Weaponizing AI to orchestrate cyber attacks

Introduction

Since the coinage of the term in 1956, Artificial Intelligence (AI) has evolved considerably. From its metaphorical reference in Mary Shelly’s Frankenstein, to its most popular recent application in autonomous cars, AI has made a progressive shift, over the years. It influences all the major industries such as transportation, communication, banking, education, healthcare, media, etc. 

When it comes to cybersecurity, AI is changing how we detect and respond to threats. However, with the benefits, comes the risk of the potential misuse of AI capabilities. Is the primary catalyst for cybersecurity, also a threat to it?  

How do we use AI in our daily life?

Social media users encounter AI on a daily basis and probably don’t recognize it at all. Online shopping recommendations, image recognition, personal assistants such as Siri and Alexa, and smart email replies, are the most popular examples.

For instance, Facebook identifies individual faces in a photo, and helps users “tag” and notify them. Businesses often embed chatbots in their websites and applications. These AI-driven chatbots detect words in the questions entered by customers, to predict and deliver prompt responses. 

How do malicious actors abuse and weaponize AI?

To orchestrate attacks, cyber criminals often tinker with existing AI systems, instead of developing new AI programs and tools. Some common attacks that exploit Artificial Intelligence include: 

  • Misusing the nature of AI algorithms/ systems: AI capabilities such as efficiency, speed and accuracy can be used to devise precise and undetectable attacks like targeted phishing attacks, delivering fake news, etc.
  • Input attacks/ adversarial attacks: Attackers can feed altered inputs into AI systems, to trigger unexpected/incorrect results. 
  • Data Poisoning: Malicious actors corrupt AI training data sets by poisoning them with bad data, affecting the system’s accuracy. 

Examples of how AI can be weaponized

GPT-2 text generator/ language models 

In November 2019, OpenAI released the latest and largest version of GPT-2 (Generative Pretrained Transformer 2). This language model has the training to generate unique textual content, based on a given input. It even tailors the output style and subject based on the input. So, if you input a specific topic or theme, GPT-2 will yield a few lines of text. GPT-2 is exceptional in that it doesn’t produce pre-existing strings, but singular content that didn’t exist before the model created it. 

Drawbacks of GPT-2

The language model is built with 1.5 billion parameters and has a “credibility score” of 6.9 out of 10. The model received a training with the help of 8 million text documents. As a result, OpenAI claims that “GPT-2 outperforms other language models.” The text generated by GPT-2 is as good as text composed by a human. Since detecting this synthetic text is challenging, creating spam emails and messages, fake news, or performing targeted phishing attacks, among other things, becomes easier.

Image recognition software

Image recognition is the process of identifying pixels and patterns to detect objects in digital images. The latest smartphones (for biometric authentication), social networking platforms, Google reverse image search, etc. use facial recognition. AI-based face recognition softwares detect faces in the camera’s field of vision. Given its multiple uses across industries and domains, researchers expect the image recognition software market to make a whopping USD 39 billion, by 2021. 

Drawbacks of image recognition softwares 

Major smartphone brands are now using facial recognition instead of fingerprint recognition, in their biometric authentication systems. Since this cutting-edge technology is popular among consumers, cyber criminals have found ways to exploit it. 

  • Tricking facial recognition: It has been demonstrated that Apple’s Face ID can be duped using 3D masks. There are also other instances of deceiving facial recognition with infrared lights, glasses, etc. Identical twins, such as myself, can swap our smartphones to trick even the most efficient algorithms, currently available. 
  • Blocking automated facial recognition: As facial recognition depends on key features of the face, an alteration made to the features can block automated facial recognition. Similarly, researchers are exploring various ways by which automated facial recognition can be blocked.
Altering facial features (by CVDazzle)
Altering facial features (by CVDazzle)

For example: Researchers found that minor modifications to a stop sign confuses autonomous cars. If implemented in real life, these technologies could have severe consequences.

