A clever phishing campaign impersonates OpenAI/ChatGPT branding and uses a personalized, IPFS-hosted link to harvest credentials. It combines brand forgery, display-address spoofing, and dynamic redirection to steal data while making takedown harder and avoiding easy back-navigation.
Keypoints
- Phishing campaign targets ChatGPT/OpenAI users with brand-accurate emails and account signup cues.
- Display spoofing makes the email appear to come from the recipient’s IT support or a trusted domain.
- Malicious links use InterPlanetary File System (IPFS) hosting to resist takedowns and persist across nodes.
- URL parameters tailor the attack to a victim’s organization (e.g., [email protected] or [email protected]) for convincing impersonation.
- Credential harvesting occurs when victims interact with a manipulated login flow; subsequent redirects send the victim to the attacker’s domain.
- Best practices call for verifying sender details, confirming requests with employers, and hovering over links before clicking.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – The attacker sends phishing email with a malicious link; “The initial email is branded with the OpenAI logo and the message is nearly identical to the one users receive when they sign up for a new ChatGPT OpenAI account.”
- [T1036] Masquerading – Spoofing the display address to appear as though the email comes from the recipient’s IT department; “Phishers spoofed the employee’s domain in the display address as ‘Recipient Domain IT support’ to make it appear as though the email came from the recipient’s IT department.”
Indicators of Compromise
- [URL] malicious login link – hxxps://bafybeidqi4sn5nfnfxlgasem4gsdmbq6m55iu6gtouomdgfwu4fx7ps7oq.ipfs.dweb.link/login.htm#[email protected]
- [Hash] content hash – bafybeidqi4sn5nfnfxlgasem4gsdmbq6m55iu6gtouomdgfwu4fx7ps7oq
- [URL Parameter] – [email protected], [email protected]
- [Domain] inky.com – used for impersonation and redirection in the credential-harvesting flow
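A mail-filter check for the link shape described above (an IPFS gateway URL that carries the recipient's address), written as an added example and not taken from the original report. The function names, the sample URL and the CID length bounds are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# CIDv1 base32 (the form used in gateway subdomains) and CIDv0 (path form only).
CID_V1 = r"b[a-z2-7]{50,}"
CID_V0 = r"Qm[1-9A-HJ-NP-Za-km-z]{44}"
SUBDOMAIN_GATEWAY = re.compile(rf"^({CID_V1})\.ipfs\.(.+)$")
PATH_GATEWAY = re.compile(rf"^/ipfs/({CID_V1}|{CID_V0})(/|$)")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Constructed sample: made-up CID and recipient, defanged like the IoC above.
SAMPLE = "hxxps://bafybei" + "a" * 52 + ".ipfs.dweb.link/login.htm#user@example.com"


def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.]) so the URL can be parsed, never fetched."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.I).replace("[.]", ".")


def analyze_link(url: str, recipient: str) -> dict:
    """Return the IPFS and personalization traits of one link from a message."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    result = {"ipfs_cid": None, "gateway": None, "embedded_email": None,
              "targets_recipient": False}
    sub = SUBDOMAIN_GATEWAY.match(host)
    path = PATH_GATEWAY.match(parts.path)
    if sub:
        result["ipfs_cid"], result["gateway"] = sub.group(1), sub.group(2)
    elif path:
        result["ipfs_cid"], result["gateway"] = path.group(1), host
    # The address rides in the fragment (not sent to the server) or the query.
    for carrier in (parts.fragment, parts.query):
        found = EMAIL.search(unquote(carrier))
        if found:
            result["embedded_email"] = found.group(0).lower()
            break
    if result["embedded_email"]:
        rcpt_domain = recipient.lower().rsplit("@", 1)[-1]
        result["targets_recipient"] = result["embedded_email"].endswith("@" + rcpt_domain)
    return result


def is_suspicious(url: str, recipient: str) -> bool:
    """Flag only the combination: IPFS-hosted page plus recipient-specific data."""
    r = analyze_link(url, recipient)
    return bool(r["ipfs_cid"] and r["targets_recipient"])
```

Requiring both traits keeps ordinary IPFS links and ordinary personalized links out of the alert queue; either trait alone can still be logged for hunting.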
Read more: https://www.inky.com/en/blog/fresh-phish-chatgpt-impersonation-fuels-a-clever-phishing-scam