The ROI on spam is pretty low, but the ROI on phishing, and especially spear phishing, is quite good. Spear phishing is time-consuming and therefore expensive, but what if it could be done automatically? That would be really bad. Yet in many comments my concerns were met with arguments like "use common sense" and "phishing is not a problem".
So I looked at the statistics, and according to a Cisco survey from 2021, at least one person clicked on a link in 86% of the organisations targeted in a phishing attack. One person is enough, so in other words an 86% success rate.
So how easy is it to do this? To find out, I built a small script, with ChatGPT of course, that scraped the Facebook profile of a friend of mine, let’s call him Anders, and collected not all but some data. There is so much data, but I settled for just work and one photo album. So what did I find:
- Works in IT
- Attended a wedding in Stockholm in June three years ago.
- People at the wedding (tagged in photos): Anders, Bert, Carl, David, Emma, Felicia, Heidi
- Emma and David are getting married
- One photo has a caption that describes when Bert fell into a pool
OK, now we have some background on Anders. Background is great for building trust. So I provide GPT with this scenario, using the API, although you can try it in ChatGPT:
I will provide you with a scenario I will then ask you to at on various subjects regarding that scenario: Wedding, many people. Some of the people are Anders, Bert, Carl, David, Emma, Felicia, Heidi. They know each other. Emma and David is getting married. In the evening Bert fell in the pool.
Add this to the scenario: Anders works with IT
Add this to the scenario: the wedding took place in Stockholm in June three years ago.
Now GPT is seeded with my data for gaining trust. Let’s write my phishing email:
Write an email to Anders and ask for his help with a google document which can be reached by a link in the email. Refer to that you met on the wedding and that you are a friend of Felicia. Refresh Anders memory with a fun anecdote of the pool incident.
I hope this email finds you well. My name is [Your Name], and we met at Emma and David’s wedding in Stockholm three years ago. I am a friend of Felicia, and I believe we chatted briefly about your work in IT at the wedding.
I am writing to request your help with a Google document that I am currently working on. I’ve included a link to the document below. I am having some trouble with formatting and I was wondering if you could assist me in resolving these issues. I would greatly appreciate any assistance you can provide.
Speaking of the wedding, do you remember the incident with Bert and the pool? It was quite a funny moment.
Please let me know if you are available to assist me and if so, what the best way to schedule a time for us to work on the document together would be.
Document link: [insert link here]
Thank you in advance for your help.
Best regards, [Your Name]
Well, this is actually quite a good phishing email. You have a common friend and a reason to make contact, you refer to a shared memory to gain trust and lower Anders’ guard, and you have your evil payload: the link.
Most attacks would stop here, but I took my script a bit further and kept the session waiting in case Anders replied to the email, which he did:
Hi! Yeah, that was a crazy wedding. I remember bart and the pool but I guess that I was a bit drunk. Did we dance? I really can’t remember. Cheers Anders
And since I have the metadata, I can restore the GPT session and generate a reply that makes my first email look genuinely trustworthy.
I did that with this prompt:
Anders replied to the email above. Reply friendly and heartly to anders email:
And then Anders got this follow-up email:
It’s great to hear back from you! Yes, that wedding was quite the event, especially with Bert’s pool incident. I’m glad you have a good sense of humor about it now. And don’t worry, I don’t think you need to remember everything that happened that night, it’s normal.
Regarding the Google document, thank you for your willingness to help. I really appreciate it. Let’s schedule a time that works for you, and I’ll send you the link again.
As for the dancing, I don’t remember if we did, but it’s always a possibility!
Cheers, [Your Name]
This dialogue can go back and forth, and I bet that with this method the 86% I mentioned before will skyrocket, which is of course really, really bad.
So why did I do this, and why did I write about this method? Well, if I figured it out in less than a day, “wrote” the code in less than 30 minutes and then ran the attack with full automation, then I bet there are plenty of bad guys out there doing even more sophisticated versions of this. So beware, but embrace this fantastic technology and use it for something good and productive.