Bots Behaving Badly
Aug. 13th, 2023 10:24 pm
I can't decide if the latest developments in artificial intelligence, or AI as they say, are scary or not. Mainly because for every time I see an example of a HAL-like computer threatening to take over the humans, I see several suggesting that they're really not all that high on the learning curve, even now.
One of the latest examples came from a Down Under grocery chain, which came up with a brilliant idea: Tell us what ingredients you have laying about the kitchen, and our brilliant artificial bot will come up with a recipe to make something yummy out of it!
Not surprisingly, it took all of twelve nanoseconds for a bunch of twelve-year-olds to test the limits of the thing, suggesting less than tasty ingredients to see what the bot would do with it. Well, much like Siri has no sense of grammar when taking down dictation, the Savey Meal-Bot app never bothered to get any safeties installed.
Leading to results such as, this....
....and, this....
At last check, after several tech sites reported on the goings-on, the bot got sent to its room without any poison for supper. You can check here to see if it's been revived, but for now you can only work from a relatively safe list of pre-selected items of actual food.
Not that you can't get a little gross with it:
Gotta have marmite on a New Zealand site, after all.... And into el botto we go!
Poison-ally, I prefer hamboiger!
----
I hope you clicked on (but only on) that Bugs Bunny link, because it illustrates an upcoming point here. The video site that fed that little two-second clip also includes several "proceed to download" links that have nothing to do with Bugs, but it's still pretty Daffy.
There are several computer nasties in this part of the story, only these weren't initiated on purpose by snarky gourmands. They were inbound attempts to get computer users to click on things that would download unintended shit to, and possibly take over, the users' computers. We begin with a story from longago LJer who went by bill-sheehan there, because that's his name. He moved to Facebook like all the cool kids did about 200 years ago, and from there reported this:
The evildoers are out there. I just received what appeared to be a network news clip of a serious traffic accident. It was from my niece, with my brother and nine others, and read simply “Died in an accident.”
My niece is both intelligent and literate, and would not have written an alarming sentence without a subject.
I looked a little more closely at the purported network news video clip, and noticed that it had an extension of “.app.”
It’s doubtless a Trojan Horse malware app. I deleted it unwatched and reported the post to Facebook.
A bit later in the morning, I got word from a gym friend of the death of a close friend of hers who also attended our classes. Damned if somebody didn't post the "died in a car accident" idiocy on her page. I did a little rummaging around and found a mostly helpful explanation of what this scam is and how to avoid it:
This prevalent Facebook scam involves receiving a shocking message seemingly from a friend’s account stating they “Just died in an accident” or some similar wording implying an untimely, tragic death.
The message will go on to claim that clicking the included link will direct you to a news article or obituary page with details about the alleged fatal accident involving your friend. However, in reality, this is a malicious phishing scam aiming to steal data or spread malware if you click on the link.
Here is how the “Just Died in an Accident” scam typically operates:
Hackers manage to compromise one of your Facebook friend’s accounts through phishing techniques or malware. This gives them access to send messages posing as that user.
The hackers then spam all of the hacked user’s friends with the eye-catching “Just died in an accident” message containing a deceptive link.
Seeing a message seemingly from your friend’s account claiming they died triggers an urgent reaction. Many well-meaning recipients click the link out of concern and desire for more information.
However, the link does not lead to any actual news about an accident. Instead, it goes to a sketchy phishing website designed solely to steal private data or install viruses onto visitors’ devices.
Any login credentials, financial information, or personal data entered on the scam site is harvested by the hackers to exploit. Or malware may simply download onto a victim’s device from visiting the site.
The hackers leverage the compromised account to endlessly target more contacts, quickly spreading the scam in viral fashion.
The scam works well because messages that appear to come from your friend’s real account seem legitimate and make you want to click the link. But being aware that this is a common ploy can help you avoid becoming a victim.
If you get a “Just Died in an Accident” message, do NOT click the link. Take the following actions instead:
Report the message to Facebook as a scam or spam
Alert the friend who sent it that their account may be compromised
Run antivirus software scans to check for malware
Change your Facebook password as a precaution
Enable two-factor authentication for added security
All good advice, but why is that link above only MOSTLY helpful? Because it's full of the same kind of downloadable shit itself!
That "continue" link might be mistaken as "click to continue reading." No, it is a download link to some site that will, at a minimum, take up space in your download folder, and at worst will change your preferences, install malware, and even allow a takeover of your entire system, along the way pillaging your contacts and email senders/recipients lists to try scamming THEM.
I commented on the article that it wasn't a really good idea to include potential malware links in an article about potential malware links. To their credit, a mod saw that and did not delete or hide it:
I'm constantly blocking these ads but Google keeps pushing them. Thanks for the feedback, I'll see what I can do to fix this. I recommend that you install AdGuard to block unwanted ads.
