Highlights from CPR’s report on ChatGPT, cybersecurity
- Check Point Research (CPR) sees a surge in malware distributed through websites appearing to be related to ChatGPT
- Since the beginning of 2023, 1 out of 25 new ChatGPT-related domain was either malicious or potentially malicious
- CPR provides examples of websites that mimic ChatGPT, intending to lure users to download malicious files, and warns users to be aware and to refrain from accessing similar websites
The age of AI – Anxiety or Aid?
In December 2022, Check Point Research (CPR) started raising concerns about ChatGPT’s implications for cybersecurity.
In its previous report, CPR put a spotlight on an increase in the trade of stolen ChatGPT Premium accounts, which enable cyber criminals to get around OpenAI’s geofencing restrictions to secure unlimited access to ChatGPT.
A surge in cyberattacks has recently been noticed by Check Point Research, leveraging websites associated with the ChatGPT brand. These attacks involve the distribution of malware and phishing attempts through websites that appear to be related to ChatGPT.
The firm has identified numerous campaigns that mimic the ChatGPT website with the intention of luring users into downloading malicious files or disclosing sensitive information. The frequency of these attack attempts has been steadily increasing over the past few months, with tens of thousands of attempts to access these malicious ChatGPT websites.
Since the beginning of 2023 until the end of April, out of 13,296 new domains created related to ChatGPT or OpenAI, 1 out of every 25 new domains were either malicious or potentially malicious.
One of the most common techniques used in phishing schemes are lookalike or fake domains. Lookalike domains are designed to appear to be a legitimate or trusted domain at a casual glance. For example, instead of the email address email@example.com, a phishing email may use firstname.lastname@example.org. The email substitutes ‘rn’ for ‘m’. While these emails may look authentic, they belong to a completely different domain that may be under the attacker’s control.
Phishers may also use fake but believable domains in their attacks. For example, an email claiming to be from Netflix may be from email@example.com. While this email address may seem legitimate, it is not necessarily owned by or associated with Netflix.
Here are some examples of the malicious websites we have identified:
Once a victim clicks on these malicious links, they are redirected to these websites and potentially exposed to further attacks:
What to Do if You Suspect a Phishing Attack
If you suspect that a website or email may be a phishing attempt, take the following steps:
- Don’t Reply, Click Links, or Open Attachments: Never do what a phisher wants. If there is a suspicious link, attachment, or request for a reply do not click, open, or send it.
- Report the Email to IT or Security Team: Phishing attacks are commonly part of distributed campaigns, and just because you fell victim to the scam does not mean that everyone did. Report the email to IT or the security team immediately, so that they can start an investigation and perform damage control as quickly as possible.
- Delete the Suspicious Email: After reporting, delete the suspicious email from your Inbox. This lessens the chance that you will accidentally click on it, without realizing it later.
- Beware of lookalike and fake domains: Note the language, the spelling and content within the website you are clicking on. Note “small” mistakes in spelling and content that requires you to download files.
While awareness of common phishing tactics and knowledge of anti-phishing best practices is important, modern phishing attacks are sophisticated enough that some will always slip through.
Check Point Harmony Email & Office provides visibility and protection across email phishing techniques. To learn more, you’re welcome to request a free demo.
Pre-Emptive User Protection
Check Point Anti-Phishing solutions eliminate potential threats before they reach users without affecting workflows or productivity.
- Click-time URL protection examines and blocks suspicious links in real time, removing the risk of URLs that are weaponized after the email has been sent
- Zero-day phishing protection identifies and blocks new and known phishing sites by analyzing the characteristics of the page and URL
- Eliminates risk from incoming email by inspecting all aspects of messages before they enter the mailbox, including attachments, links, and email text