AI Creates Phishing URLs That Can Beat Auto-Detection

A group of computer scientists from the Florida-based cyber-security company Cyxtera Technologies are reported to have built machine-learning software that generates phishing URLs able to slip past popular security tools.

Look Legitimate

Using the Phishtank database (a free community site where anyone can submit, verify, track and share phishing data), the scientists built machine-learning software called DeepPhish, which can create URLs for web pages that appear to be the legitimate login pages of real websites (but are not).

In fact the URLs, which can fool security tools, lead to web pages that collect the usernames and passwords entered into them for malicious purposes, e.g. hijacking the accounts at a later date.


The DeepPhish software that produced the fake but convincing URLs is an AI algorithm. It learned the patterns that threat actors have used effectively in the past and used them to generate new, previously unseen URLs that are effective for the same reasons, i.e. attacks derived from the attackers' own data.

Can Increase The Effectiveness of Phishing Attacks

Using Phishtank data and the DeepPhish algorithm in tests, the scientists found that two of the attackers they had uncovered could increase the effectiveness of their phishing URLs (the proportion that got past the detection system) from 0.69% to 20.9%, and from 4.91% to 36.28%, respectively.

Training The AI Algorithm

AI algorithms improve by being ‘trained’. In this case, the team of scientists first inspected more than a million URLs on Phishtank. From these, they were able to identify three distinct phishing campaigns that had generated web pages to steal people's credentials. The URLs from each campaign were then fed into an AI-based phishing detection algorithm to measure how effective they were at bypassing a detection system.

The team then fed the text of the URLs that had evaded detection into a Long Short-Term Memory (LSTM) network so that the algorithm could learn the general structure of effective URLs and extract the relevant features.

All of this enabled the algorithm to learn how to generate the kind of phishing URLs that could beat popular security tools.

What Does This Mean For Your Business?

AI offers some exciting opportunities for businesses to save time and money and to improve the effectiveness of their services. Where cyber-security is concerned, AI-enhanced detection systems are more accurate than traditional manual classification, and intelligent detection systems have been reported to identify threat patterns and detect phishing URLs with 98.7% accuracy, which has so far given the advantage to defenders.

However, it has been feared for some time that if cyber-criminals were able to use well-trained, sophisticated AI systems to defeat both traditional and AI-based cyber-defence systems, this could pose a major threat to Internet and data security and put many businesses in danger.

The tests by the Florida-based scientists did not produce very high evasion rates: even after DeepPhish, only roughly a fifth to a third of the generated URLs got past the detection system. This is a good thing for now, because it suggests that ordinary cyber-criminals, with fewer resources than a research team, may not yet be able to harness the full power of AI-based attacks. The hope is that the makers of detection and security systems will be able to use AI to stay one step ahead of attackers.

State-sponsored attackers, however, have many more resources at their disposal, and it is highly likely that AI-based attack methods are already being used by state-sponsored actors. Unfortunately, state-sponsored attacks can cause a lot of damage in both the business and civilian worlds.

Tech Tip – Improve Phone Speed With Lightweight Apps

If your phone has limited storage and you regularly use Facebook and Twitter, installing lightweight versions of these apps could help to speed it up.

Facebook Lite, for example, works much like the full version yet uses a fraction of the resources. The app is small, saves space on your phone and works on 2G connections. To use it:

– Go to

– Locate the app, and install it.

– n.b. Google also has lightweight versions of YouTube

Also, Twitter has a lightweight client which you can find at

Domain Names & GDPR

A recent German court ruling on GDPR covers personal information held in the worldwide whois service, and could mean that domain name admin and tech contact details no longer need to be collected, because of the GDPR ‘data minimisation’ principle.

Up Until Now

Until now, ICANN, the Internet Corporation for Assigned Names and Numbers, has required its accredited domain registrars (through its accreditation contracts with them) to collect and store certain details of people who register / purchase domain names. These details include the owner’s name and address, and the name, postal address, e-mail address, telephone number and (where available) fax number of the domain’s technical and administrative contacts. In many cases these are all the same person.

No More Collecting and Storing Details of Owners

The recent German court ruling came about because the German registrar EPAG Domainservices took the view that one important aspect of GDPR, which came into force on May 25th, is the principle of data minimisation.

Under this key GDPR principle, personal data collected by companies should be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. In other words, under GDPR, companies should collect only the personal data that is actually necessary to provide the service.

EPAG used this principle to argue that it no longer needed, or wanted, to collect the personal details of the technical and administrative contacts of domains, although it would still collect the personal details of the actual domain name owners.

ICANN Still Wanted Details Collected

ICANN disagreed with EPAG and sought an injunction that would have compelled EPAG either to keep collecting administrative and technical contact details or to pay a fine of up to €250,000 (US$291,000).

The court came down on EPAG’s side and refused to grant the injunction, on the grounds that there was no evidence that the extra information was needed, especially since the same person could be listed as the owner, technical and administrative contact.

ICANN’s Own Policy Proposal

ICANN had already published a temporary policy covering how information gathered by registrars should be made publicly available through the global whois service. Its policy was for tiered / layered access to personal information, limiting it to users with a legitimate and proportionate purpose, e.g. law enforcement, competition regulation, consumer protection or rights protection.


One ironic aspect of the court’s ruling is that ICANN’s own whois record lists no personal details for its administrative and technical contacts, and gives a single number for both contacts’ phone and fax, which turns out to be the main number for its network operations centre. It could be argued that this is data minimisation in action from an organisation that appears to have argued against it.

What Does This Mean For Your Business?

This story is a practical example of how GDPR could affect aspects of company operations that may not have been considered until now. It shows how established ways of doing things can be challenged relatively easily in some courts, with results that could spread across a whole industry.

If the ruling in this case is taken on board in other EU countries, it could save domain registrars some time and cut through bureaucracy while protecting privacy at the same time.

It is still early days for GDPR, and there are likely to be many different challenges and changes to come across many industries as a result.

Fruit Robots

Tests are being completed of ‘robot’ fruit-picking machines that can pick strawberries as carefully and quickly as humans, and could help growers solve the labour shortage next growing season.

Belgian Prototype Very Promising

European strawberry growers in Spain, Belgium and the UK are welcoming tests of robotic prototypes that can harvest soft fruit mechanically.

One example that has enjoyed some publicity is the ‘Octinion’ robotic arm on a self-driving trolley. Produced by a Belgian start-up, it is claimed to compete with a human on price and speed: it can pick one strawberry every four seconds, collect between 70% and 100% of the ripe fruit, and leave the berry with only the calyx (and not the stalk), which is the way European consumers are used to buying their berries.

The success of this robot, which grips the fruit and turns it through 90 degrees to snap it off the stalk, just as a human does, means that it is now completing final tests in partnership with real-world growers in the UK and continental Europe, and looks like being a realistic option for next season.

Dogtooth From Cambridge

Another soft-fruit-picking prototype that looks like being a serious competitor is the ‘Dogtooth’, produced by a Cambridge-based start-up and recently tested in Australia. It too consists of a robot arm mounted on a self-driving trolley.

The Dogtooth has been designed to pick strawberries the way UK retailers prefer, leaving around a centimetre of stem attached, because this has been found to extend shelf life.

Unlike Octinion’s machine, which has been built to work on fruit grown on raised platforms in polytunnels, Dogtooth’s machine has been designed to pick traditional British varieties in the field.

Genuine Labour Shortage

Some commentators have suggested that the motivation for producing the robots is simply to replace migrant labour with a cheaper, more efficient alternative, but strawberry producers across Europe and the US have insisted that they face a genuine shortage of workers to pick their fruit.

In the UK for example, the value of sterling following the Brexit vote has made it difficult to recruit overseas workers, and UK-based workers don’t appear to find seasonal picking work attractive or practical.

What Does This Mean For Your Business?

This is an example of how a range of technologies have been combined to produce a tool that can meet very real agricultural challenges, and could revolutionize a whole industry across the world. Although these machines may be expensive to buy, they can pay for themselves over time because, unlike humans, they don’t require wages, can work any number of hours, and they don’t take holidays, get sick or leave. They also mean that growers can plan their production with more certainty and don’t have to expend time, effort, and money on recruitment.

Automation, aided by huge technological advances, is a growing trend across most industry sectors. For example, a report by PwC from March 2017 claimed that over 30% of UK jobs could be lost to automation by 2030. According to the report, 44% of jobs in manufacturing (where there are already many robots, e.g. in car manufacturing), especially those involving manual work, look likely to go to AI-led software or robots. Transportation jobs are also in the high-risk category, with the report putting 56% of them at risk from autonomous vehicles. Jobs in wholesale and retail, the UK’s largest sector, also look vulnerable to automation in the future.

AI and robotics will alter what jobs look like in the future, but it is also important to remember that, as with the strawberry-picking robots, they could provide huge advantages and opportunities for businesses.

Workers can only really insulate themselves from the worst effects of automation by seeking more education / lifelong learning, and by remaining positive towards, and adapting to, change. How much automation, and what kind, individual businesses adopt will of course depend on a cost / benefit analysis compared with human workers, and on whether automation is appropriate and acceptable to their customers.

Smart Solar Power Savings From Google

Google, in partnership with the energy supplier E.On and with help from the German software firm Tetraeder, has released an online tool called ‘Project Sunroof’ that uses Google Earth and Maps data to estimate how much money homeowners could save by switching to solar power.


Machine learning is at the heart of the tool, which examines factors such as a property’s roof area and pitch, weather data and the sun’s position to estimate the ‘solar potential’ of a house, i.e. the total amount of sunlight that falls on that rooftop each year.

7 Million Rooftops

The partnership with E.On covers seven million rooftops across Germany. It uses E.On’s solar power and battery product offerings to calculate how much a specific household could save by installing solar panels and a battery pack.

Renewable Energy

The idea is part of a wider move by countries, including the UK, towards renewable energy, and is clearly intended to inform and persuade homeowners to cut their energy bills, and help the environment, by installing solar panels on their roofs.

International Energy Agency figures show that, even back in 2016, renewable energy accounted for two-thirds of new power added to the world’s grids. Solar power was the fastest-growing source of new energy worldwide that year, and is still growing in popularity now.

In the EU, the Renewable Energy Directive set a target of 20% of energy from renewables by 2020 across the EU as a whole, with binding national targets for each member state. Google’s shared project, therefore, helps to feed into that goal.

In recent years, many UK homeowners have taken advantage of subsidies such as the Feed-in Tariff scheme (with its generation and export tariffs) to save money on, and get paid for, the green energy they produce and feed into the grid.


Some fears have been expressed that the spread of renewables such as solar and wind across the US (for example) could suffer if the US imposes tariffs on imported Chinese solar panels following the US International Trade Commission’s investigation.

What Does This Mean For Your Business?

There is wide agreement that sustainable, renewable, green energy sources are needed to meet world demand while minimising the impact on the environment, and not contributing to climate change. Many businesses, some of which are big polluters, are coming to accept the many benefits that renewables and involvement with green projects have to offer.

Google’s involvement with this scheme is consistent with its recent, public commitment to green energy, and having the Google brand name involved in the project is a positive association that could help to convince customers to adopt solar. For example, back in December 2016, Google announced that all of its data centres and the offices for its 60,000 staff would be powered entirely by renewable energy from 2017, a formidable target that it now claims to have met. Even when the announcement was made, Google was already the world’s biggest corporate buyer of renewable electricity.

Google’s image and brand can only benefit from its public commitment to renewable energy, as it will from ‘Project Sunroof’, although Google’s commitment is also based on reducing costs in the longer term, and being seen to pave the way for other corporations.

1 – 0 In England Vs World Cup Hackers

It has been reported that the England football team will be briefed before flying out to their World Cup base in St Petersburg about how they and UK fans can avoid falling victim to Russian hackers.

NCSC Advice

The briefing is being delivered by the National Cyber Security Centre (NCSC), which is part of GCHQ. The advice will focus on cyber security for mobile devices and on using Wi-Fi connections safely while in Russia.

The same advice has been included in an NCSC blog post aimed at anyone travelling to Russia to watch any of the World Cup games, entitled ‘Avoid scoring a cyber security own goal this summer’.

The NCSC suggests that it should be read alongside other UK government online advice pages, such as the “FCO Travel Advice” page for Russia and the “Be on the Ball: World Cup 2018” pages.


Many security experts and commentators have noted that sporting events in Russia have become a real target for cyber criminals in recent times. The Russia-based security company Kaspersky reported seeing spikes in the number of phishing pages during match ticket sales for this year’s World Cup: every time tickets went on sale, fraudsters mailed out spam and activated clones of official FIFA pages and sites offering fake giveaways, all claiming to be from partner companies.

Kaspersky says that criminals register domain names combining words such as ‘world’, ‘worldcup’, ‘FIFA’ and ‘Russia’, and that if fans look closely they can see that the domains look unnatural and use a non-standard domain extension. The company advises fans to take a close look at the link in an email, or at the URL once a site has opened, to avoid falling victim to scammers.
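The DeepPhish story above and Kaspersky's advice here come down to the same lexical signals: keyword mash-ups, odd extensions, extra hyphens and brand names sitting in the wrong part of the URL. The Python below is an added example written for this page (it is not the DeepPhish code and not Kaspersky's tooling) showing the kind of structural features a URL classifier is trained on and how a hand-weighted scorer treats a few constructed sample URLs. The keyword list, the allow-listed brand domain, the ‘suspicious TLD’ list and the weights are assumptions made for the illustration.

```python
"""Structural URL features of the kind a phishing-URL detector learns from.

Added example, not code from the DeepPhish paper or from Kaspersky. The keyword,
domain and TLD lists below are constructed for illustration (assumptions).
"""
import re
from urllib.parse import urlsplit

# Assumptions for this example: words the scam domains imitate, the genuine
# domain those words belong to, and cheap TLDs rarely used by the real brand.
BRAND_KEYWORDS = ("fifa", "worldcup", "world-cup")
KNOWN_BRAND_DOMAINS = {"fifa.com"}
SUSPICIOUS_TLDS = {"xyz", "top", "club", "tk", "ml", "ga", "cf", "gq", "win", "bid", "loan"}
# Labels under which some country registries sell names, e.g. example.co.uk
SECOND_LEVEL_LABELS = {"co", "com", "org", "net", "ac", "gov"}
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def registered_domain(host: str) -> str:
    """Approximate the registrable domain (a real detector uses the public suffix list)."""
    if IPV4.fullmatch(host):
        return host
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL_LABELS and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_features(url: str) -> dict:
    """Pull out the lexical signals that classic URL classifiers are trained on."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reg = registered_domain(host)
    # Everything left of the registrable domain is text the attacker chose freely
    subdomain = host[: -len(reg)].rstrip(".") if host != reg and host.endswith(reg) else ""
    # So are the path, the query string and any user@ prefix before the host
    free_text = " ".join([subdomain, parts.path, parts.query, parts.username or ""]).lower()
    brand_in_reg = any(k in reg for k in BRAND_KEYWORDS)
    brand_in_free_text = any(k in free_text for k in BRAND_KEYWORDS)
    return {
        "registered_domain": reg,
        "url_length": len(url),
        "host_labels": len(host.split(".")) if host else 0,
        "hyphens_in_host": host.count("-"),
        "ip_host": IPV4.fullmatch(host) is not None,
        "userinfo": parts.username is not None,
        "suspicious_tld": reg.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS,
        # Brand word inside a domain the brand does not own: fifa-tickets.xyz
        "brand_in_unknown_domain": brand_in_reg and reg not in KNOWN_BRAND_DOMAINS,
        # Brand word only in subdomain / path / userinfo: fifa.com.secure-login.top
        "brand_outside_domain": brand_in_free_text and reg not in KNOWN_BRAND_DOMAINS,
    }


def score(url: str) -> int:
    """Hand-weighted sum standing in for a trained classifier's decision function."""
    f = extract_features(url)
    points = 0
    if f["brand_in_unknown_domain"] or f["brand_outside_domain"]:
        points += 3
    if f["suspicious_tld"]:
        points += 2
    if f["ip_host"]:
        points += 2
    if f["userinfo"]:
        points += 2
    points += min(f["hyphens_in_host"], 3)
    if f["host_labels"] >= 4:
        points += 1
    if f["url_length"] > 75:
        points += 1
    return points


def classify(url: str, threshold: int = 4) -> str:
    return "suspicious" if score(url) >= threshold else "unflagged"


# Constructed sample URLs for the demo (reserved example/test names, not real phishing sites)
SAMPLES = [
    "https://www.fifa.com/worldcup/tickets",          # genuine brand domain
    "http://example.co.uk/news",                      # ordinary site under a two-level suffix
    "http://fifa-worldcup-russia-tickets.xyz/login",  # keyword mash-up on a cheap TLD
    "http://fifa.com.secure-login.top/account",       # brand as a subdomain of another domain
    "http://192.0.2.10/fifa/login",                   # raw IP host
    "http://www.fifa.com@evil.example/",              # brand in the user@ part; host is evil.example
    "http://example.org/ticket-office",               # no lexical signal at all: invisible here
]


def report(urls=SAMPLES) -> dict:
    """Map each URL to (score, label)."""
    return {u: (score(u), classify(u)) for u in urls}


if __name__ == "__main__":
    for u, (s, label) in report().items():
        print(f"{s:2d} {label:10s} {u}")
```

The last sample carries no lexical signal and scores zero, which is the failure mode DeepPhish exploits: a model that learns only from URL text can be trained against, and a generator fed the URLs that already slipped through will learn to avoid exactly these counters. Treat URL scoring as one weak signal and pair it with page-content, certificate and domain-age checks.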

The general advice from Kaspersky is to give cheap tickets a wide berth, not to buy goods from spammers in the run-up to kickoff (because the goods may not even exist), not to fall for spam about lotteries and giveaways because they may be used for phishing, not to visit dubious sites offering cheap accommodations or plane tickets, and only to watch broadcasts on official FIFA partner websites.

Kaspersky also advises visitors to use a VPN to connect to the Internet because, in the aftermath of the Russian government’s attempt to block Telegram, many popular sites in Russia are either unavailable or unstable. A VPN also keeps your traffic away from the local network operator, but it moves that trust to the VPN provider, so use one you already trust rather than a free app installed on arrival.

England Team’s Briefing

The England manager, Gareth Southgate, has noted that the players are young people who will look for things to occupy their time in hotel rooms, e.g. playing video games and using multiple devices such as smartphones, tablets and games consoles. The fact that technology will play a big part in the team’s downtime throughout the tournament is the main reason why the FA is taking cyber security so seriously.

It is understood, therefore, that the NCSC will be advising the players on the rules to follow, e.g. which devices they can safely use and where. The devices belonging to players and staff will also be screened to make sure they have the right security software installed.

What Does This Mean For Your Business?

Anyone travelling abroad for business or pleasure, particularly to countries where cyber security threat levels are known to be high, should read the UK government’s advice pages on cyber security while travelling.

For travel to Russia for the World Cup, some of the measures people can take before travelling are: check which network you will be using and what it costs; make sure all software and apps are up to date and antivirus is turned on; enable remote wipe so that the phone can be erased if it is lost; and make sure all devices are password-protected and use other security features, e.g. fingerprint recognition.

On arriving in Russia, the advice is to remember that public and hotel Wi-Fi connections may not be safe, and to be very careful about what information you share over them, e.g. banking. Also, don’t share phones, laptops or USB sticks with anyone, be cautious with any IT-related gifts such as USB sticks, and keep your devices with you at all times rather than leaving them unattended.

The full UK government advice can be found here

Two More Security Holes In Voice Assistants

Researchers from Indiana University, the Chinese Academy of Sciences and the University of Virginia have discovered two new security vulnerabilities in voice-powered assistants such as Amazon Alexa and Google Assistant that could lead to the theft of personal information.

Voice Squatting

The first vulnerability, outlined in a recent white paper by the researchers, has been dubbed ‘voice squatting’: a method that exploits the way a skill or action is invoked. It takes advantage of the way that voice personal assistants (VPAs) such as smart speakers work. The services used in smart speakers run apps called “skills” (Amazon) or “actions” (Google). A skill or action gives a VPA additional features, and the user interacts with it through a voice user interface (VUI), running the skill or action with nothing but their voice.

The ‘voice squatting’ method essentially involves tricking VPAs with homophones, i.e. words that sound the same but have different meanings. Using an example from the white paper, if a user gives the command “Alexa, open Capital One” to run the Capital One skill, a cyber criminal could register a malicious skill with a similarly pronounced name, e.g. “Capital Won”. The voice command intended for the Capital One skill could then be hijacked to run the malicious Capital Won skill instead.
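One check a skill store could run at registration time is to normalise the proposed invocation name and compare it, word by word, with the names already registered, using both a homophone table and a phonetic key. The Python below is an added example written for this page; it is not the researchers' tool and not Amazon's or Google's vetting code, and the homophone groups and filler-word list are constructed assumptions.

```python
"""Sound-alike check for skill / action invocation names (the 'voice squatting' pattern).

Added example; not the researchers' code and not Amazon's or Google's vetting logic.
The homophone table and filler-word list are constructed for this example (assumptions).
"""
import re

# Assumption: a few homophone groups. A real check would use a pronunciation
# dictionary so that "one"/"won"-style pairs are covered systematically.
HOMOPHONE_GROUPS = [
    {"one", "won"}, {"two", "to", "too"}, {"four", "for", "fore"},
    {"capital", "capitol"}, {"right", "write", "rite"}, {"buy", "by", "bye"},
    {"there", "their", "they're"}, {"weather", "whether"},
]
CANONICAL = {word: min(group) for group in HOMOPHONE_GROUPS for word in group}
# Assumption: words an assistant tolerates around the invocation name,
# so "capital one please" still reaches the "capital one" skill.
FILLER = {"please", "skill", "app", "the", "my"}
SOUNDEX_CODES = {c: d for d, letters in (("1", "bfpv"), ("2", "cgjkqsxz"), ("3", "dt"),
                                         ("4", "l"), ("5", "mn"), ("6", "r")) for c in letters}


def soundex(word: str) -> str:
    """Standard Soundex: first letter plus three digits for the consonant skeleton."""
    word = re.sub(r"[^a-z]", "", word.lower())
    if not word:
        return ""
    out, prev = word[0].upper(), SOUNDEX_CODES.get(word[0], "")
    for ch in word[1:]:
        if ch in "hw":                      # h and w neither emit a digit nor separate repeats
            continue
        code = SOUNDEX_CODES.get(ch, "")    # vowels give "" and reset prev
        if code and code != prev:
            out += code
        prev = code
    return (out + "000")[:4]


def normalize(name: str) -> list:
    """Lower-case, drop filler words, fold each word onto its homophone group."""
    words = [w for w in re.findall(r"[a-z']+", name.lower()) if w not in FILLER]
    return [CANONICAL.get(w, w) for w in words]


def phonetic_key(name: str) -> str:
    """Soundex of every normalised word, so near-homophones also collide."""
    return " ".join(soundex(w) for w in normalize(name))


def check_invocation(new_name: str, existing: list) -> list:
    """Return [(existing_name, reason)] for every registered name new_name could hijack."""
    hits = []
    for other in existing:
        if normalize(new_name) == normalize(other):
            hits.append((other, "homophone"))
        elif phonetic_key(new_name) == phonetic_key(other):
            hits.append((other, "sounds alike"))
    return hits


if __name__ == "__main__":
    # Constructed registry of existing invocation names for the demo
    registry = ["Capital One", "Weather Report"]
    for candidate in ["Capital Won", "capitol one please", "Capitel One",
                      "Whether Report", "Ticket Office"]:
        print(candidate, "->", check_invocation(candidate, registry) or "no conflict")
```

Note that a plain phonetic algorithm such as Soundex keeps the first letter literally, so it keys “one” as O500 and “won” as W500 and would miss the very pair in the paper's example; the explicit homophone table does the real work here, which is why a production check would use a pronunciation dictionary rather than a hand-written list.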

Voice Masquerading

The second vulnerability identified by the research has been dubbed ‘voice masquerading’. This method of exploiting how VPAs operate involves using a malicious skill / action to impersonate a legitimate skill / action, with the intended result of tricking a user into reading out personal information / account credentials, or to listen-in on private conversations.

For example, the researchers were able to register five new fake skills with Amazon that passed Amazon’s vetting process despite using invocation names similar to existing skills, and found that they were invoked by a high proportion of users.

Private Conversation Sent To Phone Contact

These latest revelations come hot on the heels of recent reports that a recording of a private conversation of a woman in Portland (US) was sent to one of her phone contacts without her authorisation after her Amazon Echo misinterpreted what she was saying.

What Does This Mean For Your Business?

VPAs are popular but still relatively new, and one positive aspect of this story is that these vulnerabilities have at least been identified by researchers so that changes can (hopefully) be made to counter them. Amazon has said that it conducts security reviews as part of its skill certification process, and it is hoped that the researchers’ success in passing off fake skills will make Amazon, Google and others look more carefully at their vetting processes.

VPAs are now destined for the workplace, e.g. business-focused versions of popular models and bespoke versions. In this young market there are, however, genuine fears about the security of IoT devices, and businesses may be particularly nervous about VPAs being used by malicious players to listen in on sensitive business information that could then be used against them, e.g. for fraud or extortion. The big producers of VPAs will need to reassure businesses that they have built in enough security features and safeguards for businesses to trust their use in sensitive areas of the workplace.

Tech Tip – Alexa Skills Commands That Could Help At Work

Amazon’s Echo speakers may be used mainly in the home, but putting the listening / privacy fears aside, they can be useful in a business setting, particularly in small business settings / home offices. With this in mind, here are four skills commands that could help you:

Create Reminders – Alexa can act like a personal assistant. For example, you can tell Alexa exactly what you need to remember e.g. business appointments on certain days / times and it will remind you of that task and time. To create a reminder, say the task and its time such as, “Alexa, remind me to review customer accounts 10 a.m. every Monday”.

Create Distinctive Voice Profiles – By setting up voice profiles, Alexa can distinguish who is issuing the command e.g. different people in the office can ask “Alexa, what’s on my calendar?” Ask Alexa for details of how to do it.

ChatBot Skill – By enabling the ChatBot skill, workers can ask Alexa out loud to post on their behalf, which can aid productivity. It works by linking an Amazon account to a Slack account; users can then post to a specific channel simply by asking Alexa.

Find Your Phone – You can use Alexa to ring your phone by voice, using a free skill available from Amazon. The phone should ring even if it is on silent, although it may not work if the phone is in Do Not Disturb mode. You can also add several people by name so that it can call different phones rather than just one.

Fined For Using a Smart Watch At Traffic Lights

In a recent court case in Canada, an Apple Watch was treated as the same kind of distraction as a mobile phone when a student was fined after being observed looking at the watch while waiting at traffic lights.

Distraction Law in Ontario

Student Victoria Ambrose is reported to have fallen foul of Ontario’s strict ‘distracted driving’ law.

In Ontario, the law states that using a phone to talk, text, check maps or choose a playlist while you’re behind the wheel all count as distracted driving, as do other activities like eating, reading or typing a destination into a GPS.

In the case of Victoria Ambrose, the judge likened the Apple smartwatch to being as much of a distraction as a “cell phone taped to someone’s wrist”.


In her defence, the student said that she had looked at the watch only to tell the time and that, because the watch was securely fastened to her wrist, it should fall under the exemption in the Ontario law for devices that are “securely mounted”.

The judge rejected both arguments, saying that the length of time she was observed looking at the watch meant she was distracted while driving, rather than simply glancing at her watch to find out the time.

According to Ontario’s Ministry of Transportation, deaths from collisions caused by distracted driving have doubled since 2000; 2013 data shows that one person is injured in a distracted-driving collision every half hour, and that a driver using a phone is four times more likely to crash than a driver focusing on the road.


In this case, the student was fined Canadian $400 (£230).

Warning In The UK

Back in 2014, the UK Department for Transport (DfT) warned drivers against looking at smartwatches while driving, saying that smartwatches are covered by existing laws designed to stop people checking gadgets while on the move, and that drivers caught texting from a smartwatch will have given police enough material to charge them.

What Does This Mean For Your Business?

This story illustrates that while technology can be helpful, it can also be a dangerous and / or costly distraction.

In the workplace, for example, studies show that smartphone users touch their device somewhere between twice a minute and once every seven minutes, and that carrying out tasks while receiving e-mails and phone calls can reduce a worker’s effective IQ by approximately ten points relative to working in uninterrupted quiet.

In an age where 85% of UK citizens use smartphones (Deloitte figures, Oct 2017), there are arguments as to whether they, and other gadgets (e.g. under BYOD policies), are helping or hindering productivity.

For companies with employees who drive as part of their work, this story should illustrate the need to warn employees of the current law and safety recommendations regarding distraction, and if possible, to ensure that they have appropriate hands-free equipment to use while handling work calls.

Facebook Losing the Battle For Teenage Attention

A study by Pew in the US has found that Facebook is now lagging behind YouTube, Instagram and Snapchat, as a platform where teenagers spend their time.

Down To 4th Place

The study, which surveyed around 750 teens over one month earlier this year, found that Facebook has suffered a drop of roughly 20 percentage points since 2015 in its usage by teenagers. Although 51% still use Facebook, this is a long way behind the 85% who use YouTube (Google-owned), the 72% who use Instagram (which Facebook owns anyway) and the 69% who use Snapchat.

What’s Been Happening?

An eMarketer report illustrates what has been happening. It predicts that in 2018, 2.2 million 12-to-17-year-olds and 4.5 million 18-to-24-year-olds will regularly use Facebook in the UK, 700,000 fewer than in 2017. Most of the young defectors appear to be going to Snapchat instead.

The same report shows a surge in older users of Facebook: the over-55s will become the second-biggest demographic of Facebook users this year. For example, 500,000 new over-55s are expected to join Facebook in 2018, bringing the number of regular users aged 55 and over to 6.4 million.

Passing Over Instagram For Snapchat

One of the reasons Facebook bought Instagram was so that it could keep at least some of the young people deserting Facebook as customers of one of its services.

Unfortunately for Facebook, young people appear to have been leaving it for Snapchat rather than Instagram. For example, in the last three years Snapchat has more than doubled its take-up among UK users of social networking sites and apps, to 43%.


It is an age-old trait of teenagers and young people that, because of a need for independence and privacy, they would rather not go to the same places as their parents, and to some extent this is what has been happening with Facebook.

Also, many more young people now have smartphones, and they use them to go where the rest of their peer group goes, i.e. to Snapchat. It doesn’t help that Facebook has recently received a lot of bad publicity over the sharing of user data with Cambridge Analytica, and over the part it allegedly played in being used by representatives of certain foreign powers to sway the 2016 US presidential election towards Donald Trump.

Facebook has also proved particularly attractive in recent years to older people, who have found that its video and photo features are easy to use and let them keep up with the social lives of their grown-up children and grandchildren.

Facebook For Kids

Facebook has long known that it has been attracting an older demographic, and that young people have been leaving the platform in pursuit of a new experience, and to stay in touch with other members of their peer group.

Attracting a new, young group of users therefore looks likely to be one of the main reasons why, back in December 2017, Facebook announced a kind of Facebook for children in the form of ‘Messenger Kids’. Some commentators said at the time that it appeared to be a way for Facebook to recruit its next generation of users and to capture the attention of 6-to-12-year-olds before Snapchat or a similar competitor could.

What Does This Mean For Your Business?

For Facebook, even though it recognises (and is trying to solve) its problem attracting teenage users, it remains by far the most popular social networking site in the UK, with 32.6 million regular users this year. Facebook’s Instagram also looks likely to grow its user base from 15.7 million to 18.4 million this year, although it too appears to be losing young users to Snapchat.

For businesses wishing to advertise, Facebook is therefore likely to be a way to reach older age groups, e.g. those in their 40s, 50s and above. Facebook has also announced an overhaul of its news feed algorithm to prioritise what friends and family share and to reduce the amount of non-advertising content from publishers and brands.

Businesses with older customer demographics may also want to keep making the most of their company Facebook business page.