Accounts Payable Security Report: October 2023

Shanna Hall

Each month, the team at Eftsure monitors the headlines for the latest accounts payable (AP) news. We bring you all the essential stories in our Security Report so your team can stay secure.

WormGPT phishing sites signal growing demand for malicious AI

Kaspersky’s monitoring team has detected phishing websites that peddle counterfeit access to WormGPT, the AI chatbot that some have called the ‘evil twin’ of ChatGPT. Unlike the tightly moderated ChatGPT, WormGPT was specifically designed to aid illicit cyber activities like phishing and hacking.

But there’s rarely honour among thieves. Now, scammers are trying to scam users seeking out the malicious AI tool. Fake websites – which lure users looking to download WormGPT – vary in design, pricing structures and payment currencies, with some demanding upfront fees for trial access. While immediate risks to legitimate organisations are low, the development underscores an escalating demand for black-hat alternatives to large language models (LLMs) like ChatGPT.

Cyber insurance premiums flatten – for some

Cyber insurance premiums are finally stabilising after a turbulent period, but insurers are saying you’ll need to demonstrate robust cybersecurity measures to benefit from the shift. Kelly Butler, the leader of insurance broker Marsh McLennan’s UK cyber practice, notes that premiums are flattening, but a strong level of cyber maturity is crucial to maintain coverage.

The insurance industry grappled with a ransomware surge in 2021, which led to soaring premiums. The cost of cyber insurance more than doubled, ushering in a painful correction as insurers realised they had underestimated the true risk. While premiums have started to decline, insurers remain cautious. Many will require policy-holders to demonstrate strong cybersecurity measures for adequate coverage, akin to having deadlocks on doors and windows for home contents insurance.

In other words, businesses can’t simply take out a policy and call it a day. As we covered in an earlier analysis, cyber insurance is one way to protect your organisation, but it goes hand-in-hand with investing in preventive measures.

QLD moves forward with mandatory data breach notifications

The Queensland government has introduced mandatory data breach notification legislation, aligning with recommendations from the Coaldrake review of culture and accountability in the Queensland public sector.

This move follows recent high-profile data breaches and aims to tighten regulation around how the state’s government agencies handle future breaches, requiring clear, consistent notifications of data breaches. If an agency suspects a breach, it must take containment steps and assess the incident within 30 days, with provisions for extending the assessment period. Exemptions exist, including scenarios that may compromise cybersecurity or lead to further breaches. Additionally, agencies will be mandated to maintain a breach register and publish a data breach policy.

Currently, only New South Wales has introduced a similar scheme.

Home Affairs targeted in DDoS attack

In early October, a distributed denial-of-service (DDoS) incident disrupted the online operations of Australia’s Department of Home Affairs – this included users’ ability to access online visa and citizenship applications. In a DDoS attack, malicious actors flood a server with traffic to prevent users from accessing connected sites or services.

Shortly before the attack, a pro-Russia hacker group posted on Telegram that it would be targeting the department due to Australia’s support for Ukraine. The Home Affairs website was offline for approximately five hours before being restored, but the department has said that no personal or sensitive data was compromised.

This incident also affected the Administrative Appeals Tribunal (AAT) website, forcing it to temporarily shut down one of its systems. The AAT has since restored its services. As of this article’s publication, investigations are still ongoing.

Hackers tout stolen data from 23andMe

Genetic testing giant 23andMe is grappling with a security incident involving a potential data breach, which hackers advertised on a cybercrime forum. However, the stolen data may have been circulating for a much longer period.

On August 11, a hacker on the Hydra forum claimed to possess 300 terabytes of stolen 23andMe user data and sought $50 million for it. That user shared the genetic data of a senior Silicon Valley executive, matching information found in datasets advertised on BreachForums, albeit structured differently. The extent of the actual data compromised remains uncertain since hackers sometimes exaggerate their holdings to boost sales on hacking forums.

23andMe has not confirmed the legitimacy of the leaked data and is conducting an ongoing investigation. They declined to comment on their awareness of the earlier hacking forum post, although they’ve encouraged users to reset their passwords and enable multi-factor authentication.

“Good” deepfake startup goes rogue

Promising to “never reenact someone without their consent,” UK startup Yepic AI built its brand around the idea of only using deepfakes “for good.” However, in an unprompted email pitch to a TechCrunch reporter, a representative for Yepic AI shared two deepfaked videos of that same reporter – despite the reporter never giving consent to their likeness being reproduced.

The pitch email explained that Yepic used a “publicly available photo” to produce two deepfaked videos of the reporter speaking different languages. Although Yepic AI stated on its website and in a blog post that it wouldn’t create custom avatars without permission, it remains uncertain if they’ve created similar content without others’ consent.

The startup’s CEO explained that the videos were made by their PR team to showcase their technology, saying that all videos and related images were subsequently deleted.

But the incident reveals something much more concerning than an overzealous PR team. Deepfakes can deceive individuals, evade moderation systems and create a frightening new frontier of scams and cybercrime. This sort of media is also starting to look more and more realistic – and it’s easier than ever to produce. Are finance teams prepared for a world in which even video calls and verbal verifications are untrustworthy?
