CEO of SlashNext: The Rise of Generative AI and Quishing in 2024

Year after year, cybercrime continues to accelerate as cybercriminals become more sophisticated and targeted in their attacks. 2023 was no exception, especially with the introduction of generative AI technologies like ChatGPT, which have enabled attackers to deliver fast-moving cyber threats. As we inch closer to a new year, here are a few trends and predictions about cyber threats that organizations should keep in mind to improve their security posture.


Patrick Harr, CEO of SlashNext


Beware the Weaponization of Generative Artificial Intelligence in 2024


The top threat this year and going forward is the weaponization of generative AI to drive more sophisticated phishing attacks, along with the question of how we will address that concern from a security standpoint. We know that human training is not enough to prevent business email compromise (BEC) attacks from succeeding. According to the FBI’s Internet Crime Report, BEC alone accounted for approximately $2.7B in losses in 2022, with another $52M in losses from other types of phishing. With rewards like this, cybercriminals are increasingly doubling down on phishing and BEC attempts – and generative AI is only further greasing the wheels.

In 2024 we will see more, not less, of such human compromise attacks that are a lot more sophisticated and targeted due to the use of gen AI. We will need to rethink our roadmaps as to how we can counter this problem. We should expect an acceleration of gen AI-based attacks becoming more prevalent and targeted, and unfortunately more successful. The attackers are moving from a spray-and-pray approach that relied on high-volume phishing emails, to now instead targeting people with specific information about someone’s identity or bank account or personal details, which makes the scams much more convincing.

We will see a significant increase in both the targeted nature of these social engineering attacks and their sophistication, and ultimately their success. Email will continue to be the top threat vector, but we are seeing these attacks anywhere now, including text messages, voice messages, work collaboration tools like Slack and social media. Anywhere you can get messaged on both the personal and business side, you can get attacked.

Highly Targeted Attacks Created with Gen AI and Personal Information


Phishing and BEC attacks are becoming more sophisticated because attackers are using personal information pulled from the Dark Web (stolen financial information, social security numbers, addresses, etc.), LinkedIn and other internet sources to create targeted personal profiles that are highly detailed and convincing. They also use trusted services such as Outlook.com or Gmail for greater credibility and legitimacy. And finally, cybercriminals have moved to more multi-stage attacks in which they first engage by email, but then convince victims to speak or message with them over the phone where they can create more direct verbal trust, foster a greater sense of urgency, and where victims have less protection. They are using AI to generate these attacks, but often with the goal to get you on the phone with a live person.

We should also expect the rise of 3D attacks, meaning not just text but also voice and video. This will be the new frontier of phishing. We are already seeing highly realistic deepfakes, or video impersonations, of celebrities and executive leadership. As this technology becomes more widely available and less expensive, criminals will leverage it to impersonate trusted contacts of their intended victims. In 2024 we will assuredly see a rise of 3D phishing and social engineering that combines the immersion of voice, video, and text-based messages.

The Rise of Quishing and QRLJacking


Another new twist involves the malicious use of QR codes, including quishing and QRLJacking. QR codes, or quick response codes, have become ubiquitous in recent years. Quishing adopts phishing techniques to manipulate QR codes for cyberattacks.

A typical quishing attack involves the attacker generating a QR code embedded with either a phishing link or malware download that is distributed through phishing emails, ads, social media, restaurant menus, posters, etc. In August 2023, researchers uncovered a phishing campaign that used malicious QR codes to target large companies, including a major U.S. energy firm. Similarly, QRLJacking, or quick response code login jacking, is a social engineering method that exploits the “login with QR code” feature used by many apps and websites, which can lead to full account hijacking.

Long-Range Concerns About Nation-States and Even Self-Aware Bots


It may sound like the plot of a science fiction thriller, but soon we absolutely will see the rise of generative AI-fueled malware that can essentially think and act on its own. This is a threat the U.S. should be particularly concerned about from nation-state adversaries. We will see attack patterns that get more polymorphic, meaning the artificial intelligence carefully evaluates the target environment and then thinks on its own to find the ultimate hole into the network, or the best area to exploit, and transforms accordingly. Rather than having a human crunching code, we will see self-learning probes that can figure out how to exploit vulnerabilities based on changes in their environment.

The final piece is the use of AI by nation-states for surveillance and espionage, and ultimately to become the arbiter of the truth for thought control. If the source of an AI answer is unknown and opaque, but the public is only given that one answer by the arbiter of truth, then the leadership can always give you what they want you to know or hear – and now you have thought control.

By applying large language models (LLMs) with computer vision tools and natural language processing, we will see rapid development as we move toward more self-aware bots. That presents the classic philosophical sci-fi question of where humans fit in with these super-smart machines. As a result, we will see the use of these AI tools for more nefarious purposes that are increasingly targeted and successful.

Bad actors will be able to do these things at scale with near zero cost, so companies will need to rethink their security roadmaps and the tooling they have used historically. This brings up the common theme of “shift left” in security, meaning building defense right into the code by conducting testing in the software development phase. Security is a multi-layered discipline to protect code throughout its lifecycle, so it is better to build security upstream to protect against downstream exploits.

The second big change is that everything in security needs to become more human ID-centric rather than network-centric. At the end of the day, we are far better off by providing access through human identity-centric methods and using AI to make that human a super-human. So rather than relying on a training simulation approach for users, we can rely on AI augmentation for that, so users don’t have to be tricked into clicking on bad phishing links, for example.

We have to shift our posture from a network-centric to a human-centric security posture. We will put an AI bubble around the user to become a super-human with an extra pair of computer vision eyes, and an ability to listen with spoken language contextualization by using AI. Everyone has talked about a personal co-pilot to help from a security posture, and we will see the rise of these AI co-pilots to augment humans and help users make the best decisions.

This problem will not go away and will only get worse. Anywhere there is money and opportunity and data, which is across every industry, there will be attacks. This is a horizontal problem for all industries, not a vertical problem. The bad guys will always look for wherever the most sensitive data is based to target their attacks.

There is no doubt that we have entered a dangerous new era of cyberattacks, and it is crucial that organizations and consumers be prepared to defend themselves against the ever-evolving cyber threat landscape.