Subtle alterations to the sign comes at a cost
Subtle alterations to the sign comes at a cost (by securityintelligence)

Poisoned training sets

Machine learning algorithms that power Artificial Intelligence, learn from data sets (training sets) or by extracting patterns from data sets. 

Poisoning Machine Learning models
Poisoning Machine Learning models

Drawbacks of Machine Learning algorithms

Attackers can poison training sets with bad data, to alter a system’s accuracy. They can even “teach” the model to behave differently, through a backdoor or otherwise. As a result, the model fails to work in the intended way, and will remain corrupted.

In the most unusual of ways, Microsoft’ AI chatbot, Tay, was corrupted through Twitter trolls. Releasing the smart chatbot was on an experimental basis, to engage people in “playful conversations.” However, Twitter users deluged the chatbot with racist, misogynistic, and anti-semitic tweets, turning Tay into a mouthpiece for a terrifying ideology in under a day. 

What next?

AI is here to stay. So, as we build Artificial Intelligence systems that can efficiently detect and respond to cyber threats, we should take small steps to ensure they are not exploited:

  1. Focus on basic cybersecurity hygiene including network security and anti-malware systems.
  2. Ensure there is some human monitoring/ intervention even for the most advanced AI systems. 
  3. Teach AI systems to detect foreign data based on timestamps, data quality etc.

RBI guidelines for banks to combat escalating cyber attacks

To meet the growing needs of customers, banks are increasingly adopting Information Technology (IT) solutions, to carry out daily operations. Thus making them attractive targets for escalating cyber attacks. To ensure that Indian banks function in a cyber-resilient environment, the Reserve Bank of India (RBI) issues regular guidelines. Hence, in one of its recent circulars, in addition to distinguishing cybersecurity from information security, the RBI advises banks to establish mechanisms for:

  • Continuous surveillance to protect personal data
  • A focused approach towards cybersecurity
  • Board/ Top Management to be aware of the bank’s threat quotient
  • Board/ Top Management to proactively monitor, share, and mitigate threats

 

The RBI guidelines advocate the following measures to help banks improve their overall security posture:

1. Provision for continuous surveillance

Cyber attacks are not preceded by warnings or timelines.  Hence, the RBI recommends that banks set up continuous surveillance to stay abreast of emerging cyber threats.

XVigil helps you anticipate and mitigate threats

XVigil, CloudSEK’s digital risk monitoring platform, offers continuous monitoring across the surface and the dark web. Specifically focusing on: mentions of the bank, its brand, and its infrastructure.

 

2. Ensure protection of customer data

Financial institutions depend on technology to function smoothly. It also helps them deliver cutting-edge digital products to address their customers’ needs. However, in the process, banks collect customers’ personal and sensitive information.

Banks should take appropriate steps to ensure uncompromised confidentiality, integrity, and availability of this data. Moreover, as custodians of such information, it is incumbent on banks to preserve data, in transit and in storage, within their environment or that of third party vendors. To this end, banks should establish suitable systems and processes, across the data/ information lifecycle.

XVigil detects data leaks

XVigil proactively monitors the web for data leaks. Subsequently, it alerts banks to leaks involving their customers’ information, credit card details, or debit card details. The platform also reports 3rd party data leaks that could affect banks and their customers.

 

3. Report cybersecurity incidents to RBI

Banks also need to notify the RBI of all unusual cybersecurity activities and incidents, irrespective of the success or failure of the attempts.

XVigil generates reports to notify the RBI

XVigil prepares reports, listing major incidents that may be submitted to the RBI, adhering to compliance standards.

 

4. Manage inventory of IT assets

Banks need to maintain an up-to-date inventory of assets including their infrastructure and business applications.

XVigil scans your assets every day

XVigil performs daily asset scans, to track all internet-facing assets, including domains, sub-domains, IPs, WebApps, etc.

 

5. Prevent execution of unauthorized software

Banks should maintain an updated, and preferably centralized, inventory of authorized/ unauthorized software.

