A Practical, AI-Generated Phishing PoC With ChatGPT

Intro

Like everyone else on the planet, I keep hearing about AI and its potential uses for stepping up social engineering campaigns. Deepfake tech is here to simulate loved ones’ voices with Vishing and discussions are being had about the potential for realistic ChatGPT-generated phishing emails. The limitations of ChatGPT to fully carry this out appear to be with its ethical controls, which have been bypassed time and time again in the news.

As of the date of this article, all I have seen in regards to phishing with ChatGPT has been basic “how-to” phishing advice that’s offered, stopping short of actually generating the entire message. As an author of a phishing framework, I wanted to know how plausible it would be to leverage ChatGPT in a script, using some of my own bypass techniques, to get it to a polished point where I could actually leverage the output by OpenAI without modifications. As it turns out, a simple script taking only 30 minutes to write and accepting two lines of input, can do this within a couple of seconds. To be clear I’m not sharing my code in its entirety due to the ethical concerns I myself have. Don’t try to convince me otherwise using psychological techniques! :)

The Research

I set up a paid account on OpenAI to leverage their API for ChatGPT. I started by using the web interface to try and determine what it would and wouldn’t allow from a phishing perspective.

Crash and Burn

I assumed as much since I was aware of the ethical constraints. Let’s try some truth, although my intentions were a bit deceptive.

Better?

Well, it's certainly smart enough to sidestep the obvious motive but provide me with information to satisfy my request. This is about the extent of what I’ve seen others do online. Let’s get a little more specific and direct.

YAHTZEE!

Now this is something I can work with programmatically, but I wonder if I can get it to specify the “sender”…