
Advanced AI-Driven Phishing Threat Exploits Gmail's EmailGPT and Chrome Vulnerabilities - October 2024 Report

Executive Summary

In October 2024, a sophisticated AI-driven phishing attack targeting Gmail users was identified, exploiting advanced social engineering techniques to compromise user accounts. This report delves into the intricacies of the threat, its potential impact, and recommended mitigation strategies. The attack leverages AI-generated voice calls, impersonating Google support, to deceive users into divulging sensitive information. This new threat underscores the evolving landscape of cyber threats and the critical need for robust security measures.

Technical Information

The AI-driven phishing attack targeting Gmail users is a testament to the increasing sophistication of cyber threats. The attackers employ a combination of phishing emails and AI-generated voice calls to create a compelling narrative that convinces users to disclose sensitive information. The attack begins with a phishing email or notification that prompts the user to approve a Gmail account recovery attempt. If the user does not respond, the attackers escalate their efforts by placing a phone call from a number that appears to be associated with Google. During the call, the AI-generated voice claims there is suspicious activity on the user's account and urges them to verify their identity by providing credentials.

The technical backbone of this attack involves a prompt injection vulnerability identified as CVE-2024-5184. This vulnerability exists within the EmailGPT API service and the Google Chrome extension, allowing attackers to bypass authentication mechanisms. By exploiting this vulnerability, attackers can manipulate the service, potentially gaining unauthorized access to sensitive data. The use of deepfake technology in the AI-generated calls adds a layer of realism, making the attack more convincing and difficult to detect.

While no specific Advanced Persistent Threat (APT) group has been directly linked to this attack, the use of advanced AI techniques suggests the involvement of sophisticated threat actors. The attack's complexity and the resources required to execute it indicate that it is likely orchestrated by well-funded and highly skilled cybercriminals.

Exploitation in the Wild

The exploitation of this vulnerability has been observed in the wild, with attackers successfully deceiving users into providing their credentials. The attack's success hinges on the realistic nature of the AI-generated voice calls, which mimic human interaction convincingly. Indicators of Compromise (IOCs) include unexpected account recovery notifications, phone calls from numbers appearing to be associated with Google, and unauthorized access to Gmail accounts.

APT Groups using this vulnerability

While no specific APT groups have been identified as using this vulnerability, the sophistication of the attack suggests that it may be of interest to state-sponsored actors or organized cybercriminal groups. The use of AI and deepfake technology indicates a high level of technical expertise, which is characteristic of advanced threat actors.

Affected Product Versions

The vulnerability affects the EmailGPT API service and the Google Chrome extension. Users of these services are at risk of exploitation if they do not implement the recommended mitigation strategies.

Workaround and Mitigation

To mitigate the risk of this AI-driven phishing attack, several strategies can be employed. User awareness is paramount; educating users about the nature of AI-driven phishing attacks and the importance of verifying the authenticity of communications claiming to be from Google is crucial. Implementing multi-factor authentication (MFA) adds an additional layer of security, making it more difficult for attackers to gain unauthorized access. Regularly reviewing account activity for signs of unauthorized access can help detect and respond to potential breaches promptly. Technical controls, such as email filtering solutions, can be used to detect and block phishing attempts. Monitoring for unusual login patterns and device access can also help identify potential threats.
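The last two controls above (reviewing account activity and monitoring for unusual device access) can be combined into one detection that matches the attack chain this report describes: an account recovery attempt followed shortly by a login from a device the account has never used. The example below is added here and is not part of the original report; the log format, field names (user, event, device) and the known-device list are assumptions constructed for illustration, not the real Google Workspace audit schema.

```python
"""Flag accounts where a recovery attempt is followed, within a time window,
by a successful login from a device not previously seen for that account.
Log format and field names are assumed for illustration only."""
from datetime import datetime, timedelta

# Constructed sample events (not real audit data); fields are assumed.
SAMPLE_EVENTS = [
    "2024-10-12T09:02:11Z user=alice@example.com event=recovery_attempt device=unknown",
    "2024-10-12T09:40:53Z user=alice@example.com event=login_success device=dev-9f3a",
    "2024-10-12T10:15:00Z user=bob@example.com event=login_success device=dev-1111",
    "2024-10-12T11:05:30Z user=carol@example.com event=recovery_attempt device=unknown",
    "2024-10-13T08:00:00Z user=carol@example.com event=login_success device=dev-2222",
]

# Devices each account has legitimately used before (constructed baseline).
KNOWN_DEVICES = {
    "alice@example.com": {"dev-0001"},
    "bob@example.com": {"dev-1111"},
    "carol@example.com": {"dev-2222"},
}

WINDOW = timedelta(hours=6)  # how long after a recovery attempt a login is suspect


def parse_event(line):
    """Split 'TIMESTAMP key=value ...' into a dict with a parsed datetime."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_suspicious_logins(lines, known_devices, window=WINDOW):
    """Return (user, login_time, device) for logins that land within `window`
    of a recovery attempt and come from a device not in the user's baseline."""
    last_recovery = {}
    hits = []
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["event"] == "recovery_attempt":
            last_recovery[user] = ev["ts"]
        elif ev["event"] == "login_success":
            rec = last_recovery.get(user)
            new_device = ev["device"] not in known_devices.get(user, set())
            if rec is not None and ev["ts"] - rec <= window and new_device:
                hits.append((user, ev["ts"].isoformat(), ev["device"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_EVENTS, KNOWN_DEVICES):
        print("suspicious login:", hit)
```

Only alice is flagged in the sample: her login follows the recovery attempt within the window and comes from an unseen device, while carol's login is both outside the window and from a known device.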

References

For further reading and detailed technical information, please refer to the following sources: Forbes Article on AI-Driven Gmail Hack (https://www.forbes.com/sites/daveywinder/2024/10/12/new-gmail-security-alert-for-billions-as-7-day-ai-hack-confirmed/), CyRC Advisory on CVE-2024-5184 (https://www.blackduck.com/blog/cyrc-advisory-prompt-injection-emailgpt.html), NVD Details on CVE-2024-5184 (https://nvd.nist.gov/vuln/detail/CVE-2024-5184), and Techzine on Google Workspace Vulnerability (https://www.techzine.eu/news/security/122857/vulnerability-in-google-workspace-made-email-authentication-open-to-hacking-attacks/).

Rescana is here for you

At Rescana, we are committed to helping our customers navigate the complex landscape of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to provide comprehensive protection against emerging threats. We are here to answer any questions you may have about this report or any other cybersecurity concerns. Please feel free to reach out to us at ops@rescana.com.
