ChatGPT is being used to lure victims into downloading malware

ChatGPT
(Image credit: CKA via Shutterstock)

Hackers are trying to capitalize on the enormous popularity of ChatGPT to distribute malware, security experts have warned.

A report from cybersecurity researchers CloudSEK has detailed an elaborate scheme that includes stolen Facebook accounts, groups, and pages, malicious Facebook ads, and fake ChatGPT software.

As per the report, threat actors are using stolen Facebook accounts to distribute malware. They would log into these accounts, and use them to run malicious ads. The ads would advertise a website where the “latest version” of ChatGPT can be downloaded - for free.

Fake sites, stolen Facebook groups

For the uninitiated, ChatGPT is a language-based artificial intelligence model, a chatbot whose revolutionary technology took the world by storm. 

The tool is mostly free and can be accessed via this link. There is no executable to be downloaded, and whoever is advertising one is a malicious actor. 

Victims that take the bait and download the malware risk compromising their personally identifiable data (PII), as well as payment data - if this happens, then using the best identity theft protection may be the best recourse. The researchers also say the malware can spread across systems through removable media, and escalate privileges to remain on the compromised endpoints. 

When they’re not running malicious ads, the attackers are using compromised Facebook accounts that administer different pages and groups. Admin accounts are quite valuable on the dark web, as they exponentially expand the reach of any malware campaign, and do so organically. For this campaign, the researchers discovered 13 Facebook pages/accounts with more than 500,000 followers. The oldest page was stolen in mid-February this year and has more than 23,000 followers. 

"Cybercriminals are capitalizing on the popularity of ChatGPT, exploiting Facebook's vast user base by compromising legitimate Facebook accounts to distribute malware via Facebook ads, putting users' security at risk. Our investigation has uncovered 13 compromised pages with over 500K followers, some of which have been hijacked since February 2023. We urge users to be vigilant and aware of such malicious activities on the platform,” said Bablu Kumar, Cyber Intelligence Analyst, CloudSEK.

Through these pages and groups, the attackers seem to be distributing a video to attract and engage the audience. Furthermore, CloudSEK discovered at least 25 websites that are impersonating OpenAI’s chatbot. The majority of compromised accounts were being controlled by Vietnamese actors, they concluded. 

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

TOPICS