The popular OpenAI's ChatGPT is continually being targeted by cyber attackers through phishing scams. The scams are planned out to retrieve sensitive user information. These phishing attacks are carefully created using OpenAI or its associated services, playing on the user's trust.
Some of the common OpenAI phishing scams and provide actionable tips for protecting oneself is as follows:
In the latest OpenAI hacking campaign, hackers sent out many emails stating that the subscription payment for ChatGPT had failed. They told the recipients that they needed to click on an ‘update payment details’ link. The link took them to a fake version of the actual page on the 'fnjrolpa.com' domain, where users were compelled to enter login details.
The hackers used an effective scam strategy that bypassed the core email authentication checks of DKIM and SPF thus, appearing legitimate. It affected over 1,000 accounts and was part of a larger credential-harvesting campaign as reported by Barracuda Networks.
Protection Tip: Always ensure the domain from which the email was sent exists. Don't click links coming from unsolicited e-mails. However, go directly to the official company website in case the user account gets compromised.
In another recent OpenAI phishing attack, hackers hacked into the X (formerly known as ‘Twitter’) account of OpenAI, @OpenAINewsroom. These hackers posted a fake update of a new cryptocurrency token called $OPENAI. The message posted by hackers declared that all the users on OpenAI could buy a fake OpenAI crypto token in return for participation in beta programs.
The link in the tweet had taken people to a fake website from where hackers got their sensitive personal and financial information. More than 54,000 followers were hoodwinked before this scam was discovered and later taken down.
Protection Tip: Be wary of crypto offers, especially those trending on the social media page of any big company. Always check offers through genuine channels, such as the verified OpenAI website or customer care.
A particularly sophisticated spear-phishing attack targeted OpenAI employees. The attack was attributed to a group known as SweetSpecter, believed to be based in China. This attack involved emails masquerading as customer support communications from OpenAI’s ChatGPT with malware.
If opened, the malware stole sensitive data from the company, such as screenshots of confidential information. Fortunately, the security team at OpenAI caught this through advanced security measures before it could deal massive damage.
Protection Tip: Never open attachments in unsolicited e-mails from unknown sources. Your e-mail system should have filtering software to scan for malicious content.
As OpenAI popularity increases along with functionality and expansion in using AI technologies, attacks towards AI interfaces may increase at an unprecedented scale. Here’s a set of precautious practices for individuals and businesses to fight phishing attacks of this type.
Invest in AI-powered security solutions that utilize machine learning algorithms to detect phishing emails when they pass through traditional email filters. These tools can recognize suspicious email behaviour, unusual sender patterns, and other content, thus saving you from a potential phishing attack.
The simplest way to prevent account hacking is by using two-factor authentication, also known as 2FA. If hackers try to steal credentials, they cannot get into the user accounts as it will require double verification, such as a one-time code received via SMS. This provides a good amount of extra security against hackers.
Probably, training would be the best defence against phishing attacks. Educated employees and users would know hacking tactics, and therefore, they would make effective individuals in spotting scam attempts. Training should also include suspicious sender domains and how to spot fake URLs as well as handling unsolicited emails, especially those requesting sensitive information.
Sometimes, phishing may still penetrate the best defences. With automated remediation tools at the point of email delivery, malicious emails can easily be identified and then erased. This will help organisations in acting fast to mitigate possible damage if, the phishing attempt goes through.
Most phishing messages carry some form of urgency or threat with them. Whether it is a message claiming that it is an update about the payment information or asking for a click on a link regarding a supposed promotion, all these requests should be taken with extreme caution. Cross-reference such requests against official communications from the company. Do not respond to unsolicited messages that ask for personal information or login credentials.
More and more phishing attacks are targeted towards high-profile companies such as OpenAI. Whether it is credential theft, cryptocurrency scams, or spear-phishing attempts, cybercriminals are getting smarter day by day. What can better guard against these emerging threats is good security protocols, education, and vigilance. Such strong security measures would be two-factor authentication, advanced email security solutions, and training employees on how to recognize phishing attempts. The time now is to be proactive and vigilant.