LLMs Streamline Entry into Cybercrime


Egress has indicated that cybercriminals use advanced attack methodologies that challenge traditional perimeter security, such as secure email gateways. LLMs, including chatbots, have lowered the barrier to entry into cybercrime by helping individuals produce sophisticated phishing campaigns and malware that would otherwise be beyond the skills of less capable coders.

Jack Chapman, Egress’ VP of Threat Intelligence, has shared that a significant but underdiscussed application of LLMs is their use in reconnaissance for precision-targeted attacks. LLMs can rapidly gather open-source information about specific targets, which can then be used as the basis for the social engineering schemes that have become increasingly prevalent. How effective LLMs are in cybercrime largely depends on the defenses in place. Organizations that depend on traditional perimeter detection, which relies on signatures and sender reputation, need to seriously consider cloud email security solutions that do not rely on definition libraries and domain checks to authenticate emails.

Evolving Attack Methods

To address the changing threat landscape, it’s imperative for the cybersecurity sector to collaborate and manage email-related human risk.

2023 witnessed a myriad of phishing attacks, ranging from RingCentral impersonations to the misuse of social media for security software impersonation and sextortion. The dominant phishing theme of the year has been missed voice messages, comprising 18.4% of attacks from January to September. A notable number of these attacks employed HTML smuggling techniques.

The ability of cybercriminals to use chatbots to craft phishing campaigns has raised concerns. Research suggests that determining whether a phishing email was composed by a chatbot is nearly impossible. Tools built to detect LLM-generated text typically need lengthy samples, around 250 characters, to work reliably. Because 71.4% of phishing emails fall short of this length, many AI detectors struggle to identify them accurately.

There has been a 24.4% rise in phishing emails using obfuscation in 2023, bringing the total to 55.2%. Such techniques allow attackers to camouflage their activities from several detection methods. Analysis by Egress revealed that 47% of these emails contained dual layers of obfuscation to improve successful delivery odds, while 31% employed just one. HTML smuggling stood out as the preferred obfuscation technique, covering 34% of cases.
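As an added example (not code from Egress or the original article), the following scanner looks for the browser-side file-assembly pattern that characterises HTML smuggling in an HTML attachment and reports a verdict; the indicator names, thresholds and the constructed samples are my own assumptions.

```python
import re
from html.parser import HTMLParser

# Regexes for the browser-side file assembly that characterises HTML smuggling
# (MITRE ATT&CK T1027.006): decode an embedded blob, wrap it in a Blob/object
# URL and trigger a download, so no network fetch passes through the gateway.
INDICATORS = {
    "base64_decode":   re.compile(r"\batob\s*\(|Uint8Array\.from\s*\(", re.I),
    "blob_assembly":   re.compile(r"\bnew\s+Blob\s*\(", re.I),
    "object_url":      re.compile(r"createObjectURL\s*\(|msSaveOrOpenBlob", re.I),
    "forced_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    "embedded_blob":   re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),  # inline payload
}

class _ScriptSplitter(HTMLParser):
    """Separate <script> bodies from the text a recipient would actually see."""
    def __init__(self):
        super().__init__()
        self.in_script, self.script, self.visible = False, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        (self.script if self.in_script else self.visible).append(data)

def scan_html(html):
    """Return matched indicator names and a verdict for one HTML attachment."""
    parser = _ScriptSplitter()
    parser.feed(html)
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    # A single hit is common in benign mail (e.g. a plain download link), so
    # the full decode -> assemble -> deliver chain is required for a positive.
    chain = {"base64_decode", "blob_assembly", "object_url"} & set(hits)
    if len(chain) == 3 or ("embedded_blob" in hits and len(chain) >= 2):
        verdict = "html_smuggling"
    else:
        verdict = "suspicious" if len(hits) >= 2 else "clean"
    return {"verdict": verdict, "hits": hits,
            "script_bytes": len("".join(parser.script)),
            "visible_chars": len("".join(parser.visible).strip())}

# Constructed samples: a minimal voicemail-themed lure that rebuilds a harmless
# text file in the browser (the base64 decodes to "hello from the test"), and
# a benign notification with an ordinary download link.
SAMPLE_SMUGGLED = """<html><body><p>Voicemail ready</p><script>
var b64 = "aGVsbG8gZnJvbSB0aGUgdGVzdA==";
var bytes = Uint8Array.from(atob(b64), function(c){return c.charCodeAt(0);});
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "voicemail.txt"; a.click();
</script></body></html>"""
SAMPLE_BENIGN = """<html><body><p>Your invoice is attached.</p>
<a href="https://example.com/invoice.pdf" download="invoice.pdf">Download</a>
</body></html>"""
```

Running `scan_html(SAMPLE_SMUGGLED)` returns the verdict `html_smuggling` with all four behavioural indicators matched, while the benign sample scores a single hit and stays `clean`.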

Understanding Graymail

To fathom graymail’s influence on cybersecurity, Egress scrutinized 63.8 million emails received by companies over a month. Their findings suggest that about 34% of emails qualify as graymail, which includes bulk but solicited emails like notifications and promotional messages. A notable trend identified was that graymail volumes directly correspond with the quantity of phishing emails received, implying that individuals with cluttered inboxes are prime targets for phishing endeavors.

Traditional Detection Systems Inadequate

Despite the consistent volume of phishing emails, their complexity is increasing, with attackers employing diverse tactics to breach perimeter email security.

Comparing 2022 to 2023, emails bypassing Microsoft’s defenses rose by 25%, and those evading secure email gateways increased by 29%. Phishing attacks originating from compromised accounts witnessed an 11% uptick in 2023. Since compromised accounts represent trusted domains, they typically evade traditional detection. Phishing links remain the most popular payload type, and all payloads have managed to evade signature-based detection in some manner.

Chapman further noted that the report aims to arm cybersecurity professionals with insights into advanced threats. Real-time teachable moments improve a user’s ability to recognize phishing emails accurately. Traditional email security focuses excessively on quarantines that keep end users from ever seeing phishing emails; however, some phishing emails are bound to breach defenses. This understanding led to a change in the quarantine model, integrating dynamic banners that mitigate threats directly within the inbox. Such banners offer clear explanations of the risk that are timely, easy to understand, and relevant. The goal is to educate users, since teaching individuals to identify phishing schemes offers a sustainable strategy for lasting security.