Warning for those using ChatGPT

The federal government has recently issued an advisory warning users of the cyber security threats of ChatGPT, an artificial intelligence (AI) tool for writing launched last year.

In its advisory, the Cabinet Division warned that even though the Microsoft-backed AI tool has gained "explosive" popularity since its launch, it carried critical risks in the realms of leading cyber threats, such as phishing and malware development.

"To prevent the menace of such AI-enabled exploitation, extreme caution, due diligence and due care is to be practiced on a proactive basis," the advisory stated.

It further shared guidelines for users' safety.

ChatGPT-malicious capabilities

Following is a non-exhaustive list of ways malicious actors can use ChatGPT:

a. Malware generation: Malware generation by ChatGPT is no longer a mere theoretical possibility. Its use is already gaining traction and is under discussion in various Dark Web forums.

b. Phishing emails: ChatGPT has demonstrated capability to generate extremely convincing phishing and spear-phishing emails, which carry the possibility and probability of slipping through email provider’s spam-filters.

c. Scam website: With the lowered bar for code generation, ChatGPT can help less-skilled threat actors effortlessly build malicious websites such as masqueraded and phishing-landing pages. For example, malicious actors with zero to little skill can clone an existing website with ChatGPT and then modify it, build fake e-commerce websites or run a site with scareware scams, etc.

d. Disinformation campaigns: With ChatGPT, users have access to software that is able to write extremely convincing prose, generate thousands of fake news stories and social media posts in a fraction of time.

Guidelines/preventive measures

a. Prevention against phishing emails:

• Never open unknown, unanticipated and/or suspicious emails, links and attachments.
• Before downloading any attachments, including trusted attachments, scan them with the antivirus provided by the email service provider. If the email service does not provide virus scanning services, all downloaded files may be scanned with local antivirus before opening.
• Apply updates to Operating System and Software Applications on all computing devices such as PCs, laptops, mobiles, wearables etc.
• Use well-reputed and trusted antivirus/antimalware in all computing devices.
• Never use personal accounts on official devices.
• Use Multi Factor Authentication (MFA) wherever possible.
• Never share personal details and credentials with unauthorized/suspicious users, websites, applications etc.
• Always type URLs in the browser rather than clicking on links.
• Always open websites with HTTPS and avoid visiting HTTP websites.

b. Anti-masquerading guidelines

(1) Administrators

• Restrict incoming traffic and user permissions to the maximum-possible extent, by implementing system hardening at OS, BIOS and Applications level.
• Unauthorized storage media (such as USBs) be blocked via system hardening.
• Format removable media frequently to avoid lateral propagation of malware to the extent possible.
• Monitor network activity by (at-least) employing checks via file hashes, file locations, logins as well as unsuccessful login attempts.
• Use reputed and trusted Anti Malware, Antivirus, Firewalls, IPS, IDS, SIEM solutions.
• Use separate servers/routing for offline LAN and online networks.
• Allow internet access to specific users on need basis and restrict data usage/applications rights.
• Verify software and documents before downloading via digital code-signing technique.
• Implement MFA in mailing systems administrator controls and other critical systems.
• Always maintain back-up of critical data periodically.
• Regularly change passwords at administrator level.
• Regularly patch and update all OS, applications and other technical equipment.
• In order to reduce the attack surface of malicious code execution; it is advisable that the user should always login with the account having standard user privileges.

(2) End-users

• Always re-verify trusted users who have sent email/attachment via secondary means (call, SMS, verbal) before downloading.
• Report any suspicious activity to the Administrator immediately.
• Never store critical data on online systems, rather store it on standalone systems.

(3) Guidelines for ChatGPT users

• When using ChatGPT, be mindful of the information shared. Avoid sharing sensitive or confidential information, such as passwords, financial information or personal details.
• Use caution with links and attachments. ChatGPT may provide links or attachments as part of its answers, but it’s important to exercise caution before clicking on them. Always verify the source of the link or attachment and beware of suspicious/unknown sources.
• Official phones MUST NOT be used for ChatGPT.

(4) In case of encountering a security issue while using ChatGPT, please report it immediately to Open AI.

Prevention against disinformation campaigns all government

Departments to undertake following actions as preventive measures:

• Awareness campaigns and trainings be regularly arranged. 
• Always try to verify information from multiple sources.