Black Friday Cyber Risks 2023: The Year Of The AI
It’s happened again. Black Friday spending hit $9.12 billion in 2022 ($40 billion globally) and 87 million Americans shopped online, in yet another rise that eclipsed the previous year’s spending by 2.3%. It’s probably going to go up again this year too, and because Black Friday is the gateway to the holiday shopping season, it also marks the start of the annual uptick in online security threats.
Yes, once again, the threat level to your online business and customers is about to enter the red zone. So, what should you be looking out for this year? Well, the usual suspects of course, like phishing, Magecart and web-skimming attacks, ransomware, man-in-the-middle attacks, and so on, but 2023 has also introduced some new twists to test your vigilance and the resilience of your systems. We’re talking of course about the advent of AI. This was the year when AI went mainstream, securing lots of news headlines, plenty of doomsday speculation, and a permanent place in the public consciousness.
The dawning of AI feels like the Wild West days of the early Internet, and just as in those lawless times, people are discovering the criminal potential of the new technology, and some of them could be getting ready to try it out on Black Friday.
AI-Assisted Web Supply Chain Attacks
Back in June, Vulcan Cyber reported that cybercriminals had found a novel way of using ChatGPT hallucinations to distribute malware to developers.
AI chatbots run on LLMs (large language models), neural networks trained on massive data sets and often likened to the human brain. They use the patterns learned from that training data to predict answers to questions. But just like human brains, they sometimes deliver made-up responses, and these phantom answers are known as hallucinations.
With this in mind, Vulcan’s researchers gathered popular questions from the Stack Overflow coding platform, made them about Python and Node.js, and then fed them to ChatGPT.
The result? Out of 400 answers, around 150 contained references to at least one non-existent Python or Node.js package. The team then surmised that, having recommended a fictitious package once, ChatGPT would likely present it as a legitimate answer again, so the next time a developer asked a similar question, the chatbot would again refer to these imaginary software packages.
That means cybercriminals could name their malicious code packages after these bogus recommendations and upload them to popular repositories for developers to find. The developers would assume they were trustworthy and use them. As easily as that, the packages could find their way into supply chains.
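One defensive check against the hallucinated-package problem described above, as an added example (not Reflectiz or Vulcan Cyber code): it reads a requirements.txt-style manifest and flags names that the package index has never published, names within one or two keystrokes of a popular package, and packages that are brand new or barely downloaded. The REGISTRY snapshot and SAMPLE_MANIFEST are constructed sample data; a real check would query the index or a vetted internal mirror.

```python
from datetime import date

# Constructed snapshot of index metadata: name -> (first published, weekly downloads).
REGISTRY = {
    "requests": (date(2011, 2, 14), 300_000_000),
    "flask": (date(2010, 4, 16), 60_000_000),
    "requestz": (date(2023, 10, 30), 12),   # look-alike of a popular name
    "shinylib": (date(2023, 10, 1), 500),   # real but brand new and barely used
}
POPULAR = [n for n, (_, downloads) in REGISTRY.items() if downloads > 1_000_000]

# Constructed manifest: two known packages, one look-alike, one new, one name the index never had.
SAMPLE_MANIFEST = "requests==2.31.0\nflask>=2.0  # web\nrequestz\nshinylib\nflask-ai-helper==1.0\n"

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot names one or two keystrokes from a popular package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requirements(text: str) -> list:
    """Bare, lower-cased package names from requirements.txt lines (comments and pins stripped)."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            for sep in ("==", ">=", "<=", "~=", "["):
                line = line.split(sep)[0]
            names.append(line.strip().lower())
    return names

def audit(text: str, today=None, registry=REGISTRY, popular=POPULAR) -> dict:
    """Map each suspicious dependency to a reason; names that pass every check are omitted."""
    today = today or date.today()
    findings = {}
    for name in parse_requirements(text):
        if name not in registry:
            findings[name] = "not published on the index (possible hallucinated name)"
            continue
        first_seen, downloads = registry[name]
        near = [p for p in popular if p != name and levenshtein(name, p) <= 2]
        if near:
            findings[name] = f"look-alike of popular package {near[0]}"
        elif (today - first_seen).days < 90 or downloads < 1000:
            findings[name] = "newly published or barely used; review before trusting"
    return findings
```

Running `audit(SAMPLE_MANIFEST)` leaves requests and flask unflagged and reports the other three, each with its reason.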
If your business website is like most then it relies on dozens or even hundreds of apps and code snippets created by third-party developers to deliver a safe and efficient customer experience. The idea that some of them could be laced with malware designed to quietly harvest customer payment data or surreptitiously inject ransomware into your systems is chilling.
That’s why we recommend the Reflectiz platform’s automated supply chain inventory and continuous monitoring solution—to make sure that every one of your third and fourth-party apps is legitimate. At the first sign of suspicious activity that deviates from baseline behaviors, Reflectiz alerts you.
Ransomware-as-a-service (RaaS) attacks
Ransomware attacks occur when bad actors find a way to inject malware into your system that encrypts all your data, rendering it unusable. They may also choose to steal your proprietary information or threaten to publicly release sensitive data. In either case, you’re on the hook to them until you pay the ransom, and because they are criminals, there are no guarantees that they will honor any commitments they make to you.
This has long been a problem, but now we’ve noticed a shift to as-a-service type attacks, which is likely to make them more prevalent.
For a while now, legitimate businesses have been creating ‘as-a-service’ products, things like Customer Relationship Management (CRM), Enterprise Resource Planning (ERP), and Content Management Systems (CMS). Now criminals are adopting the name format, presumably because it’s good for sales. It’s not an accurate analogy though, because they don’t offer an ongoing service, just a one-time tool or bundle of information in return for a one-time payment.
With RaaS they sell ransomware toolkits and templates, which makes sense from their point of view because while there are plenty of would-be cybercriminals, not all of them have the skills to conduct an elaborate ransomware attack. The RaaS approach reduces the risks for the vendor and makes this method available to many more criminal hopefuls.
An adjacent threat to this is access-as-a-service, where malicious actors gain access to business networks but don’t launch an attack themselves. Instead, they sell their access privileges to other parties who take it from there.
Sharper Spear Phishing
The human element is still one of the weakest links in any company’s defenses, but at least we all know it now and make efforts to train our staff to not click on suspicious links. This may explain why phishing attackers are putting more effort into duping their targets. They’ve stopped pretending to be foreign princes promising to reward you for helping them move their money overseas.
Former CIA intelligence officer Peter Warmka warns that attackers will now identify a high-value target, like a CFO or CEO, and then spend time crafting a fake social media persona that appears to have things in common with the target. They will then connect via a fake profile on LinkedIn, establish trust, and at some point, ask the target to click on a malicious link. Once that’s done, they’re in!
Hopefully, you can now see that the groundwork for compromising your online business during Black Friday and the holiday season may already be in place. Book a demo now and see how Reflectiz keeps it safe.