Artificial intelligence (AI) is often praised for its ability to streamlining things, automating menial tasks (i.e. filling out a calendar) and just overall making your life easier. But now there are reports of hackers using a similar tool called WormGPT to their advantage. Think of it as an off-the-leash variant of ChatGPT that hackers specifically use to write phishing attacks—not to mention many other nefarious activities.
These phishing attacks involve fraudulent emails, texts, and phone calls that trick you into downloading malware, sharing sensitive information—i.e. your social security number, login credentials, credit card number—and any other action that could expose you to cybercriminals. WormGPT is specifically being used to write Business Email Compromise (BEC) attacks, which are phishing attacks aimed at exploiting large businesses.
These types of emails are often personalized for the recipient to lull them into a false sense of security and click on a link that leads to an attack. Now with the power of AI, the frequency of these attacks has expanded exponentially says Maanak Gupta, an assistant professor of computer science at Tennessee Tech
What Is WormGPT?
WormGPT is an AI module based on a 2021 GPT-J language model. GPT-J is an open-source large language model that’s able to generate human-like text just as ChatGPT would. Being open source—unlike OpenAI, the lab that runs ChatGPT—means anyone can inspect, share, and even modify the source code. That combined with the lack of any anti-abuse restrictions—preventing ChatGPT from using bad words, writing hate speech, writing viruses—means WormGPT is able to do whatever hackers ask it to.
While many are talking about WormGPT’s ability to write targeted BEC attacks, these are really just the tip of the iceberg. WormGPT brings a number of other advanced features, including unlimited character support, chat memory retention, and code formatting capabilities. Its ability to write and format code is especially important as this means it’s able to write malware attacks.
It’s important to note that WormGPT’s output isn’t more complex than anything a human could come up with. The beauty of these types of programs—used for good—is their ease of use and speed rather than the complexity of what they can come up with. WormGPT is especially scary because it lowers the barriers to entry, meaning essentially anyone can download it on their computer and wreak havoc.
Other Exploits for Hackers
Along with WormGPT, hackers are also able to exploit ChatGPT to do some of their dirty work. This involves “jailbreaking” existing large-language-model (LLM) platforms like ChatGPT to unlock new functionalities; this would allow for tools that could extract sensitive information, manipulate ChatGPT itself to generate inappropriate content, disclose sensitive information, and even execute harmful code.
What’s even scarier is these jailbreaks don’t include code of any sort and are merely just prompts that you would copy-paste into ChatGPT as normal. Most of these prompts were posted on GitHub—a website that helps developers store, manage, and sometimes share their code. This makes it really easy for anyone to hop on Google and find these prompts. After doing some investigation ourselves, we’re pleased to report that ChatGPT appears to have put in safeguards for these attacks and many of them simply responded “I’m sorry but I can’t assist with that request.”
The Best Defense Against WormGPT
“The workforce needs to be trained to use these generative AI LLM based tools for both the cyber defense and offense,” says Gupta. Gupta mentioned that the best defenders in the cybersecurity space think like the attackers—and that’s the key to success when it comes to fighting back. Thankfully, cybersecurity experts have turned the tables, using AI to recognize and fight possible attacks before they happen.
Despite AI’s ability to crank out BEC attacks faster than ever, the best defense mechanism for these attacks remains the same: be alert and don’t click on any questionable links. “The lack of awareness among the employees and organizations is the best way for an adversary to get into the system,” says Gupta.
You might find those seemingly endless cybersecurity trainings to be a pain in your backside, but it could end up saving your company from a catastrophic data breach.
Matt Crisara is a native Austinite who has an unbridled passion for cars and motorsports, both foreign and domestic. He was previously a contributing writer for Motor1 following internships at Circuit Of The Americas F1 Track and Speed City, an Austin radio broadcaster focused on the world of motor racing. He earned a bachelor’s degree from the University of Arizona School of Journalism, where he raced mountain bikes with the University Club Team. When he isn’t working, he enjoys sim-racing, FPV drones, and the great outdoors.
