Unit 42 researchers document a surge in ChatGPT-related scams, including domain squatting and copycat services that abuse OpenAI branding to lure users into installing malware or handing over data. The article covers phishing, malware delivery, crypto and financial scams, and browser-extension abuse, with guidance to stay vigilant and use only official OpenAI channels. #ChatGPT #OpenAI
Keypoints
- 910% increase in monthly registrations of domains related to ChatGPT from Nov 2022 to Apr 2023.
- 17,818% growth in related squatting domains observed in DNS logs during the same period.
- Up to 118 daily detections of ChatGPT-related malicious URLs in Advanced URL Filtering.
- Phishing URLs impersonating official OpenAI/ChatGPT sites lure victims into downloading malware or sharing sensitive information.
- Malware delivery via a fake “DOWNLOAD FOR WINDOWS” button (Trojan, SHA256: ab68a3d42cb0f6f93f14e2551cac7fb1451a49bc876d3c1204ad53357ebf745f).
- Crypto and financial scams that borrow OpenAI branding (some also using Elon Musk imagery), plus fake paid chatbot services (e.g., chatgpt[.]appleshop[.]top).
- Risks of copycat chatbots include data input collection and potential manipulation of responses; users are urged to access ChatGPT only through the official OpenAI site.
MITRE Techniques
- [T1583] Acquire Infrastructure – Domains – threat actors register and use squatting domains using “openai”/“chatgpt” (e.g., openai[.]us, openai[.]xyz, chatgpt[.]jobs) to abuse brand reach. “threat actors registering and using squatting domains in the wild that use “openai” and “chatgpt” as their domain name (e.g., openai[.]us, openai[.]xyz and chatgpt[.]jobs).”
- [T1566.001] Phishing – Spearphishing Link – scammers create fake sites mimicking the ChatGPT official site to trick users into downloading malware or revealing information. “phishing URLs attempting to impersonate official OpenAI sites. Typically, scammers create a fake website that closely mimics the appearance of the ChatGPT official website, then trick users into downloading malware or sharing sensitive information.”
- [T1204.002] User Execution – Malicious File – a user clicks a button that downloads malware (Trojan) to their device. “‘DOWNLOAD FOR WINDOWS’ button that, once clicked, downloads the Trojan malware (SHA256: ab68a3d42cb0f6f93f14e2551cac7fb1451a49bc876d3c1204ad53357ebf745f) to their devices without the victims realizing the risk.”
- [T1555.003] Credentials from Web Browsers – the malicious Chrome extension example collects user data through web services (e.g., the Facebook Graph API) and could steal account details; copycat chatbots likewise “might collect and steal the input you provide.”
Indicators of Compromise
- [Domain] Squatting Domains – openai[.]us, openai[.]xyz
- [Domain] ChatGPT Scams – chat-gpt-online-pc[.]com, x2chatgpt[.]org
- [Domain] ChatBot – chatgpt[.]appleshop[.]top
- [URL] Chrome Extensions – chatgptforchrome[.]com, chrome[.]google[.]com/webstore/detail/ai-chatgpt/boofekcjiojcpcehaldjhjfhcienopme
- [SHA256] Trojan/Malware – ab68a3d42cb0f6f93f14e2551cac7fb1451a49bc876d3c1204ad53357ebf745f
- [SHA256] Chrome Extension Hash – 94a064bf46e26aafe2accb2bf490916a27eba5ba49e253d1afd1257188b05600
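The squatting pattern behind T1583 and the domain IoCs above (brand keyword in the registered name, brand keyword pushed into a subdomain as with chatgpt[.]appleshop[.]top, and one-character typos of the brand) can be turned into a DNS-log check. The following is an added example written for this page, not Unit 42's tooling. It assumes a naive "last two labels" registered-domain split (no public-suffix list), an allowlist containing only openai.com, and constructed sample log lines in `<timestamp> <client> <qname>` form; the IoC domains and SHA256 values are the ones listed above, with defanging removed.

```python
"""Flag ChatGPT/OpenAI brand-squatting domains in DNS query logs (added example)."""
import hashlib

# Assumption: only the openai.com family is treated as legitimate here; extend as needed.
OFFICIAL_DOMAINS = {"openai.com"}
BRAND_KEYWORDS = ("openai", "chatgpt")

# Domains from the IoC list above, defanging removed.
KNOWN_BAD_DOMAINS = {
    "openai.us", "openai.xyz", "chatgpt.jobs",
    "chat-gpt-online-pc.com", "x2chatgpt.org",
    "chatgpt.appleshop.top", "chatgptforchrome.com",
}
# SHA256 IoCs from the list above (Trojan from the fake download button, malicious extension).
KNOWN_BAD_SHA256 = {
    "ab68a3d42cb0f6f93f14e2551cac7fb1451a49bc876d3c1204ad53357ebf745f",
    "94a064bf46e26aafe2accb2bf490916a27eba5ba49e253d1afd1257188b05600",
}

# Constructed sample DNS query log (not from the article): "<ts> <client> <qname>".
SAMPLE_DNS_LOG = """\
2023-04-12T09:01:11Z 10.1.2.3 api.openai.com
2023-04-12T09:02:45Z 10.1.2.9 openai.xyz
2023-04-12T09:03:02Z 10.1.2.7 chatgpt.appleshop.top
2023-04-12T09:04:30Z 10.1.2.3 chat-gpt-online-pc.com
2023-04-12T09:05:10Z 10.1.2.5 www.chatgpt-login.example
2023-04-12T09:06:00Z 10.1.2.5 openal.com
2023-04-12T09:07:19Z 10.1.2.8 cdn.example.net
"""


def normalize(domain: str) -> str:
    """Lower-case, undo '[.]' defanging, strip whitespace and trailing dot."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def registered_domain(domain: str) -> str:
    """Naive eTLD+1 (last two labels). Assumption: replace with a public-suffix list in production."""
    return ".".join(domain.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typos of a brand keyword."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def brand_match(label: str):
    """Return (keyword, 'contains'|'typo') if a label embeds or nearly matches a brand keyword."""
    flat = label.replace("-", "")          # chat-gpt -> chatgpt
    for kw in BRAND_KEYWORDS:
        if kw in flat:
            return kw, "contains"
    for kw in BRAND_KEYWORDS:
        if levenshtein(flat, kw) == 1:
            return kw, "typo"
    return None


def classify(qname: str):
    """Return a reason string for a suspicious name, or None if it looks benign."""
    name = normalize(qname)
    reg = registered_domain(name)
    if reg in OFFICIAL_DOMAINS:
        return None
    if reg in KNOWN_BAD_DOMAINS or name in KNOWN_BAD_DOMAINS:
        return "known_ioc"
    match = brand_match(reg.split(".")[0])
    if match:
        kw, kind = match
        return f"typosquat:{kw}" if kind == "typo" else f"combosquat:{kw}"
    # Brand keyword used only in a subdomain of an unrelated registered domain
    # (the chatgpt.appleshop.top pattern).
    for label in name.split(".")[:-2]:
        match = brand_match(label)
        if match and match[1] == "contains":
            return f"brand_subdomain:{match[0]}"
    return None


def scan_dns_log(log_text: str):
    """Return [(qname, reason)] for every suspicious query in the log."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        reason = classify(parts[2])
        if reason:
            hits.append((parts[2], reason))
    return hits


def is_known_bad_file(data: bytes) -> bool:
    """Match file contents against the SHA256 IoCs."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


if __name__ == "__main__":
    for qname, reason in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{qname:32} {reason}")
```

The typo check deliberately fires only at edit distance 1, so short unrelated labels do not trip it, but brand keywords embedded in any label (combosquatting) are always flagged; tune the allowlist before running this against real resolver logs, and swap the two-label split for a public-suffix library so that names under multi-label suffixes such as `.co.uk` are split correctly.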
Read more: https://unit42.paloaltonetworks.com/chatgpt-scam-attacks-increasing/