ChatGPT rival ‘WormGPT’, used by cybercriminals to launch phishing attacks – Kevin Curran, IEEE senior member and professor of cyber security comments
July 2023 by Kevin Curran, IEEE senior member and professor of cybersecurity at the University of Ulster
WormGPT is a new generative AI tool being used by cybercriminals to launch sophisticated business email compromise and phishing attacks. One in five people are already falling for AI-created phishing emails, as studies show that AI can write better phishing emails than humans. In light of this new technology, security experts are urging businesses to keep up with the evolution of AI.
Kevin Curran, IEEE senior member and professor of cyber security, comments on what WormGPT means for businesses and what can be done to combat it:
“Cybercriminals launching phishing attacks is nothing new, but WormGPT is certainly going to make it easier for them to do so. A tool called Metasploit has existed for many years and allows phishing emails to be sent out en masse – but a common problem has always been poor grammar and spelling mistakes, and typos are a key indicator of spam mail.
“WormGPT has the power of a large language model (LLM) behind it, enabling emails to be sent without mistakes. This takes phishing to a new level. The emails produced will be super realistic and adopt increasingly compelling topics, which helps cybercriminals lure users to click on links within emails or download malware. Recently, LLMs have also been used to auto-generate fake landing pages which can lead to people handing over their passwords or other personal information. WormGPT is still lacking a modern interface and many necessary features for business email compromise, but hacking tools generally get better so it may only be a matter of time. Any tool which makes hacking easier is a worry to all of us.
“Malicious LLMs and AI are a new frontier for cybersecurity, and security measures need to keep pace. The first line of defence to stop these attacks, apart from firewalls and intrusion detection systems, is to simply educate employees about the dangers of clicking on links. However, it generally takes people making a mistake before they learn. In an effort to train, some enterprise security teams send phishing emails containing fake malware to their employees – and when these are activated, the employees are simply led to a website informing them of their mistake and educating them on the dangers of what they did. Education will be crucial to combating these attacks.”