This article first appeared in Digital Edge, The Edge Malaysia Weekly on October 23, 2023 - October 29, 2023

Artificial intelligence (AI) has made it easier for bad actors to find ways to attack organisations. Kaspersky’s general manager for Southeast Asia Yeo Siang Tiong says cybercriminals can develop new malware, which can be difficult to detect. Some also use AI to create fake social media profiles or identities for phishing.

“[Cybercriminals can create] realistic phishing emails and messages, [making it seem] like they are from a legitimate person or company, and making them more likely to be opened by victims,” says Yeo.

Some examples include creating deep fake videos of politicians, celebrities or high-profile individuals where they are saying or doing things they have never said or done before. This makes it easier to defraud people, spread misinformation and damage someone’s reputation.

AI-powered chatbots are also used to impersonate customer service representatives, bank tellers or other trusted individuals to gather personal information from victims, tricking them into making payments or even taking control of their accounts.

In terms of sector, Yeo says the financial, government and healthcare sectors see the most cyberattacks because money and data are involved. “While [cybercriminals] may not be able to immediately get money from stolen data, data is very valuable when sold and that’s where money is made.”

Phishing is still the most prevalent form of attack, says Yeo, probably because it is the easiest to carry out. Ransomware is on the rise too, specifically ransomware 3.0 or ransomware-as-a-service.

Ransomware-as-a-service is a cybercrime business model in which ransomware operators write the software while affiliates pay the operators to launch attacks using the said software. Affiliates do not need to have technical skills of their own but rely on the technical skills of the operators.

Cryptojacking, a type of cybercrime that involves the unauthorised use of people’s devices — computers, smartphones, tablets or even servers — by cybercriminals to mine cryptocurrency, is another type of attack carried out.

“Cryptojacking may not directly affect victims but nevertheless, once [cybercriminals are] in, it also means that you could potentially be compromised for other purposes,” says Yeo.

As cybercriminals grow more sophisticated, personal data protection has been propelled into the spotlight. On top of that, as generative AI tools become increasingly accessible to the public, concerns over the legal parameters of copyright infringement have emerged.

Yeo points out that to date, there is no legislation that deals specifically with AI in Malaysia. For data protection, the country has the Personal Data Protection Act (PDPA) 2010.

“New laws and regulations need to be put in place to address the potential risks and challenges posed by AI,” he stresses.

“We suggest that it is essential for lawmakers to listen to AI/machine learning (ML) industry experts and discuss potential regulation in a specific and focused manner. We should not fear it, but accept and embrace the progress of adopting it, and keeping the conversation open.”

In order to safeguard themselves, companies and businesses need to invest in staying future-focused with their technology, as this can help mitigate risk. “[It is also important] to supplement your teams with AI and ML [skills], but do not replace them as no system is foolproof,” says Yeo, adding that companies should also update their data policies routinely to comply with evolving legislation.

As for the public, Yeo advises them to report any AI- and cyber-related incidents to the Malaysian Communications and Multimedia Commission, so that it can investigate the matter and take the necessary action. Individuals should also be aware of their rights within the PDPA and request for data to be deleted when in doubt.

“They should also be extra careful with sharing personal information online and be suspicious of any emails or text messages received from unknown people. Be sure to use strong passwords, update them from time to time or opt for multi-factor authentication.”

Malaysia faces a slew of challenges on the cybersecurity front, especially since the country has the most cases of leaked phone numbers sold to scammers in the world. Yeo says the nation is expected to experience cumulative losses from cyberattacks of up to RM1.2 billion by the end of this year.

There is also a shortage of skilled cybersecurity professionals in Malaysia. Communications and Digital Minister Fahmi Fadzil said the country needs 27,000 cybersecurity knowledge workers by the end of 2025.

Looking at Malaysia’s and Southeast Asia’s cybercrime landscape, Yeo says people need to be cautious of cybercriminals who post about fake leaks to boost their reputation. The reason they do this is to blackmail and extort certain people or companies, and to attract media attention.

“[Regardless of] whether the hack had actually happened, news of a leak might hurt the business anyway,” says Yeo.

He adds that more personal data leaks should be anticipated and that corporate emails are at risk. “[People] often use their work email to register on third-party sites, which could potentially expose [companies] to a data leak. It also invokes the interest of cybercriminals and triggers discussions of potential attacks on the darknet.”

Yeo advises people to be aware of crypto-stealing browser extensions. As the reliance on cryptocurrencies for online transactions continues to rise, cybercriminals are now targeting unsuspecting crypto users through malicious browser extensions.

These extensions interfere with browser functionality and mimic legitimate software, making detection difficult for antivirus software. The alarming reality is that the number of such malicious browser extensions has doubled recently, posing a significant risk to individuals and their crypto assets.

Save by subscribing to us for your print and/or digital copy.

P/S: The Edge is also available on Apple's App Store and Android's Google Play.