Phishermen’s Friend: AI

Phishing

The publication of celebrities' private data should be a good reminder of the resolutions we all made at the turn of the year. But that is not what motivated me to write this article; it was some phishing mails I probably got from you. You are prominent too!

Me, prominent? Nobody wants anything from me.

I’m afraid that’s short-sighted. Almost everything that goes through your mailboxes or Facebook messages also contains information about others – even if it is only their email address. Many of you readers also look after customers – protecting this data is not only a matter of decency, but is also vital for business.

Well, then the bad guy just learns the email addresses of the others. What can he do with it?

Well, he can write to them! Did the email contain names, was it about orders, was an invoice included? All wonderful starting points for phishing.

Phishing?

That means, to put it very briefly, fleecing the stupid.

Uh, me? What does he want once he has phished me?

Always money in the end. And the phisher needs access to your computer or mobile phone. That of course means access via the network (he doesn’t need a screen).

Sure, to get to my banking app!

That would be an idea – but it’s rather elaborate and leaves too many traces. It is easier to encrypt the hard disk and extort a ransom. But it doesn’t have to be this immediate super-disaster – the obvious move is to search the computer for more email addresses and thus new potential victims. He can install a program that records passwords from keyboard input. Hijacked computers can also be rented out – for money.

Who rents something like this?

If you want to send a lot of new phishing emails (say a few 10,000), and want to do so in a way that cannot be traced back to you, you need a lot of computers. It’s better not to attack large institutions with your own computer. Or to have bitcoins mined… Is your computer sometimes strangely busy when you’re not doing anything?

Hm, I don’t know. What do I have to do so that I’m not one of the stupid ones?

Rule 1: Keep all your software up to date! On all computers and mobile phones! Even on computers that are supposedly never connected to the Internet, if they have a network cable or a USB port. If the software doesn’t check for updates itself (as modern browsers or MS Office do), check daily.

Rule 2: Never click on email attachments unless you know exactly what will happen. It’s best to only open attachments like pictures or PDFs.

But I’m already doing that!

Very good. Now rule 3: Don’t automatically trust emails from friends! Are there any new attachments? Is there a strange link in it? Ask back if necessary. And take your computer’s questions seriously (“Should scripts be executed in this Word document?”)!

Isn’t that an exaggeration?

Maybe, but it can save a lot of trouble. In addition, we will see many more really good fake mails in the future.

So fake emails? Who writes them all?

A computer program, probably even on an already hijacked computer. And it will use the programmers’ latest trick: artificial intelligence.

Wow!

Well, that sounds a little dramatic. Mostly we mean “machine learning”, and that again is just well-done statistics and mathematics. Writing phishing mails is, so to speak, something you can do especially well with AI: you design 10 variants with the help of the additional information and send them to 10000 victims. The variants that work particularly well are then (automatically) developed further (this is the learning effect)…

…and at some point the result is so perfect that they get me.

That’s it. But if your mail program is well maintained and up to date, it will certainly warn you – the good side hopefully knows the tricks too.

Well, then, three rules, that sounds manageable. Now I am safe.

Rule 4: Stay vigilant and disciplined, and be honest about your own mistakes. It is better to reinstall a computer when something dubious has happened. This works best with a backup, mainly of the data, on a medium that is not always connected.

Oops, you got me.

Rule 5: Don’t get paranoid. We have to continue doing business, and our customers want to use their computers as well. That’s why it helps to invest 15 minutes every month to find out what’s new in data protection and computer security. And make sure that employees have not forgotten these rules again. And think about the worst case… but the GDPR requires that anyway.

There are not only these 5 rules, of course, but they are some of the most important. Sorry if this all comes across as a bit schoolmasterly. But we all need the Internet to work – and it’s really not so complicated. – Bob