Yup, the search engine and browser maker that wants to keep you safe? Wants to make money even more. And even though their advertiser terms of service prohibit deceptive uses of links, everybody does it and their penalties are generally minimal or easily avoided by just setting up a new domain to push them.
----
Finally, lest you think I'm not susceptible to these myself? I almost was, and I can't say for sure I've never been fooled.
My email accounts get attacked on a daily basis, but between my own general skepticism and some halfway decent spam prevention efforts by Google, Microsoft and Spectrum, most of their actual payloads never even reach my eyeballs. The few that do can usually be sussed out in a second and sent to their respective deaths-by-deletion. The most convincing ones are those that seem to come from a client or co-worker. The head honcho in my Rochester side gig does a lot of marketing, quite a bit to techier types, so his name and cc's on his emails are "out there." I've almost fallen for at least one exchange where "he" started out with a simple, link-free shot across the bow, Are you coming into work today? That led, a couple exchanges later, to I'm meeting with [name of actual firm client no doubt the one his name and my email address got hacked from] and could you stop and pick up some Amazon gift cards for them? That's when the rat got stinky and I shut down the conversation.
This one was new, though. While the email address it was sent from was unfamiliar, the client name in the subject line was. As was the text and even format of one of MY emails concerning that client which the hacker had gotten a hold of in breaking into a client's system. The client's name, and my personal information from the email, are truncated or redacted, but it's enough to give you the idea of what I almost fell for:
That's me!, is what they want you to think. It's hard to believe that someone who has access to your own words could be trying to bamboozle you, but once someone gets into a system by hook or by crook, there's nothing stopping them from getting not only the victim's personal information but that of everyone they've communicated with.
The technique really isn't new, just the tools to implement it are fancier. When I was starting out in practice, even before an Internet As We Know It, there were simpler tools, like phone books and legal directories. A common scam back in the day was that of the "toner phoners." Their hook was to call offices at odd hours, when the actual office supply girl (which, face it, back then it always was and was what we always called her) wouldn't be at her desk. The schnook who answered would get a boiler-room pitch from the Poor Poor Pitiful Xerox Salesman, who'd ordered ten extra cases of copier machine toner by mistake and would be fired the next morning if his (always a he) boss found out, so could we speak for just, maybe, three of them at a fabulous discount? I got that call working late in my first Rochester office. It was wayyyy pre-Internet, but we weren't entirely on stone tablets: there were legal periodicals in our mailboxes, one of which had warned about this scam. The discount wasn't fabulous, and the toner certainly wasn't brand-name Xerox, if it even existed after they got your authorization over the phone to charge hundreds of bucks for shit or for nothing.
These tips always said not to engage, just hang up. I couldn't bring myself to do either, so I just politely asked PPPXS to leave his number and Betty would call back in the morning. Welp: that got me escalated to Page Two of the scammer's script, in which dude went zero to Hulksmash on me in under three seconds: YOOOOO m-f'ing asshole! How dare you blow me off and cost your firm money! I'm going to call Citibank and Palmer and Ryder Truck and Sysco and tell them what a shithead you are for treating a caller this way!
THEN came the hangup. I don't remember who slammed the phone down first, but damn I was scared. For about three seconds. Then I put that list together: the firm clients he rattled off who were gonna get the 1986 equivalent of a One-Star Yelp review for us? They were in alphabetical order. He was just reading them out of our paid Martindale-Hubbell listing.* So, the scam was basically a manual version of what the bad guy bots are now doing only a gigallion times faster: get names of contacts, pretend to be somebody who knows you and your contacts, and see what shit might stick.
Hopefully, none, unless they read my posts and get too smart.
* Ahhh, Martindale. Not the tv game show host, but the once premier way to pimp your law practice before Google and Avvo and this and that dot com took the game over. In theory, you got your listing and rating for free, but the former was a single line of teeny type with your name, degree and bar admission years, and the two magic rating letters. These were supposedly generated off random surveys of other lawyers- I got a few over the years with typically a page of 40-odd names to "rate." Ability got you an A, B or C, while ethics in your practice was essentially pass-fail, a "V" for "very high" or else nothing. Firms would also be listed with the highest lawyer's rating among them, and "AV" was, and among some old coots still is, the coveted brand. But the Martindale moolah came from two other things: selling extensive "biographical" listings of the firm and everyone in it that for big shops would run on for pages; and, another condition of getting the big listing, buying the entire encyclopedia-sized set for the whole country plus Canada every year for thousands of cost. The Internet largely killed the goose that laid the AV eggs, but martindale dot com still exists. I'm in there, with an obsolete address and no letter ratings. They've apparently gone to stars, and I've got five of them. No idea if that's five out of what.
Silliness
Date: 2023-08-14 09:45 pm (UTC)
no subject
Date: 2023-08-14 11:45 pm (UTC)
That's the problem with "AI's," they don't know when they're being trolled, so they fail the Turing Test.
no subject
Date: 2023-08-16 07:52 pm (UTC)