#FactCheck - Suryakumar Yadav–Salman Ali Agha Handshake Row: Viral Image Found AI-Generated

Executive Summary:

Traditional Business Email Compromise(BEC) attacks have become smarter, using advanced technologies to enhance their capability. Another such technology which is on the rise is WormGPT, which is a generative AI tool that is being leveraged by the cybercriminals for the purpose of BEC. This research aims at discussing WormGPT and its features as well as the risks associated with the application of the WormGPT in criminal activities. The purpose is to give a general overview of how WormGPT is involved in BEC attacks and give some advice on how to prevent it.

 Introduction

BEC(Business Email Compromise) in simple terms can be defined as a kind of cybercrime whereby the attackers target the business in an effort to defraud through the use of emails. Earlier on, BEC attacks were executed through simple email scams and phishing. However, in recent days due to the advancement of AI tools like WormGPT such malicious activities have become sophisticated and difficult to identify. This paper seeks to discuss WormGPT, a generative artificial intelligence, and how it is used in the BEC attacks to make the attacks more effective.

What is WormGPT?

Definition and Overview

WormGPT is a generative AI model designed to create human-like text. It is built on advanced machine learning algorithms, specifically leveraging large language models (LLMs). These models are trained on vast amounts of text data to generate coherent and contextually relevant content. WormGPT is notable for its ability to produce highly convincing and personalised email content, making it a potent tool in the hands of cybercriminals.

How WormGPT Works

1. Training Data: Here the WormGPT is trained with the arrays of data sets, like emails, articles, and other writing material. This extensive training enables it to understand and to mimic different writing styles and recognizable textual content.

 2. Generative Capabilities: Upon training, WormGPT can then generate text based on specific prompts, as in the following examples in response to prompts. For example, if a cybercriminal comes up with a prompt concerning the company’s financial information, WormGPT is capable of releasing an appearance of a genuine email asking for more details.

 3. Customization: WormGPT can be retrained any time with an industry or an organisation of interest in mind. This customization enables the attackers to make their emails resemble the business activities of the target thus enhancing the chances for an attack to succeed.

Enhanced Phishing Techniques

Traditional phishing emails are often identifiable by their generic and unconvincing content. WormGPT improves upon this by generating highly personalised and contextually accurate emails. This personalization makes it harder for recipients to identify malicious intent.

Automation of Email Crafting

Previously, creating convincing phishing emails required significant manual effort. WormGPT automates this process, allowing attackers to generate large volumes of realistic emails quickly. This automation increases the scale and frequency of BEC attacks.

Exploitation of Contextual Information

WormGPT can be fed with contextual information about the target, such as recent company news or employee details. This capability enables the generation of emails that appear highly relevant and urgent, further deceiving recipients into taking harmful actions.

Implications for Cybersecurity

Challenges in Detection

The use of WormGPT complicates the detection of BEC attacks. Traditional email security solutions may struggle to identify malicious emails generated by advanced AI, as they can closely mimic legitimate correspondence. This necessitates the development of more sophisticated detection mechanisms.

Need for Enhanced Training

Organisations must invest in training their employees to recognize signs of BEC attacks. Awareness programs should emphasise the importance of verifying email requests for sensitive information, especially when such requests come from unfamiliar or unexpected sources.

Implementation of Robust Security Measures

1. Multi-Factor Authentication (MFA): MFA can add an additional layer of security, making it harder for attackers to gain unauthorised access even if they successfully deceive an employee.
2. Email Filtering Solutions: Advanced email filtering solutions that use AI and machine learning to detect anomalies and suspicious patterns can help identify and block malicious emails.
3. Regular Security Audits: Conducting regular security audits can help identify vulnerabilities and ensure that security measures are up to date.

Case Studies

Case Study 1: Financial Institution

A financial institution fell victim to a BEC attack orchestrated using WormGPT. The attacker used the tool to craft a convincing email that appeared to come from the institution’s CEO, requesting a large wire transfer. The email’s convincing nature led to the transfer of funds before the scam was discovered.

Case Study 2: Manufacturing Company

In another instance, a manufacturing company was targeted by a BEC attack using WormGPT. The attacker generated emails that appeared to come from a key supplier, requesting sensitive business information. The attack exploited the company’s lack of awareness about BEC threats, resulting in a significant data breach.