XVigil monitors for Shadow IT threats 

XVigil runs infrastructure scans every day and alerts banks to any threats. As a result, it keeps Shadow IT threats in check.

 

6. Secure configuration

Banks must document and apply baseline security requirements/ configurations to all categories of devices.

XVigil detects misconfigured assets

XVigil detects and reports misconfiguration of internet-facing assets, in addition to the Open Web Application Security Project (OWASP) top 10 vulnerabilities.

 

7. Vendor risk management

Banks are accountable for appropriate management of security risks pertaining to outsourced and partner arrangements.

XVigil detects third-party leaks 

XVigil monitors and reports on any third-party sources that leak sensitive information, thus fulfilling the RBI’s requirement to manage vendor risk.

 

8. Advanced real-time threat defence and management

The RBI advocates for banks to:

  • Build a robust defence system against the installation, spread, and execution of malicious code, at multiple points in the enterprise
  • Consider whitelisting of internet websites/ systems
  • Consider implementing secure web gateways with capabilities to deep scan network packets. Hence securing (HTTPS, etc.) traffic passing through the web/ internet gateway.
XVigil provides real-time alerts 

XVigil monitors and provides real-time alerts, on threats that impact banks’ brand or infrastructure, from various sources across the surface web and the dark web. In addition, the platform scans open ports, misconfigured SSLs, leaky S3 buckets, and  XSS vulnerabilities.

 

9. Anti-Phishing

Banks have been advised to subscribe to anti-phishing/ anti-rogue apps or services from external service providers. Since, this will help them identify and take down phishing websites/ rogue applications.

XVigil detects and initiates takedowns

XVigil detects phishing/ rogue apps, fake domains, and fake social media accounts. CloudSEK also offers takedown of such phishing websites/rouge applications.

 

10. Data leak prevention strategy

Banks should develop a comprehensive data loss/ leakage prevention strategy to safeguard sensitive, proprietary, and confidential business and customer data.

XVigil monitors data leaks

XVigil scans for data leaks, including third-party leaks, and additionally gives banks timely and actionable threat intelligence.

 

11. Vulnerability Assessment, Penetration Test, and Red Team Exercises

Banks should conduct periodic vulnerability assessment and pen-testing exercises on all the critical systems, particularly the internet-facing ones.

XVigil runs periodic tests

XVigil runs basic level vulnerability assessments, as well as pen-testing exercises, every day. And subsequently alerts banks to open ports, misconfigured SSLs, leaky S3 buckets, and  XSS vulnerabilities.

 

12. Forensics

Banks must make arrangements for forensic investigation unless they have support.

CloudSEK offers forensic services and support

CloudSEK offers forensic services, together with unlimited support.

 

13. External Integration

While delivering services to customers, several stakeholders are involved directly or otherwise. Their experience is indispensable. Besides, their integration with multiple tools would give organizations a view of the entire security landscape. Thus, encouraging better decision making.

XVigil can be integrated with ease

XVigil can be easily integrated with multiple SIEMS, SOAR and other platforms. Thus giving banks a single view of their entire security landscape.

 

Fake Image - CloudSEK

Menace of Fake Banking Services

We have all received calls from fake bank representatives, offering us complimentary credit card upgrades, free Insurance, and assistance to complete KYC (Know your customer) formalities. And to provide these services, they would have requested us for credit card or debit card details.

However, in the last few years, the general public has smartened up to this scam. And most of us don’t indulge these calls anymore. And in response to this, scammers have repackaged their scams, that are delivered to us, via other channels. The new schemes are so convincing that we reach out to them.

Let’s explore these sophisticated approaches and the various resources that allow scammers to continue defrauding us.

What makes us vulnerable?

Most people unequivocally rely on Google search for everything ranging from bank locations to restaurant reviews. So, it is only natural that scammers have started targeting Google services, to index bogus web pages that contain fake bank branches and customer care numbers. Also, it is simple to list a business on Google, because there is no detailed verification process. In 2018, police busted a scammer who was running a fake branch of Karnataka Bank in UP’s Ballia.

