Perverse Incentives and Bad Outcomes
An AI training data exposure that led to an Emotet campaign - the story of a brand marketing agency in Orlando, Florida
In Orlando, Florida, a medium-sized brand marketing agency (successfully) jumped on the generative artificial intelligence (AI) bandwagon very early. Shortly after ChatGPT was released in November 2022, the agency began exploring its use in enhancing creativity and productivity to keep pace in Orlando’s highly competitive marketing/advertising market.
Their revenue increased every quarter, and their client base expanded significantly within Florida’s lucrative tourism industry. They even signed long-term contracts with new partners in the health and fitness industry and VIP contracts with professional athletes, sports figures, and B-list artists from Hollywood who maintain business footprints across Florida.
Around June-July 2023, rumor had it that the brand marketing agency was in talks to acquire a smaller ad agency based in Tampa, Florida. There were official high-level meetings, unofficial meetings, and meetings on the sidelines of summits held in faraway cities like Minneapolis and New York City. By the end of the fourth quarter of 2023, all signs pointed to a successful year for the brand marketing agency.
Spear-Phishing Emails
Typically, phishing emails went only to the brand marketing agency’s public relations department, and they were usually the common, run-of-the-mill package delivery-themed phishing emails. However, beginning around the first weekend of January 2024, almost every employee of the brand marketing agency began receiving far more phishing emails than usual, and the emails appeared to be spear-phishing: specifically meant for the agency.
Some of the spear-phishing emails were from senders asking for follow-up meetings with the agency’s employees on the pretext of having met at a virtual seminar a few weeks prior, except the recipients had never attended any virtual seminar. Other spear-phishing emails asked the recipients to confirm they had signed up for corporate food delivery accounts. However, no employee had signed up for food delivery accounts; the brand marketing agency has its own in-house catering service.
At first, the increased frequency of spear-phishing emails did not elicit any major response/reaction from recipients across the agency. However, on Thursday, January 18, the CEO received an email that continued an earlier thread between the agency and a prospective client—a law firm—discussing operational plans for a pending contract to manage a Q1-Q4 2024 search engine marketing campaign for the law firm.
That email got everyone’s attention.