybersecurity trends we hope don’t trick you anytime soon.
AI Nightmares!
1. WormGPT/FraudGPT/and LLM clones for bad actors. Like any tool, ChatGPT, Bard, and the growing population of other AI-enhanced technologies are attracting their share of attention from cybercriminals. WormGPT and FraudGPT are both advertised on the Dark Web and in hacker forums as a means to create and perfect undetectable malware and other malicious code, as well as enhance the effectiveness of phishing emails. While correlation isn’t causation, there are multiple reports that ransomware is on the rise for 2023, suggesting that threat actors are upleveling their attacks.
2. Indirect Prompt Injection Attacks. An Indirect Prompt Injection Attack is a way to force a Large-Language Model (ChatGPT, Bard, Claude, and others) to bypass standard controls and do something else. The simplest technical explanation we found is:
3. Deep Fakes Getting Deeper with AI Advances. Maybe seeing the Pope in a designer puffy parka is fun, but unfortunately, we can’t count on threat actors not to fool us with important events that deserve accurate and authentic information. AI advancements in graphics and audio are propelling deep fakes into a new realm of realism, and researchers and regulators are sounding alarms. The Federal Election Commission recently concluded the comment period on the matter of deep fakes in election ads and what should be done about it. The next step will be to consider the merits of the issue and potentially begin rulemaking (https://sers.fec.gov/fosers/). And in what might be a new high for self-regulation, Meta recently announced the creation of Voicebox, a generative AI speech tool that is apparently so good at creating realistic speech, the company has decided not to release the product at this time due to concerns over misuse (https://ai.meta.com/blog/voicebox-generative-ai-model-speech/).
Gadget Goblins!
4. Flipper Zero and Other Annoying Tools with Cute Names. While these electronic multi-tools aren’t new or hard to find (you can check out a Raspberry Pi from most public libraries), there’s certainly concern over how quickly bad actors are making use of them. Cheap, easy to program, and legal, these devices can copy data from credit cards and hotel keys, clone automobile key fobs, remote controls, and electronic tracking tags, send disruptive pop-ups over Bluetooth, and spread malware or steal data through bad USB attacks. While the vast majority of these devices can’t grab the CVV number from a credit or debit card (yet), there are still plenty of websites that will honor card numbers without the three-digit security code. Defending against these devices isn’t all that difficult. To help protect your data, use a well-tested RFID blocking device for bank cards, turn off Bluetooth and WiFi in Settings when in public (enabling Airplane Mode is not sufficient), and never leave a mobile device unattended.
5. Tracker Stalking. This creepy, and potentially dangerous, trend has been on our radar. AirTags, Tiles, and even AirPods are being used to stalk celebrities and private citizens in messy breakups, as well as being used by auto theft rings for tracking target vehicles. Bluetooth-enabled trackers, such as those made by Apple, Tile, Chipolo, and others, use the same radio frequency technology that other Bluetooth devices use to connect to smartphones and tablets. Once paired, the two devices will communicate with each other on a regular basis provided both are functioning and in range. If the tracker’s owner is out of range, Bluetooth crowdsourcing allows for enabled items to be tracked over increased distances provided that other compatible devices can “chain” the signal. For example, Person A pairs a tracker with their cellphone and then places the tracker in a vehicle. Person B then drives the vehicle home. Provided there are enough Bluetooth devices sending signals along the route and at the destination, Person A will be able to find the vehicle by locating the tracker with their cellphone or tablet (other devices serving as links in the chain remain anonymous). Both Apple and Android devices will issue alerts when an unknown tracker is traveling with you and moves away from the tracker owner’s device. If you’re concerned you’re being tracked, Apple’s support page offers ways to detect and disable unknown trackers (https://support.apple.com/en-us/HT212227). Android users should try Google’s support page (https://support.google.com/android/answer/13658562?hl=en). If you discover one of these devices and suspect unwanted tracking, contact local law enforcement. Attorneys will want to let their clients know, especially those already in or contemplating litigation, that if their phone alerts of a mystery tracking device, this could be vital information to share. Fortunately, to locate the tracker, it must be registered to a mobile number, an iCloud account, or an email, which is discoverable information, and often, can take authorities right to the person who placed the tracker.
While there are plenty of scary new cyber trends creeping up daily, Digital Mountain is constantly on guard for those that need expert attention. If you have questions or fear you may need some cyber ghost busting, don’t hesitate to call.
