Tuesday, December 12, 2023

🎄 AI-fueled holiday scams

Plus: Surveillance showdown | Tuesday, December 12, 2023
 
 
Presented By Wiz
 
Axios Codebook
By Sam Sabin · Dec 12, 2023

Happy Tuesday! Welcome back to Codebook.

  • 📆 I blinked and the year is nearly over! What's your biggest lesson from this year's cyber happenings?
  • 📬 Have thoughts, feedback or scoops to share? codebook@axios.com.

Today's newsletter is 1,247 words, a 5-minute read.

 
 
1 big thing: Beware ChatGPT-crafted holiday scams
Illustration of a computer mouse with a cord of holiday lights

Illustration: Sarah Grillo/Axios

 

ChatGPT and similar tools aren't just helping craft letters to Santa — scammers are also using them to perfect their phishing lures with fake discount codes and shopping deals.

Why it matters: The end-of-year holiday shopping season has long been a popular time for cyberattacks and online scams targeting retailers and shoppers.

  • Scammers can use ChatGPT and other AI chatbots to speed up the development of their phishing lures to launch even more attacks, experts warn.

The big picture: Scammers typically target consumers using emails that purport to offer alluring discount codes and deals on popular gifts.

  • But the cybercriminals behind these schemes often aren't native English speakers, leaving their emails littered with typos and other grammatical errors that consumers can easily detect.

Between the lines: With AI chatbots, those grammatical errors can be greatly reduced — making it harder for consumers to detect fraudulent offers.

  • ChatGPT and similar chatbots are able to help those who are already technically savvy enough to launch an online scam put the finishing touches on their messaging, Jim Taylor, chief product officer at RSA, told Axios.
  • "It's gotten a whole lot easier, the barrier to entry is lower — but there is still a barrier of entry," Taylor said.

The intrigue: Scammers can use AI chatbots for more than just spellchecks, Taylor added. Bad actors can use these tools to help tailor an email to a specific demographic, he said.

Details: Retailers are experiencing an influx of phishing lures across the board this holiday season, including some targeting retail employees, said Bryon Hundley, vice president of intelligence operations at the Retail & Hospitality Information Sharing and Analysis Center.

Zoom out: Improved phishing scams hit consumers' and retailers' inboxes at a time when they're being inundated with emails and texts about potential deals — making them more susceptible to opening a seemingly weird email.

  • Spoofing retailers' email addresses is pretty easy: Less than half of U.S. online retailers have implemented a high-level security tool that authenticates that an email was actually sent by the retailer, according to email security company Proofpoint.

What they're saying: "We have this massive proliferation that's happened of consumer brands, all of whom are totally reliant on emails to get out marketing offers," Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, told Axios.

  • "That is the easiest thing in the world to impersonate — it's probably harder to set up a fake email account at this point, which is also not hard," he added.

Meanwhile, local law enforcement doesn't always have the resources to help address online scams that consumers fall for.

  • The FBI, which has more resources to track international scammers, often can't respond to low-level schemes where consumers lose around $5,000, even though that can be catastrophic for a victim, Kalember said.

Yes, but: It's impossible to know for certain if scammers are using AI tools, Hundley said.

  • "We're just speculating right now," he said. "Until we have something that we can run a phishing email through and go, 'This was definitely generated by ChatGPT' or something like that, we can't tell."

Be smart: As scammers improve their tricks, security experts say consumers need to be even more careful when clicking on emailed links.

  • Check to see who sent the email, and take advantage of link previews to see if they're going to the retailer's authentic website.
  • Verify if a discount is real by going directly to the retailer's website rather than relying on a link in an email.
  • You can also call a retailer's customer service department to verify email promotions or report potential scams.
 
 
2. Lawmakers eye a surveillance showdown
Illustration of an American flag with eyeballs moving instead of stars.

Illustration: Aïda Amer/Axios

 

House lawmakers are weighing two bills that could decide the fate of a controversial surveillance program.

Driving the news: House lawmakers were expected to debate the two bills, which would reauthorize Section 702 of the Foreign Intelligence Surveillance Act, in a rare showdown on the House floor this week.

  • The two bills would reauthorize the program under completely different sets of circumstances.
  • But Monday, House Rules Committee Chair Tom Cole (R-Okla.) said it was unlikely his panel would pass a rule needed to consider the two measures at the same time on the floor this week.

The big picture: Lawmakers have spent the last year debating the fate of Section 702, an intelligence community program that expires at the end of the year.

Between the lines: The two House bills take different approaches that have divided advocates.

  • The House Intelligence Committee's bill includes a few reforms to crack down on potential abuses of information collected through the program, including a new warrant requirement to search the 702 database for evidence of a crime.
  • However, the House Judiciary Committee's bill goes a step further and adds a warrant requirement for searches in the 702 database for any information about Americans.

The intrigue: Biden administration officials are actively lobbying on the Hill this week against the House Judiciary Committee's bill.

  • Officials briefed minority committee members Monday on the "grave concerns" they have about the bill, a source familiar with the briefing told reporters, arguing that the new warrant requirement would "fundamentally undermine the efficacy of Section 702."

Meanwhile, privacy advocates are pushing hard against the provisions in the House Intelligence Committee's bill, noting that it seems to expand the scope of the 702 program.

  • "Hotels, libraries, coffee shops, and other places that offer wifi to their customers could be forced to serve as surrogate spies," Elizabeth Goitein, co-director of the Brennan Center for Justice's liberty and national security program, said on X, formerly known as Twitter.
  • "They could be required to configure their systems to ensure that they can provide the government access to entire streams of communications," she added.

Yes, but: Even if the House passes a bill, it's likely the reauthorization debate gets punted to early 2024.

  • A provision in the latest version of the must-pass National Defense Authorization Act would renew FISA Section 702 without changes until April 19.
 
 
3. Catch up quick

@ D.C.

🪖 The U.S. Air Force disciplined 15 people who "intentionally failed" to report concerns about Jack Teixeira, who leaked troves of confidential documents this year. (CNN)

📝 The FBI has released guidance for how companies can request a reporting delay for national security reasons under new Securities and Exchange Commission rules going into effect next week. (The Record)

@ Industry

👔 BlackBerry has named John Giamatteo, most recently the head of its cybersecurity business, as chief executive officer. (Bloomberg)

🗣️ Ex-Uber CISO Joe Sullivan shared in a recent interview what he's learned following his conviction on charges related to concealing a 2016 cyberattack. (TechCrunch)

@ Hackers and hacks

🇨🇳 China-backed hackers have hacked at least two dozen critical infrastructure systems in the last year, including a water utility in Hawaii and a major West Coast port, according to U.S. and industry officials. (Washington Post)

🌐 A cyberattack against Ukraine's largest telecom operator, Kyivstar, has caused network and internet outages throughout the week. (The Record)

🤠 Cybercriminals appear to be creating shell companies in Wyoming to launch attacks, taking advantage of the state's lax rules for registering anonymous shell companies. (Reuters)

 
 


 
 
4. 1 fun thing
Screenshot of a tweet

Screenshot: @SaasyEngineer/X

 

🎅🏻 📝 The security community is starting to get into the holiday spirit!

 
 


 

☀️ See y'all Friday!

Thanks to Scott Rosenberg and Megan Morrone for editing and Khalid Adad for copy editing this newsletter.
