Phishing with ChatGPT: Stealing Passwords Using QR Codes and Chatbots

ChatGPT is everywhere these days—almost in your burger patties! In this article, we’ll explain how, in a social engineering project, we used a fork of the Gophish library to send QR codes instead of regular links. The goal: lure employees out of their secure work environment onto personal devices. As a catchy phishing scenario, we’ll look at a “Telegram IT Support Bot with ChatGPT,” actually using the neural network to generate the bot’s code and integrating it with the OpenAI API for user interaction.

Pentest Award

In August 2023, the Pentest Award ceremony was held—a prize for penetration testing specialists, established by Awillix. We’re publishing the best works from each category. This article took first place in the “Catch the Phish” category, dedicated to phishing.

Authors

  • Idea, scenarios: Sergey Lukinykh, @IBcrew
  • Infrastructure, domains, email, Gophish: Ilya Georgievsky, @igeorgievsky
  • QR and chatbot code: Dmitry Maryushkin, @dmarushkin

The Task

The task: run a social engineering project in a large financial organization to raise employee awareness about information security.

We knew the client’s employees used corporate Outlook, an antispam gateway, and Chrome as the default browser. Both the InfoSec team and the regular staff were security-aware and well prepared.

We planned to use the open-source Gophish framework. The idea was to lure users to an external resource with a domain similar to the corporate one, present a login form, and then ask for credentials.

Problems

What could go wrong with the mailing?

  • Antispam might flag emails for a poorly configured mail domain (DKIM, DMARC, etc.), a recently registered domain, suspicious headers (hello, default X-Mailer: gophish), and too many links (login form link with RID tag and image link for open tracking).
  • Chrome on users’ workstations, when following links to a fresh domain, might show a big red warning, reducing the conversion rate from clickers to those who actually enter their password.

Configuring the mail domain, waiting after domain registration, and tweaking headers is relatively straightforward. You can even remove the image link—corporate Outlook won’t display it in emails from external senders anyway.

But how do you avoid an external link to a form in the email and the browser’s sudden paranoia?

The Solution

Why not lure the user out of the secure work environment to a phishing resource opened on a personal device by offering a QR code in the email?

This way, we kill two birds with one stone: antispam is less strict since there are no external links in the email, and the browser on a personal phone is less likely to panic at a new domain than desktop Chrome.

But how do you insert a QR code into the email? It’s still an image, and corporate Outlook will block it just like a Gophish image.

Yandex, for example, renders the QR code for receipt links out of HTML layers (a grid of div elements) rather than an image.

Another option: create a QR code from Unicode characters.

We tried both options in Gophish to see which looked better in Outlook. First, we added two new methods to the go-qrcode library (commonly used for QR in Go) to generate QR in Unicode and HTML.

Next, we added QR link generation to a variable for the email template in Gophish.

During testing, we found that Unicode display worked best for Outlook, while HTML QR looked better for web clients (Gmail, Mail.ru, Yandex) and mobile clients. The mailing can support both options using a specific construction.

We now had a working way to insert a QR code with a link into the email. Smartphones read it without issue and open the Gophish web login form without any warning. Success!
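The flip side of the technique above is detection. The following is an added example (not code from the article, from Gophish or from go-qrcode): a defender-side check that a mail gateway rule or a SOC triage script could run over inbound message bodies to spot a QR code rendered as text, the variant the authors found works best in Outlook. It assumes the common half-block rendering convention (`█`, `▀`, `▄`, space), which is an assumption rather than something the article states, and it constructs its own sample message. In a real deployment the recovered module grid would be handed to a QR decoder and the embedded URL compared against the organisation's own domains.

```python
"""Detect QR codes rendered as Unicode half-block text in an e-mail body.
Added example; not code from the original article, Gophish or go-qrcode.
Assumed rendering convention (an assumption): each text line carries two module
rows using '█' (both dark), '▀' (top dark), '▄' (bottom dark), ' ' (both light)."""
import random

# Character -> (top module, bottom module), 1 = dark. NBSP and ideographic space count
# as light so that mailers which rewrite ordinary spaces do not break the grid.
BLOCKS = {"█": (1, 1), "▀": (1, 0), "▄": (0, 1),
          " ": (0, 0), "\u00a0": (0, 0), "\u3000": (0, 0)}
# The 7x7 finder pattern found in three corners of every QR code (ISO/IEC 18004).
FINDER = [[int(ch) for ch in row] for row in
          ("1111111", "1000001", "1011101", "1011101", "1011101", "1000001", "1111111")]


def _candidate_runs(text, min_lines):
    """Runs of consecutive non-empty lines consisting only of half-block characters."""
    runs, current = [], []
    for line in text.splitlines():
        if line and all(ch in BLOCKS for ch in line):
            current.append(line)
            continue
        if len(current) >= min_lines:
            runs.append(current)
        current = []
    if len(current) >= min_lines:
        runs.append(current)
    return runs


def _to_modules(lines):
    """Expand text lines into a module matrix: each line yields two module rows."""
    width = max(len(line) for line in lines)
    rows = []
    for line in lines:
        padded = line.ljust(width)
        rows.append([BLOCKS[ch][0] for ch in padded])
        rows.append([BLOCKS[ch][1] for ch in padded])
    return rows


def _count_finders(m):
    """Count positions where the 7x7 finder pattern appears exactly."""
    return sum(1 for r in range(len(m) - 6) for c in range(len(m[0]) - 6)
               if all(m[r + i][c + j] == FINDER[i][j] for i in range(7) for j in range(7)))


def find_unicode_qr(text, min_lines=8):
    """Flag block-character grids at least 21 modules wide (QR version 1) that contain
    three finder patterns in either polarity, because some renderers draw dark modules
    as spaces on a light background."""
    findings = []
    for run in _candidate_runs(text, min_lines):
        modules = _to_modules(run)
        if len(modules[0]) < 21:
            continue
        inverted = [[1 - v for v in row] for row in modules]
        finders = max(_count_finders(modules), _count_finders(inverted))
        if finders >= 3:
            findings.append({"text_lines": len(run), "width": len(modules[0]),
                             "finders": finders})
    return findings


def build_sample_modules(size=21, seed=7):
    """Constructed sample: a version-1-sized grid with three finder patterns, their light
    separators and pseudo-random filler. Not a decodable QR code; it exercises the detector."""
    rng = random.Random(seed)
    m = [[rng.randint(0, 1) for _ in range(size)] for _ in range(size)]
    for r0, c0 in ((0, 0), (0, size - 7), (size - 7, 0)):
        for i in range(-1, 8):               # indices -1 and 7 form the separator ring
            for j in range(-1, 8):
                if 0 <= r0 + i < size and 0 <= c0 + j < size:
                    m[r0 + i][c0 + j] = FINDER[i][j] if 0 <= i < 7 and 0 <= j < 7 else 0
    return m


def render_half_blocks(modules, quiet=4):
    """Render a module matrix with a quiet zone the way a text-mode generator would."""
    width = len(modules[0]) + 2 * quiet
    grid = [[0] * width for _ in range(quiet)]
    grid += [[0] * quiet + row + [0] * quiet for row in modules]
    grid += [[0] * width for _ in range(quiet)]
    if len(grid) % 2:                         # half-blocks need an even number of rows
        grid.append([0] * width)
    to_char = {(1, 1): "█", (1, 0): "▀", (0, 1): "▄", (0, 0): " "}
    return "\n".join("".join(to_char[(grid[r][c], grid[r + 1][c])] for c in range(width))
                     for r in range(0, len(grid), 2))


# Constructed sample message: lure text followed by the text-rendered code.
SAMPLE_EMAIL = ("Subject: New IT support bot in Telegram\n\n"
                "Scan the code with your phone to register:\n\n"
                + render_half_blocks(build_sample_modules()) + "\n\nIT Department\n")

if __name__ == "__main__":
    for hit in find_unicode_qr(SAMPLE_EMAIL):
        print("possible text-rendered QR code:", hit)
```

The three-finder test is deliberately structural rather than a character-frequency heuristic, so a row of decorative block characters in a signature does not trip it, and checking both polarities covers generators that print dark modules as spaces. The HTML layer variant (a grid of div elements) needs a different extractor: parse the cell grid into the same 0/1 matrix and reuse `_count_finders` on it.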

Phishing Scenario

So, we had built ourselves a new "bicycle." Where should we ride it?

We needed a believable reason for the user to want to scan the QR code with their smartphone and enter their credentials there.

At the time, everyone was talking about new uses for ChatGPT. Why not play on that? Thus, the scenario was born: “New Telegram IT Support Bot for Employees with ChatGPT.”

The email also included examples of the bot’s responses (real ChatGPT answers) and a message about gifts for the first to register.

And since we were using ChatGPT in the scenario, why not have it write the bot’s logic too? After a couple of hours and a dozen prompts, we had a fully working bot code.

The bot greeted users who followed the link from the email (with RID tag) and asked them to authorize via a link to the form.

After going to the web login form, employees were prompted to enter their corporate email and password.

Once credentials were entered, the user returned to the bot. The collected credentials were saved on our server.

After authorization (and only then), the bot received a callback from the Gophish form and continued to interact with the user in the role of the organization’s IT support bot.

The OpenAI API correctly interpreted the initial prompt (“You are a cheerful IT support bot for Bank X, located in Y”) and provided relevant answers to employees who fell for the phishing email.

Conclusions

We taught Gophish to generate text-based QR links using Unicode characters and div elements, and found that Unicode QR codes worked best for corporate Outlook.

To justify the need to scan the QR code with a smartphone, we chose the “Telegram IT Support Bot with ChatGPT” scenario and used the neural network to write a fully functional IT support bot, leveraging the OpenAI API. By giving the bot minimal starting context about the organization, we taught it to provide relevant answers about office addresses and phone numbers, and by increasing its humor level, we achieved a viral effect. Such a bot can attract even employees not included in the mailing.

Our client received a new tool for training employees to be vigilant, which should help protect them from the growing trend of phishing attacks in messengers. A separate challenge for the client is to develop mechanisms to detect scenarios where employees switch to personal devices.
