When Will the First ChatGPT-Based Cyberattacks Launch?

It’s evident that many cybersecurity and IT professionals have mixed feelings about AI in general and ChatGPT in particular. According to a recent study from BlackBerry, while eight in ten decision makers said they plan to invest in AI-driven cybersecurity by 2025, three-quarters of those respondents saw AI as a serious threat to security. The majority not only believed that ChatGPT will be behind a successful cyberattack within the year, but that nation-states are already using it for nefarious activities.

We know that threat actors quickly found they could use ChatGPT to help write malware code quickly and easily. So it is just a matter of time until they use this and other chatbots to launch cyberattacks.

“It’s not an ‘if’ question but more of a ‘how often’ or ‘at what scale’ as threat actors are usually one step ahead when it comes to adoption of new technologies,” said Shiran Grinberg, director of research and cyber operations with Cynet when asked about the likelihood that chatbots will play an increasing role in cyberattacks.

“Threat actors can use AI models to test their own crafted malware against a variety of environments, allowing them to better understand the detection measures they are trying to bypass or defeat,” Grinberg stated in an email interview. “By modeling their attacks in such an efficient manner, they can ensure accurate or massive impact, depending on their goal, once deployed in a real-life attack.”

The Target Attack Vectors

Chatbot-based attacks will likely be most effective in social engineering-based cyberattacks.

“ChatGPT can already write better hooks for phishing, cast-netting or spear-phishing than a lot of threat actors. With some specific training, it could take it a few steps further and create a very convincing script to social engineer a living target,” said Mike Parkin, senior technical engineer at Vulcan Cyber, in an email interview.

For that reason, Parkin said he anticipated an immediate threat from social engineering attacks, which could come through email campaigns or in live conversation scripts, because interacting with people is where these tools deliver an advantage. ChatGPT is supposed to have safeguards in place to prevent the technology from being used to create harm, but as Parkin pointed out, all it takes is some careful wording to get around those safeguards. From that point, it’s easy to get ChatGPT to create convincing email introductions that a threat actor could use to start a social engineering attack.

“The GTP-3 platform ChatGPT is built on is designed to generate convincing conversations and has a massive knowledge base backing it up,” said Parkin. “It’s ready-made for situations that focus on human interaction. Though there are indications that threat actors have also used AI techniques to develop advanced malware that can slip by existing defenses.”

Some researchers decided to test how easy it was to launch an attack using ChatGPT. The Check Point team wrote a phishing email and then, according to a Tech Monitor article, “used ChatGPT to generate a piece of VBA code that could be embedded in a Microsoft Excel document that would infect a computer if opened.”

In a few simple steps, ChatGPT was able to create and launch a cyberattack.

Considering the simplicity, it’s obvious that threat actors will take advantage of chatbots to launch attacks.

“Attackers can deceive AI models into thinking that attack behaviors are not harmful by inserting legitimate files that mimic malware or by engineering behavioral patterns that turn out to be false positives. Threat actors are and always will be looking for better ways to understand how to evade, bypass and circumvent existing security solution,” said Cynet’s Grinberg.

“By utilizing AI models to map their attacks with signatures, flags, detections, behavior patterns and traces left behind, threat actors increase the chances of their attacks delivering the desired outcome while going unnoticed.”

Avatar photo

Sue Poremba

Sue Poremba is freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.

sue-poremba has 271 posts and counting.See all posts by sue-poremba