Recommendations for Mitigation

1. Strengthen Email Security Protocols: Implement advanced email security solutions that incorporate AI-driven threat detection.
2. Promote Cyber Hygiene: Educate employees on recognizing phishing attempts and practising safe email habits.
3. Invest in AI for Defense: Explore the use of AI and machine learning in developing defences against generative AI-driven attacks.
4. Implement Verification Procedures: Establish procedures for verifying the authenticity of sensitive requests, especially those received via email.

Conclusion

WormGPT is a new tool in the arsenal of cybercriminals which improved their options to perform Business Email Compromise attacks more effectively and effectively. Therefore, it is critical to provide the defence community with information regarding the potential of WormGPT and its implications for enhancing the threat landscape and strengthening the protection systems against advanced and constantly evolving threats. 

This means the development of rigorous security protocols, general awareness of security solutions, and incorporating technologies such as artificial intelligence to mitigate the risk factors that arise from generative AI tools to the best extent possible.

Procedural History: 

‍

The case started with a 2011 Madras High Court ruling that included the appellant’s personal information. In the case discussed, the court decided in 2024, the appellant went to the Madurai Bench of the Madras High Court to request that his name and other identifying information from that previous ruling be redacted. He argued that his right to privacy under Article 21 of the Indian Constitution was violated by the ongoing release of such private information into the public arena. He claimed that the revelation had hurt him in real ways, such as having his application for an Australian visa denied. Therefore, without compromising the ideals of open justice, the current procedures aimed to have the court recognize a person’s “Right to be Forgotten” within a broader framework of privacy and data protection.

‍

Background and Factual Matrix

‍

The appellant was charged under Sections 417 and 376 of the IPC. The trial court convicted him in 201, but later, the High Court in 2014 fully, completely and unconditionally acquitted him, which was not based on the benefit of doubt. Following the acquittal, he remarried and has three children. The judgment of both the High Court and the Trial Court has personal and intimate details about him. Being available in the public domain has caused him significant repercussions, as he was denied a visa to travel to Australia by authorities, citing the criminal cases. The appellant has filed a plea seeking a mandamus directing the Registrar General, Additional Registrar General, and Registrar (IT-Statistics) as R1, R2, R3 to redact his name and other identities from the acquittal judgment. He has sought a direction from Ikanoon Software Development Private Limited (R4) to reflect the redaction in its publication. 

‍

Issue 

‍

1. Whether a writ of mandamus can lie against a High Court for redaction of personal details from its own judgment, or does such a prayer tantamount to a High Court issuing a writ against itself?
2. Whether the High Court, being a Court of Record under Article 215 of the Indian Constitution, is entitled to preserve its record for perpetuity in its original form without any modification or redaction?
3. Whether the ‘Right to be Forgotten' can be recognised and enforced in the absence of a specific statutory provision or Supreme Court direction, given that it constitutes an exception to the fundamental principle of open courts and open justice?

‍

Adjudication and Reasoning

The division bench has allowed the Writ appeal and granted the following relief:

1. R4 directed to take down the judgment in Crl.A. (MD) No.321 of 2011 dated 30.04.2014 forthwith.
2. R1 to R3 directed to redact the name and other details of the Writ Petitioner relating to his identity from the judgment dated 30.04.2014 in Crl.A.(MD) No. 321 of 2011 and ensure that only the redacted judgment is available for publication or for uploading.

‍

Rule 

‍

1. Courts have a wide discretion in deciding whether to allow redaction or not. Such discretion can either be granted at the request of the party seeking redaction or, in appropriate cases, even suo moto by the court.
2. The accused who have earned full, complete and unconditional acquittal without any benefit of doubt have a legitimate claim to move forward for redaction of personal information.
3. The open Court doesn’t require absolute disclosure of all personal information, and the courts, while deciding the concern of privacy and the right to ensure that in litigations to leave behind parts of their past which are no longer relevant, have to balance the concept of open Court on the one hand and privacy concerns of a citizen on the other.
4. As the High Court is the repository of a wide range of information and is entitled to preserve the original record in perpetuity. However, without diluting the sanctity of the original record, the public reflection of that record can be moderated to preserve the privacy of the person to whom that record pertains.

