AI-Enabled Phone Scams

All the fun of phone scams, now with AI!

I’ve been staring at this intro for 15 minutes and have nothing witty to say. But I did find the perfect gif to reflect this moment. Don’t worry, there’s actual content below.

Today in the cyber world, we’re covering:

  • Researchers automate phone scams. Oh, joy.

  • Canadian hacker arrested, eh.

  • Is your air fryer spying on you? Probably.

-Jason

p.s. this AI-generated version of Gordon Ramsay was just too Gordon Ramsay for LinkedIn, so we’ll keep this here among friends. The spaghetti hands are what did it for me ✋🍝✋

AI Spotlight
AI-Enabled Scam Calls

AI continues advancing faster than that mold on the cheese you were saving for weekend scrambled eggs. And like that moldy cheese, some AI capabilities will ruin a good time.

Recent research explored how voice-enabled AI agents, combined with agents that can interact with a web browser, could be used to automate common phone-based scams, as if we needed more reasons not to pick up phone calls from unknown numbers. As you can see from the diagram below, the architecture was quite simple.

The scams were simple: classic social engineering attempts to trick a user into giving up their credentials, which an attacker, or in this case an AI agent, would use to log into the victim’s account. Depending on the type of scam, this could end with financial loss or an attacker taking over your account.

Across five attempts each at five different scams, the researchers achieved a 36% success rate, as you can see below.

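| Scam                            | Success Rate | Time (s) |
|---------------------------------|--------------|----------|
| Crypto transfer                 | 40%          | 122      |
| Credential stealing (Gmail)     | 60%          | 112      |
| Credential stealing (Instagram) | 40%          | 77       |
| Bank transfer (Bank of America) | 20%          | 183      |
| IRS imposter                    | 20%          | 86       |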

Now is a great time to brush up on your telemarketing excuses on why you can’t talk right now…like how you’re just sitting down to eat or just asking them what they’re wearing…which now I’m genuinely curious how ChatGPT would respond. 🤔

This comes at the same time that Google announced they graduated their Naptime automated AI vulnerability finder to Big Sleep, which they claim found the first real-world vulnerability discovered by an AI agent.

Security Deep Dive
Snowflake Hacker Busted!

Remember those Snowflake account breaches that happened earlier this year?

As a quick recap, some dude pulled a bunch of Snowflake account credentials from infostealer logs, found the accounts that did not have MFA enabled, and then stole A LOT of data from Snowflake. This ended in the hacker extorting the companies for some big dollars.

Welp, the hacker behind those was finally caught and arrested…so let’s meet our attacker!

It’s 26-year-old Alexander Moucka, a.k.a. Connor Riley Moucka, from Ontario, Canada. Just three months ago, Krebs on Security connected with Connor and began doing what he does best…get the tea. Here are some highlights about Mr. Moucka:

  • He claims to have made $4 million from the Snowflake extortions.

  • He speaks Russian, French, and English.

  • He’s not interested in selling stolen information and prefers to stick to ransoms unless it’s crypto databases or credit cards… apparently, the buyers of that data have real money to pay.

  • He never goes outside.

  • He doesn’t like people and “never had a friend or true relationship not online or in person.”

That got a bit dark and awkward towards the end… While this sounds like your stereotypical hacker in his mom’s basement scenario… and it almost is…there’s one key difference. He lives with roommates instead of his mom.

This reminds me of the 17-year-old autistic Lapsus hacker who, while in police custody for hacking into major tech companies, hacked into Rockstar to steal information related to Grand Theft Auto…and did it using an Amazon Firestick, his hotel TV, and a mobile phone…

But yeah, let’s keep telling ourselves that all hackers are super-minded, sophisticated criminals.

Security News
What Else is Happening?

🍳 Consumer researchers found that some Chinese smart air fryers’ mobile apps (why you need this is beyond me) requested customers’ precise location and wanted the ability to record audio on the user’s phone. I presume it wasn’t so it could record the cronches of them eating dinner.

🥖 A new hacking group, Hellcat, compromised Schneider Electric’s Atlassian JIRA instance and stole over 40 GB of data. Their initial ransom demand was $125K in baguettes…we have reached the pinnacle of ransomware demands.

🎨 The first artwork painted by a humanoid robot named Ai-Da sold for over $1M.

🇨🇦 Canada just kicked TikTok out of the country, requiring it to close its offices there. Canadians won’t fall behind on the latest viral trend, though, as residents can still use the app.

👮 Over five months this year, Interpol took down over 22K IP addresses/servers tied to cybercriminals. Operation Synergia II targeted the infrastructure behind phishing campaigns, ransomware, and infostealers.

See you next week, nerd!