How are fake banking services provided?

  • The scammer buys a domain name that closely mimics the targeted bank. They replicate the bank’s trademarks, logos, and website design, to give it an air of authenticity.
  • They set up telephone numbers which are advertised on the fake website. The scammer goes the extra mile, to convince skeptical users, by mimicking original caller tunes, hold tunes, and following standard operating procedures.
  • Sometimes, scammers even set up interim branches and kiosks, employing people at different levels, so that it appears to be a legitimate operation.
  • They then list themselves on Google services with seemingly genuine location details.
  • When a customer searches for a bank branch or customer care number, these sites appear as top Google search results.
  • When the customer calls the fake number or visits a fake branch, scammers slip questions about CVVs (Card Verification Value) or ask for OTPs (One Time Password) in the middle of the conversation.
  • They may even advise users to download and install certain remote desktop sharing apps or open links that give them the control of the customer’s mobile device.
  • Scammers especially favour UPI (Unified Payment Interface) and other similar apps. They will ask for a victim’s UPI ID, and convince them to accept 1 rupee on the app. Wherein, instead of accepting money, unaware and inexperienced users, will in fact be remitting a large amount from their account.

Are there precautions we can take?

  • Stay abreast of scammers and the different types of online scams.
  • Proactively monitor the surface web and alert authorities of any scams you have identified.
  • Inform targeted banks about such scams. It will also help them to initiate the takedown of such sites and apps and ensure others don’t fall prey to these scams. 

If you have concerns about your organization’s security posture, contact us: Request a Demo now.

SIM Hijacking: An imminent threat to anybody with a phone

 

Miscreants recently siphoned INR 4.57 million from Creative Engineers’ bank account. The attackers first hacked the proprietor’s gmail account and sent an email to Airtel to confirm the SIM swap. With access to his email and phone number, they were able to gain access to his internet banking credentials, to carry out the attack. The attackers employed SIM hijacking, which is the process of deactivating a SIM and appropriating a phone number, to pass the internet banking authentication.

SIM hijacking bypass 2 step verification
Fig 1: SIM hijacking to bypass 2 step verification

If you have a phone, you are a target.

Other than being a convenient mode of communication, mobile phones also serve as authentication for a variety of services. 

Since password protection alone could not secure accounts, we introduced 2 Factor Authentication, linked to our email or phone number, to protect sensitive accounts. This includes emails, online banking accounts, and cryptocurrency exchanges.

Time has come, to assess if 2 Factor Authentication is still ironclad. Given the success of attacks such as SIM hijacking, it looks like hackers have found a way to get around that as well.

Overview

SIM Hijacking is the process through which a hacker confiscates your phone number and deactivates your SIM card, rendering it non-functional.

Getting access to your SIM is usually just one part of a larger scam. In order to siphon your bank accounts or steal sensitive information, a hacker needs access to your account details also. Without which they cannot successfully bypass 2 Factor Authentication.

SIM Hijacking is also used to steal Instagram usernames that are then sold for Bitcoin. This form of attack, though not as rampant, should be monitored, considering the potential impact.

Sophisticated strategies to compromise a phone number

  • SS7 and Diameter attacks function by attacking the underlying telecom network/protocol. This allows an attacker to take over any phone number by intercepting SMS-based tokens, account recovery codes, and calls.
  • IMSI catchers are RF devices that enable an attacker to take over a phone number by intercepting and injecting cell traffic. This method requires physical proximity to the target.

    ISMI catcher used for SIM hijacking

    Fig 3: ISMI catcher used for SIM hijacking

  • SIM Hijacking targets a carrier through conventional attacks, or by social engineering support staff, to take control of a phone number. This is known as SIM porting/hijacking, which is becoming increasingly popular with attackers.

