SMS phishing, also known as "smishing", is a growing threat that tricks users into disclosing private information or clicking into URLs with malicious content through fraudulent mobile text messages. In recent past, we have also observed a rapid advancement of conversational generative AI chatbot services (e.g., OpenAI's ChatGPT, Google's BARD), which are powered by pre-trained large language models (LLMs). These AI chatbots certainly have a lot of utilities but it is not systematically understood how they can play a role in creating threats and attacks. In this paper, we propose AbuseGPT method to show how the existing generative AI-based chatbot services can be exploited by attackers in real world to create smishing texts and eventually lead to craftier smishing campaigns. To the best of our knowledge, there is no pre-existing work that evidently shows the impacts of these generative text-based models on creating SMS phishing. Thus, we believe this study is the first of its kind to shed light on this emerging cybersecurity threat. We have found strong empirical evidences to show that attackers can exploit ethical standards in the existing generative AI-based chatbot services by crafting prompt injection attacks to create newer smishing campaigns. We also discuss some future research directions and guidelines to protect the abuse of generative AI-based services and safeguard users from smishing attacks.

翻译：短信钓鱼（又称"smishing"）是一种通过欺诈性手机短信诱骗用户泄露隐私信息或点击恶意内容URL的日益严重的威胁。近年来，我们观察到由预训练大语言模型驱动的对话式生成式AI聊天机器人服务（如OpenAI的ChatGPT、Google的BARD）取得了快速发展。这些AI聊天机器人固然具有诸多实用价值，但其在威胁与攻击生成中的潜在作用尚未得到系统性认知。本文提出AbuseGPT方法，旨在展示攻击者如何在实际场景中利用现有基于生成式AI的聊天机器人服务创建短信钓鱼文本，并最终策划出更具欺骗性的钓鱼活动。据我们所知，目前尚无研究明确揭示这些基于文本的生成式模型对创建短信钓鱼的影响。因此，我们认为本研究是首次揭示这一新兴网络安全威胁的开创性工作。我们通过强有力的实证证据表明，攻击者可通过构造提示注入攻击，利用现有基于生成式AI的聊天机器人服务中的伦理标准漏洞，创建新型短信钓鱼活动。最后，我们探讨了防范生成式AI服务滥用、保护用户免受短信钓鱼攻击的未来研究方向与指南建议。