Scammers Are Using AI Phishing and ‘Juice Jacking’ to Target Travelers - Decrypt

06/20/2024 22:50

Email attacks are up 4,151%, says security firm SlashNext, as fake USB chargers threaten to steal smartphone data.

With the summer travel season ramping up and travelers hitting the road, cybercriminals are turning to new tech to execute scams and steal data, from artificial intelligence email attacks to fake smartphone chargers that ensnare power-hungry travelers.

The number of phishing email attacks has increased by 856% over the last year, according to a recent report by cybersecurity firm SlashNext, which said the surge is driven in part by generative AI. The tech allows scammers to craft phishing emails in multiple languages at the same time, leading to a 4,151% increase in malicious emails since the launch of ChatGPT in 2022.

“A threat actor can prompt AI to write an email very quickly, and in any language, with almost zero cost,” SlashNext CEO Patrick Harr told Decrypt in an interview. “You will see these [phishing emails] are not just in English only—I can write in a number of languages and target a number of people in different parts of the world, and I can do it literally within seconds.”

A recent report by the International Business Times highlighted a sharp increase in phishing attacks targeting both business and leisure travelers with fake website listings that offer massive discounts, for example $200 a night in the Swiss Alps when other sites say $1,000 a night.

“If there's even a little bit of doubt, call the property, hosts, and customer support,” Booking.com’s chief information security officer Marnie Wilking told IBT.

Booking.com did not immediately respond to a request for comment from Decrypt.

A phishing attack involves messages sent to unsuspecting victims who click on a link that connects to a malicious website or application, tricking users into submitting personal or security information, such as passwords.

In January, cybercriminals targeted crypto email lists using the Mailerlite service, taking over $700,000 from phishing victims.

A newer form of phishing, “smishing” or text message phishing, Harr said, is an increasingly popular and dangerous way to attack mobile phones.

“We have obviously shifted to a mobile world long ago and people are so used to using text messages, and these bad actors always go to where you're comfortable and try to interject themselves,” Harr said. “The thing we've seen as a change inside of ‘smishing’ is it's no longer just a ‘click here’ because your gift package is on the doorstep.”

After businesses embraced QR codes during the COVID-19 pandemic, Harr said the ubiquitous symbols are now being deployed by scammers.

“80% of all phones have really no protection at all from phishing,” Harr said, citing a recent report by Verizon. “So that's the reason why they're using QR codes—trying to either get you to pay for something, reveal sensitive information about yourself, or steal your password.”

Juice jacking

While phishing attacks remain far and away the most prevalent attack vector used by cybercriminals, the U.S. Federal Communications Commission (FCC) recently issued a warning about “juice jacking,” which often targets travelers looking to recharge their devices at airports and hotels.

Attackers are taking advantage of the technology built into the universal USB standard, which provides for transmitting power as well as data. A maliciously configured USB port or cable could, when plugged into a victim’s device, steal information or install unwanted software.

Avoid using free charging stations in airports, hotels or shopping centers. Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead.

— FBI Denver (@FBIDenver) April 6, 2023

To avoid this emerging type of attack, the FCC suggests using personal chargers plugged into basic power outlets, using portable batteries, or using data blockers that ensure a USB connection is limited only to power transfer.

Year-round vigilance

Decrypt reached out to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) for more advice.

A CISA spokesperson pointed to resources it provides to help consumers better protect themselves from phishing scams, including recognizing common phishing signs like urgent or emotional language, requests for personal information, and incorrect email addresses.

Misspelled words used to be a clear sign of a phishing attack, but CISA said this was no longer the case due to the widespread use of AI.

“This isn’t just for summer, this is something people can do all year round to be more secure,” the CISA spokesperson told Decrypt.

Edited by Ryan Ozawa.
