
Chaos Phishing: When the evil find opportunity in calamity

Author: Siddharth Singh

Chaos

[Illustration: cartoon-style illustration of a mysterious, strategic figure inspired by Littlefinger, seen from the back]

Chaos is a ladder

At one of the yearly hackathons at Microsoft, I, along with a small team, built a system which sends phishing emails by making use of Large Language Models. ChatGPT had just come out and was the hot topic of the hackathon.

The LLMs, as we later saw, were really good at creating dynamic emails from simple prompts. Our tool had a collection of prompts and a distributed system to send personalised emails at scale.

I used the Bing News service to create dynamic emails based on the latest headlines, which would put any Nigerian prince sharing his wealth to shame. The idea was to create a product for consumers and corporate employees and continuously train them using advanced phishing simulation.

That's when I had this idea about Chaos Phishing.

What does Chaos Phishing mean?

Chaos Phishing means scheduling a phishing attack when there is some chaos. The chaos could be anything which is publicly known: an outage taking down a critical service or product, an economic crisis in a company, mass layoff news, etc.

Examples:

  • ChatGPT is down for a few hours.
  • Intel is in talks of merger/cost cutting.
  • Google plans to lay off a few hundred engineers.
  • Microsoft Outlook is down.

The human is already the weakest link in the security chain. The desire to get that free MacBook, or a 50% discount on a TV, is not going away soon. Add some chaos to it and we begin to lose our guard.

The Chaos Event or the Incident is a golden period for an advanced phishing attacker. People are already in distress and vulnerable during an outage and there is a high probability that they will be fooled if the attacker leverages the incident event information to create a compelling email.

For the scenarios discussed above, here are some ways to execute an attack.

ChatGPT is down for a few hours.

  1. Chances are that you depend on ChatGPT for many things.
  2. The attacker monitors the Twitter handles where the outage is reported and gets to work.
  3. Users get an email from "Sam Altman", apologising for the outage and offering free access to Sora or Deep Research, etc.
  4. Users are lured into clicking.

Intel is in talks of merger/cost cutting.

  1. Intel employees receive an email about Microsoft acquiring Intel, with a "learn more" link.
  2. Employees are distressed about the company's future and they want to learn more.

Google plans to lay off a few hundred engineers.

  1. Layoffs at Big Tech are a tight-lipped affair, and no one knows until the time comes.
  2. Imagine this news coming out, with Google employees checking their access at 15-minute intervals to make sure they have not been laid off.
  3. They get an email inviting them to a 1:1 with their manager, with a link to schedule the meeting.

Microsoft Outlook is down.

  1. Outlook is down and the Outlook team is working on fixing it.
  2. All the Accenture employees who were chilling receive a text on their mobile, or an email, telling them to clear their cache via a link to work around the outage.

In all these scenarios, there is a high probability of users falling for the phishing because:

  1. People are in distress.
  2. The attacker has used the chaos and the context well.
  3. There are none of the usual mistakes in the email (no bad copy or the like); it's generated by an LLM.

What to do?

Attacker

  1. Keep target emails handy.
  2. Monitor all outage handles in all major services.
  3. Have all your recipes for emails ready, as outages last only a few hours.
  4. Use the LLMs creatively.

Organisations

  1. Most of the emails will not reach the employees. However, you need to be ready to detect phishing in phone calls, WhatsApp, etc.
  2. Maybe make the filters strict during outage duration.
  3. Train the Employees with security courses and do regular phishing simulation with chaos scenarios.
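As an added example of points 2 and 3 above (stricter filtering during an outage, and detection tuned to chaos scenarios), here is a small chaos-aware triage scorer. This is not the author's hackathon tool or any vendor's product; it assumes the SOC maintains a list of declared public incidents ("chaos windows"), that inbound mail is available as simple dicts, and that the organisation knows its own domains. All weights, thresholds, domains, display names, dates and sample messages are constructed for illustration.

```python
"""Chaos-aware phishing triage.

Added example, not the author's hackathon tool. Assumptions (not from the
post): messages arrive as plain dicts, the SOC maintains a list of declared
public incidents ("chaos windows"), and the organisation knows its own
domains. All weights, thresholds, domains, names and dates are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
URGENCY_PHRASES = ("immediately", "urgent", "act now", "workaround", "within 15 minutes")


@dataclass(frozen=True)
class ChaosWindow:
    """A publicly known incident the SOC has declared, with terms a lure would reuse."""
    name: str
    keywords: tuple
    start: datetime
    end: datetime

    def active_at(self, when: datetime) -> bool:
        return self.start <= when <= self.end


def is_trusted_host(host: str, trusted_domains) -> bool:
    """True when host is one of the organisation's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def triage(msg, windows, trusted_domains, protected_names, now, base_threshold=5):
    """Score one message; the quarantine threshold drops while any window is active."""
    score, reasons = 0, []
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    external = not is_trusted_host(sender_domain, trusted_domains)
    text = f"{msg['subject']} {msg['body']}".lower()
    link_hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(msg["body"])}
    active = [w for w in windows if w.active_at(now)]

    if external:
        score += 1
        reasons.append(f"external sender domain {sender_domain}")
    display = msg.get("display_name", "").lower()
    if external and any(p.lower() in display for p in protected_names):
        score += 2
        reasons.append(f"external sender uses protected display name '{msg['display_name']}'")
    untrusted_links = sorted(h for h in link_hosts if not is_trusted_host(h, trusted_domains))
    if untrusted_links:
        score += 2
        reasons.append(f"links to untrusted hosts {untrusted_links}")
    if any(p in text for p in URGENCY_PHRASES):
        score += 1
        reasons.append("urgency language")
    referenced = [w.name for w in active if any(k in text for k in w.keywords)]
    if external and referenced:
        score += 2
        reasons.append(f"external mail references active incident(s) {referenced}")

    # "Make the filters strict during the outage": lower the bar while a window is open.
    threshold = base_threshold - 1 if active else base_threshold
    action = "quarantine" if score >= threshold else "deliver"
    return {"score": score, "threshold": threshold, "action": action, "reasons": reasons}


# --- constructed sample data (not from the post) ---
UTC = timezone.utc
WINDOWS = [
    ChaosWindow("Outlook outage", ("outlook", "outage"),
                datetime(2025, 3, 1, 9, tzinfo=UTC), datetime(2025, 3, 1, 13, tzinfo=UTC)),
    ChaosWindow("ChatGPT outage", ("chatgpt", "openai"),
                datetime(2025, 3, 1, 10, tzinfo=UTC), datetime(2025, 3, 1, 12, tzinfo=UTC)),
]
TRUSTED_DOMAINS = ("corp.example",)
PROTECTED_NAMES = ("Outlook", "Microsoft", "IT Helpdesk", "OpenAI")
DURING = datetime(2025, 3, 1, 11, tzinfo=UTC)
AFTER = datetime(2025, 3, 2, 11, tzinfo=UTC)

LURE_OUTLOOK = {  # outage-themed lure with an impersonated display name
    "from": "helpdesk@outlook-cache-fix.example", "display_name": "Outlook Team",
    "subject": "Outlook outage: clear your cache to restore access",
    "body": "Outlook is down. Apply this workaround immediately: http://outlook-cache-fix.example/restore",
}
LURE_CHATGPT = {  # subtler lure: only the incident reference tips it over the bar
    "from": "sam@openai-research-access.example", "display_name": "Sam",
    "subject": "Sorry for today's downtime",
    "body": "We are sorry ChatGPT was unavailable. Claim free early access: https://openai-research-access.example/claim",
}
INTERNAL_STATUS = {  # legitimate status mail from the organisation's own domain
    "from": "status@corp.example", "display_name": "IT Status",
    "subject": "Outlook outage update",
    "body": "Outlook is degraded; track progress at https://status.corp.example/incidents. No action needed.",
}

if __name__ == "__main__":
    for label, msg, when in [("lure/during", LURE_OUTLOOK, DURING), ("subtle/during", LURE_CHATGPT, DURING),
                             ("subtle/after", LURE_CHATGPT, AFTER), ("internal/during", INTERNAL_STATUS, DURING)]:
        print(label, triage(msg, WINDOWS, TRUSTED_DOMAINS, PROTECTED_NAMES, when))
```

The point of the second sample is the one the post makes: a polished lure with no spelling mistakes and no obvious impersonation scores only 3 on a normal day and is delivered, but during a declared incident the same message picks up the incident-reference signal and meets the lowered threshold. The incident reference is only counted for external senders so that the organisation's own status updates, which naturally mention the outage, are not penalised.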

Consumers

  1. It's always good to remember that nothing comes for free.
  2. Pray to god, take deep breaths and don't lose your cool in chaotic times.
  3. Sign up for an advanced phishing simulation product so that you are ready and can identify a phishing message from a mile away.
  4. Reminder: email is just one of the ways. There is vishing, video calls, SMS, WhatsApp, Facebook, LinkedIn and many more contact points.

Conclusion

LLMs have lowered the cost of writing a high quality phishing email. It is possible to build systems which can target you with highly personalized attacks.

You can get a call from a loved one with deepfake audio. The LinkedIn HR contact you are messaging might be a bot waiting to extract your payment info.

While Chaos Phishing is a term which I just coined, it is a subset of event-based phishing. Our lives are full of events, and these events can be used by attackers in countless ways. Until there is some AI agent available on our devices themselves to protect against these generative AI attacks, we need to be careful about the next wave of phishing attacks.