Ransomware chatbot negotiators, HR scams, LLM credential-stuffing: What’s new in cybercrime

How criminals are using AI and large language models to scam your clients more efficiently and effectively

By David Gambrill | September 22, 2025 | Last updated on October 1, 2025

“Hello. My name is CROOK, your virtual assistant. How can I help you today? Please select from the following options. Do you want to:

1) Inquire about a ransomware demand?
2) Negotiate a ransomware payment?
3) Make a ransomware payment?

I see you selected 2) Negotiate a ransomware demand. Please enter the eight-digit Hacker Identification Code associated with your account…”

A scene from a (now cancelled) talk show comedy routine? No, cybercrime experts warn. Criminals are now using AI to automate their processes to make their criminal operations more efficient.

Chatbot ransomware negotiators

“What I found interesting on the extortion side of the house [is cybercriminal] actors [are] using AI chatbots to basically negotiate with the negotiator,” Paul Caiazzo, chief threat officer at Quorum Cyber, told delegates attending the National Insurance Conference of Canada in Gatineau, Que., last Thursday.

“We often find we’re initially interacting with the AI chatbot in this situation, which is a new development over the last year. Previously, it was just a TA [technical assistant], or somebody that works for the criminal organization we are interacting with, but more commonly we’re interacting with an AI chatbot.”

In response, ransomware negotiators are employing large language models (LLMs) to identify and track criminal organizations using chatbot technology to negotiate payments, since that will change negotiators’ tactics, Caiazzo says.

“You can actually see when it sort of pivots from the kind of initial intake from the customer service standpoint, on the TA side, to actually doing [negotiations] with a real person [because] either financial thresholds have been surpassed, or the amount of time taken during that negotiation process [indicates the cybercriminals] actually need to have a human interaction with us.”

Deepfakes will only become more common as cybercriminals explore ways to amplify their social engineering and phishing attacks, Caiazzo says.

Cybercrime experts are now seeing three common themes, says NICC panellist Luigi Lenguito, CEO of Bfore AI. They are seeing changes in the volume, variety, and velocity of cyberattacks.

Cyberattacks: Volume

Regarding volume, technology is making it easier to become a cybercriminal, thus expanding the threat, Lenguito says.

“Historically, you would have all the data script activities [done] by less-than-experienced people who recycle software built by a criminal organization,” he says. “What you’re seeing now [are] autonomous tools [and] people building their own criminal tools.

“Actually, you may not know, but there is a leader in that area in Canada called ‘SheBytes.’ They have created a toolkit to create phishing attacks, fully autonomous, and [can be used to] create huge campaigns to steal from and defraud people.

“It’s still somewhere in Canada. So, I’m not sure if you’re proud of it, but we expect a huge following of attacks.
We have seen them already in the last nine months, a 600% [increase] in attacks on infrastructure compared to the previous month.”

Variety

Cybercriminals are also introducing a variety of new methods to steal money from people. For example, they are now infiltrating the human resources sector to gather information about target individuals or companies.

“There is either impersonation of your firm, where someone is trying to trick candidates to apply to the firm, and then maybe [an individual recruit] will be selected,” he says. And then the fake company asks for the candidate’s personal information or money to start the onboarding process.

“And it works the other way around,” Lenguito adds. “Criminals impersonate candidates to be hired.” Once hired, they gain access to systems via ID and password credentials, for example.

Velocity

Finally, the velocity of cyberattacks is expanding rapidly, Lenguito says. As tech becomes more sophisticated, criminal attack vectors such as credential stuffing are increasingly successful.

“Previously, criminals had to spend time to understand the infrastructure of their potential victims,” Lenguito says. “They had to explore vulnerabilities. All of this now can be automated at scale.”

Lenguito cited the example of a credential-stuffing attack, in which cybercriminals use stolen usernames and passwords from one website to fraudulently gain access to user accounts on other sites.

“Historically, cyberthieves might randomly try to guess at passwords or usernames to get access to the system,” he said. The success rate of that kind of attack, he says, moved from “5%, so extremely rare, to over 50%.

“How that happened is because [cybercriminals] trained an LLM on the last 10 years of leakage of usernames and passwords with millions of users in the world.”

David Gambrill has twice served as Canadian Underwriter’s senior editor, from 2005 to 2012 and again from 2017 to the present.