Utilising AI technology in phishing scams, what to watch out for.

Mar 10 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s got that Friday feeling!

Today’s hottest cyber security stories:

  • AI-enhanced phishing scams may just be ChatGPTeeing off
  • Parallax RAT: Don’t get Bit… coins stolen
  • R3NIN sniffer sniffs out your card details!


AI technology is officially mainstream. Everybody seems to be talking about it, from builders to office workers to your mum, and even your nan! Unfortunately, but certainly not surprisingly, scammers the world over have taken note and some have begun utilising AI technology in their pesky phishing scams.

Cybersecurity firm Darktrace has reported an increase in what they suspect are AI-assisted scams and the Cambridge-based company reckons the problem will only get worse.

Indeed, when it comes to phishing scams, we’re a long way from the proverbial Nigerian prince now, aren’t we? According to research carried out by Darktrace,  AI is further enabling “hacktivist” cyber-attacks using ransomware to extort money from businesses.

We know all about ransomware here at Gone Phishing; we report on instances of them almost everyday. For those who aren’t familiar, ransomware attacks lock users out of their files and demand money (usually cryptocurrency; usually Monero) for re-access.

Darktrace said: “Darktrace has found that while the number of email attacks across its own customer base remained steady since ChatGPT’s release, those that rely on tricking victims into clicking malicious links have declined while linguistic complexity, including text volume, punctuation and sentence length among others, have increased.”

“This indicates that cybercriminals may be redirecting their focus to crafting more sophisticated social engineering scams that exploit user trust.”

However, Darktrace said that the phenomenon had not yet resulted in a new wave of cybercriminals emerging, merely changing the tactics of the existing cohort.

Basically, folks, it’s good news and bad news. The good news is that cybercrime apparently has decreased; the bad news is the complexity and sophistication of phishing attacks (generally-speaking) has increased, which suggests the presence of AI.

So, this could be the calm before the storm… But, then again, Darktrace isn’t doing a lot of business at the moment so are they prophesying doom in the hope that businesses will start ringing them for services again? Let’s hope not. Sorry Darktrace. Nice try, though.

In all seriousness, we do all need to be extra vigilant when it comes to phishing scams. Even if AI hasn’t been fully utilised by cybercriminals, as of yet; Darktrace is right, it’s a matter of when, not if.

Stay safe out there!


Hold onto your hats and tuck your trousers into your socks ladies and gents, because there’s another RAT on the loose.


Remember, when we say RAT we mean a Remote Access Trojan… What’s that? Ugh, last time: A RAT is malware an attacker uses to gain full administrative privileges and remote control of a target computer.

RATs are often downloaded along with seemingly legitimate user-requested programs (such as video games) or are sent to their target as an email attachment via a phishing email.

The latest RAT-attack is called Parallax and is out for cryptocurrency! It’s an advanced RAT (or an evolved RAT: think Raticate – those who know, know lol) that supports all Windows OS versions.

It functions as a MaaS and is now targeting cryptocurrency companies in a new campaign. It is using sophisticated injection techniques to hide within legitimate processes, making it difficult to detect.

What’s a Maas?

It stands for Malware-as-a-service and what it basically means is a scam that’s being mass marketed. Hackers develop these things and then sell them to criminals who presumably aren’t smart enough to write them themselves. Honestly, there are countless websites dedicated to the buying and selling of these out-of-the-box factory-fitted scams.

It’s a Scam-in-a-box!


Uh-oh, it’s another Scam-in-a-box. We’re starting to sense a trend here. This one is a sniffer that creeps into your system and sniffs out your card details. It then compiles its findings into a neat little string file and, Bob’s your Uncle, another one bites the dust.

Add that to your Magecart

Magecart’s success in cyberattacks has led threat actors to actively develop and advertise sniffers that can be injected into e-commerce web pages to exfiltrate payment card data.

One such sniffer, named R3NIN, has emerged on the threat landscape with notable features and the sniffer-as-a-service model.

Sniffing the e-Commerce

  • The sniffer’s attack sequence begins when an attacker injects a self-contained malicious script directly into a payment page of an already compromised merchant site.
  • The sniffer malware collects the input variables, converts them to a string, and sends them to the sniffer panel maintained by the attacker for further analysis and exploitation.
  • The attacker leverages iFrame by tricking the victims into entering additional data asked by a fake pop-up window, which is typically not required on a legitimate page.
  • The stolen data is processed in a commercialised format to either sell in underground forums or use it as phishing bait in different attacks.

FYI, R3NIN was going for $1,500 initially; now it’s fetching between $3,000 and $4,500. Business is booming.

Scammers gon’ scam, ya’ll! Stay safe.

So long and thanks for reading all the phish!

Cyber Dawgs top picks from the week, he’s your Dawg, he got you.

footer graphic cyber security newsletter

Recent articles