In recent years, there has been a phenomenal expansion in the use of generative artificial intelligence (AI). Since the launch of ChatGPT in November 2022, several artificial intelligence (AI) products that serve a variety of functions have been developed and improved. On the other hand, we have now reached a point in time in which a brand-new AI that has been launched particularly built for those who wear black hats. Cybercriminals have just lately released a program known as WormGPT. This tool is of the black-hat kind and has the ability to carry out a variety of social engineering as well as Business Email Compromise (BEC) attacks. This instrument does not have any restrictions on how it may be used and does not have any bounds. Business email compromise, often known as CEO fraud or whaling, is a method of attacking companies by pretending to be top executives or trustworthy partners through electronic communication.
There is evidence that threat actors use ChatGPT to compose BEC emails, according to talks that have taken place in a forum dedicated to cybercriminal activity. These AI-generated emails may be used for conducting these kind of attacks by hackers with a low level of proficiency in other languages as well.
In a different topic, “Jailbreaks” for applications such as ChatGPT were discussed. These are prompts that have been carefully developed in order to coerce ChatGPT into divulging sensitive information that is outside the scope of its usage. It may even deliver improper stuff or develop hazardous code. It was reported that WormGPT was specifically built as a blackhat alternative to existing GPTs, and this information was discovered on a discussion site frequented by cybercriminals. It makes use of GPTJ (Generative Pre-trained Transformer-J) language models and is equipped with a variety of features and capabilities for code formatting. In a test that was carried out using WormGPT, the program was given the task of generating a BEC email with the intention of pressuring an account manager into paying a fake invoice. The findings were incredibly detrimental due to the fact that they developed a compelling email that was devoid of grammatical errors and was persuasive enough to persuade any worker.
If you want touse WormGPT, you may use the link to the official forum; however, it is against the rules to use that URL for phishing or any other kind of criminal activity. Because it is identical to the standard ChatGPT in every respect, including its ability to respond to both general and legal questions, it is strongly recommended that you use the standard version rather than attempting to get access to this one.
In principle, WormGPT might be used for good purposes if the right circumstances were there. It is essential, however, to bear in mind that the malicious software WormGPT was developed and distributed with the intention of doing harm. Any use of it raises moral concerns and might put someone in legal jeopardy.
The developer of WormGPT has also published photographs that show how users may command the bot to generate malware using Python code and ask for guidance on how to plan harmful attacks. These features can be seen on the WormGPT website. The developer asserts that they used the open-source GPT-J that was included in the 2021 big language model, which is an older version of the large language model. WormGPT was developed after the model’s training, which included the use of data pertaining to the creation of malicious software.
In conclusion, the growth of AI results in the introduction of progressive and new attack vectors, but it also has certain advantages. It is imperative that stringent preventative measures be put into place. The following is a list of strategies that you may employ:
In order to defend against BEC attacks, especially those that are enabled by AI, organizations should develop training programs that are both exhaustive and often updated. Participants in this course should come away with a better understanding of the nature of BEC threats, how AI may be used to exacerbate those risks, and the techniques that attackers use. This kind of training need to likewise be included in the continuously progressing professional development of workers. In order to protect themselves against AI-driven business email compromise attacks, companies should implement stringent email verification measures. These include putting in place systems that automatically recognize when emails from outside the organization resemble internal executives or suppliers and installing email systems that signal communications containing certain terms associated to BEC attacks .
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.