‍

Reasoning 

‍

1. Drawing on the judgment K.S. Puttaswamy v. Union of India, the court found Article 21 to protect not only informational privacy but also the "right to be forgotten," which gives individuals the right to request the deletion of any personal data when there is no longer any legitimate public interest in retaining such information. Such irreparable reputational damage is thus an infringement on constitutional privacy that demands judicial redaction. 
2. The court rejected the argument that a writ against its own order is impermissible, drawing a distinction between challenging the legal correctness of a judgment and seeking redaction of personal information. Allowing redaction will not question the validity of the judgment; rather, it will simply change its public appearance to ensure privacy.
3. Since a High Court is a Court of Record with an obligation to preserve its judgments in their unaltered form forever, the court held here that such internal maintenance of complete records was not incompatible with the issuance of a redacted public version. Institutional integrity is maintained when the original kept in the archives is supplemented with a public version that masks the privacy areas.
4. Open justice principles work to establish transparency, accountability, and public confidence, but these are not absolute. The court took a proportionality stance: personal identifiers, where they neither educate nor have precedential value and continue to inflict harm, may be expunged without affecting the established legal principles of judgment.
5. Although the DPDP Act exempts courts from several statutory obligations, the court held that it can, by virtue of its inherent discretion, protect personal data, and in so doing, exercise that power without the need for any legislative command. Traditionally the Madras High Court rules provide for the possibility of restriction of certified copies, thus establishing redaction as feasible both legally and administratively.

‍

Executive Summary:

‍

Our team has come across a recent social media post highlighting a report on fraudulent activities involving deceptive websites and emails impersonating India’s Oil Marketing Companies (OMCs). These phishing scams falsely promise LPG distributorships and retail outlet dealerships, aiming to extract money and personal information from unsuspecting individuals. We strongly urge the public to exercise caution and verify all information exclusively through official OMC channels to avoid falling victim to such fraudulent schemes.

‍

‍

‍

Claim:

‍

It has been reported that fraudsters are impersonating Indian Oil, Bharat Petroleum, and Hindustan Petroleum through fake websites and emails, promising LPG distributorships and seeking money from victims.

‍

‍

‍

‍

Fact Check:

‍

‍

After our research, we came upon more information about this topic and found out that the Press Information Bureau (PIB) has released an official notice confirming that fraudulent websites and emails are impersonating India's Oil Marketing Companies (OMCs), which include Indian Oil Corporation Ltd., Bharat Petroleum Corporation Ltd., and Hindustan Petroleum Corporation Ltd. The scams falsely promise LPG distributorships and retail outlet dealerships while demanding large sums of money from unsuspecting individuals. On June 19, 2019, this was confirmed. The PIB highlighted that OMCs have not allowed any person or organization to charge a fee for dealership selection. All authentic information on these offers is available at the websites of the OMCs: www.iocl.com, www.bharatpetroleum.com, and www.hindustanpetroleum.com. The general public is cautioned to rely only on these sources and report suspicious approaches to the offices of concerned OMCs. If someone finds such an approach, he should immediately contact the cybercrime branch. HPCL has issued alerts on fake websites and emails that promise LPG distributorships and jobs, mimicking official HPCL sites to deceive people.

‍

‍

‍

On the official website of HPCL list down the malicious URLs. They are mentioned below:

• https://kskdealerchayan.com/
• bajajgas.com/index
• hindustanbiofuel.in
• petrolpumpchayanonline.com
• dealerchayanpetrolpump.in
• petrolpumpdealarchayan.com
• petrolpumpsdealerchayan.co.in
• petrolpumpdealershipchayan.org.in
• petrolpumpdealerchayangov.in
• petrolpumpdealership.info
• petrolpumpsdealershipchayan.in
• allindiagasdealership.com
• hindustanpetroleum.online
• hindustanpetroleumcorp.com
• hpcldelership.com
• ujjwalalpgvitarak.org
• ujjwaladealership.com
• lpgvitrakkendra.com
• kissansevakendra.org
• lpgvitarakchayanltd.org
• petrolpumpdelerchayan.in
• petrolpumpdealerschayan.in
• petrolepumpsdelearchayan.in
• kissansevakendra.org
• petrolpumpdealerchayanpro.com
• petrolpumchayanweb.com
• onlinepetrolpumpdealerchayan.com/

‍

HPCL also shared an advisory for their applicants regarding Beware Of Fraudsters.

‍

‍

Conclusion:

‍

It has been proven that fraud offers for LPG distributorships and retail outlet dealerships are being made through fake websites and emails. To avoid such scams, people are advised to be more vigilant, verify all information through official OMC platforms, and immediately report any suspicious activities to the concerned authorities. Being alert and informed is the key to preventing financial loss and protecting personal data from exploitation.

• Claim: Is this HPCL approval letter for an LPG agency dealership legit?
• Claimed On: Social Media 
• Fact Check: False and Misleading