Execution of SIM Hijacking

  • In India, hackers often contact victims, posing as executives from telecom companies, offering better network plans or discounts. They usually verify your full name, address, phone number, DOB, last four digits of social security number (SSN), Aadhaar number, or other security questions. 
  • The attacker then tries to obtain your unique 20-digit SIM number and SIM swap authentication. For example: If you are a Vodafone user, the attacker will use a new Vodafone SIM to process the SIM exchange. Vodafone will send a confirmation SMS on your phone number. And the attacker will instruct you to press a digit to authenticate the SIM swap. Vodafone will then officially initiate the SIM swap.
  • Once the swap is successful, your SIM will stop working and won’t have cell reception. On the other hand, the attacker’s new SIM will be fully functional.
  • The attacker, in most cases, will already have your banking ID and password. All they need is the OTP to perform fraudulent financial transactions. Hijacking your number allows the attackers to pass the 2-step verification process. This gives the hacker access to your accounts across Google, Twitter, Facebook, O365, online banking, and crypto currency trading platforms.

 

SIM Hijacking process flow

Fig 4. Execution of SIM Hijacking

What if the hacker has an individual’s email ID but not their phone number?
  • With your email ID the hacker will initiate a password reset process for your accounts.
  • The hacker can reset your password using a link or a secret code received via email, SMS, or phone call.
  • To reset a password with an SMS or a phone call, the prompt displays part of the phone number. Depending on the platform, the number of digits visible, may vary. This is because there is no standardized way to mask personal identifiable information (PII) such as phone numbers. For example, Paypal reveals the first digit and the last four digits. While some other platforms show the first digit and the last 2 digits.
  • Similarly, the hacker will use your email on different platforms to reveal more digits of your phone number.
  • A typical Indian mobile number format is: “+91-XXXX-NNNNNN”. The first four digits indicate an operator’s code, while the remaining six digits are unique to the subscriber. The hacker narrows the options by detecting the operator code.
  • There are many ways an attacker can verify if the shortlisted phone numbers are linked to the email address:- Using search engines to check if you have posted your phone number on a forum, website, etc.,
    – Employing online services such as Pipl or Spokeo that have huge databases with personal information
    – Using telephone system online services that allow you to reverse search the owner of a phone by its number.
  • By abusing password reset options, and by brute-forcing using publicly available information, a hacker can obtain your complete phone number.
Reverse search

When the hacker has a phone number, this process is reversed, to obtain the corresponding email ID. Services such as Amazon and Twitter allow password reset using a phone number. For this, a verification link is sent to the associated email ID. The prompt for which, displays a few characters of the email ID. Amazon provides the first and last letter of the username and the full domain. Also, the number of masked characters reveal the length of the username.

Tell-tale signs

Sign of SIM hijacking
Fig 2: Sign of SIM hijacking

While it is incumbent on telecom carriers to enforce stringent measures to prevent attacks that target phone numbers, it is also important for us, as mobile phone users, to be able to identify the signs of a SIM Hijacking attack.

You are a victim of SIM Hijacking if you:

  • Lose cell service for an extended period of time.
  • Get locked out of your email and social media accounts because the passwords have been reset.
  • Receive suspicious calls, during which the executive asks for your personal details or SIM number.

Preventive measures

Another layer of security, while helpful in the short term, won’t be fool proof. As witnessed from the breach of previous security frameworks, hackers will find a way to circumvent the new layer of security as well. So, how do we shield ourselves against SIM Hijacking:

  • Use PIN based authentication. Most carriers offer the option to protect your accounts using a passcode or PIN.
  • Using an authentication app such as Google Authenticator instead of receiving the two-factor authentication code via SMS.
  • Link sensitive accounts to a separate phone number and keep it confidential.
  • Label email addresses and phone numbers. So that the hint prompt displays labels such as “Home phone”, instead of your phone number.

Conclusion

As evident from the recent attack on Creative Engineers, hackers are increasingly resorting to SIM hijacking. And being linked to the services we use every day, makes each of our phone numbers valuable targets.

While telecom operators need to bolster the security of their networks, as users, our best defense is awareness. We can protect ourselves by taking simple precautions and by understanding how scammers orchestrate such attacks.