GenAI-related domain registrations and DNS traffic show scammers rapidly exploiting GenAI trends (e.g., ChatGPT, GPT-4) to lure users, deliver PUP and spam, and monetize visits via parked domains. The analysis reveals patterns in keyword usage, traffic volume, and several case studies that underscore the need for proactive GenAI keyword monitoring and defense. #GenAI #ChatGPT #OpenAI #Unit42
Key Points
- GenAI-related newly registered domains (NRDs) run at about 225 domains per day since November 2022, with roughly 28.75% labeled suspicious—far higher than baseline NRDs.
- Domain registrations peak in line with GenAI milestones (ChatGPT/Bing integration Feb 7, 2023; GPT-4 Mar 14, 2023; GPTs Nov 6, 2023; Sora Feb 15, 2024).
- Text patterns show heavy use of GenAI keywords; over 72% of NRDs include terms like gpt or chatgpt, signaling deliberate topic hijacking.
- GenAI-related DNS traffic trends upward, with 35% directed to suspicious domains and two notable spikes in March and October 2023; elevated since Dec 2023.
- Traffic concentrates on a few major domains; OpenAI, Midjourney, and Stability AI account for ~92.37% of GenAI-related traffic, with the top 15 and top 50 domains capturing the majority of visits.
- Attack scenarios include PUP delivery in regions with restricted GenAI access (e.g., China), spam campaigns using GenAI keywords, and monetized domain parking leading to phishing and malware landing pages.
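As an added defensive example (not code from the Unit 42 report), the following Python sketches the proactive GenAI keyword monitoring the key points call for: it refangs the page's indicator domains, matches GenAI keywords in NRD labels, and flags non-allowlisted hits with simple squatting hints. The keyword list, brand fragments, allowlist and heuristics are assumptions, not the report's classifier.

```python
# Added example (not from the Unit 42 report): defender-side filter that flags
# GenAI-keyword domains in a newly-registered-domain (NRD) feed. Lists below are assumed.
import re

GENAI_KEYWORDS = ("midjourney", "chatgpt", "openai", "gemini", "bard", "sora", "gpt")
BRAND_FRAGMENTS = ("msft", "microsoft", "bing", "google")
LEGITIMATE = {"openai.com", "chatgpt.com", "midjourney.com", "stability.ai"}

def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'gptsotre[.]com' back into a hostname."""
    return domain.strip().lower().replace("[.]", ".")

def genai_keywords_in(domain: str) -> list:
    """GenAI keywords in the labels (TLD excluded); longer keywords are matched
    first and blanked out so 'chatgpt' is not also counted as 'gpt'."""
    labels = ".".join(refang(domain).split(".")[:-1])
    hits = []
    for kw in sorted(GENAI_KEYWORDS, key=len, reverse=True):
        if kw in labels:
            hits.append(kw)
            labels = labels.replace(kw, "#")
    return hits

def suspicion_hints(domain: str) -> list:
    """Cheap squatting signals: appended digits (chatgpt0002), hyphenated
    add-ons (gemini-addons), a third-party brand prefix (msftchatgpt)."""
    label = refang(domain).split(".")[0]
    hints = ["digits"] if re.search(r"\d", label) else []
    if "-" in label:
        hints.append("hyphen")
    if any(b in label for b in BRAND_FRAGMENTS):
        hints.append("third-party-brand")
    return hints

def triage_nrds(feed: list) -> dict:
    """Count GenAI-themed NRDs and list non-allowlisted ones for review or blocking."""
    result = {"total": len(feed), "genai": 0, "review": []}
    for name in map(refang, feed):
        kws = genai_keywords_in(name)
        if not kws:
            continue
        result["genai"] += 1
        if name not in LEGITIMATE:
            result["review"].append((name, kws, suspicion_hints(name)))
    result["genai_share"] = round(100 * result["genai"] / len(feed), 2) if feed else 0.0
    return result

# Constructed sample feed: the report's defanged IoC domains plus benign filler.
SAMPLE_FEED = ["gptsotre[.]com", "msftchatgpt[.]com", "chatgpt0002[.]cn", "chatgpt000[.]cn",
               "33115c[.]com", "internationaljobsite[.]com", "bardassai[.]com",
               "gemini-addons[.]com", "openai.com", "example-bakery.com"]
```

Run `triage_nrds(SAMPLE_FEED)` against a real NRD feed export to get the GenAI share and a review queue; the spam distribution domains from the IoC list show the limit of the approach, since they carry no GenAI keyword at all.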
MITRE Techniques
- [T1566] Phishing – “Adversaries use GenAI-related keywords in spam campaigns to attract users and distribute malicious links.”
- [T1071] Command and Control – “Domains registered with GenAI keywords are used for command and control purposes, directing users to malicious services.”
- [T1203] Malware – “Potentially unwanted programs (PUP) are delivered through domains masquerading as legitimate GenAI services.”
- [T1566.001] Spam – “Adversaries use GenAI-related keywords in spam campaigns to attract users and distribute malicious links.”
- [T1483] Domain Generation Algorithms – “Adversaries register numerous domains with GenAI keywords to create a large pool of potential malicious sites.”
- [T1003] Credential Dumping – “Phishing campaigns target users seeking information on GenAI, aiming to collect credentials through deceptive tactics.”
Indicators of Compromise
- [Domain] Suspicious GenAI Domains – gptsotre[.]com, msftchatgpt[.]com
- [Domain] PUP Delivery Domains – chatgpt0002[.]cn, chatgpt000[.]cn, and 12 more domains
- [Domain] Spam Distribution Domains – 33115c[.]com, internationaljobsite[.]com
- [Domain] Monetized Domain Parking – bardassai[.]com, gemini-addons[.]com
- [Hash] PUP SHA256 – bad2294523c7abd42c3184d1e513bf851cb649a4acd9543cdf5d54d21f52c937
Read more: https://unit42.paloaltonetworks.com/cybersquatting-using-genai-keywords/