The attackers, believed to be linked to the ransomware gang known as Cl0p, have launched a large-scale email campaign directed at organisations running Oracle E-Business Suite. The system underpins critical functions such as finance, supply chain, and customer management, making it an attractive target for cybercriminals.

According to Google, the extortion emails have been arriving in high volumes and are being sent from hundreds of hijacked accounts. Some of these accounts were previously connected to FIN11, a financially motivated group associated with Cl0p. The messages threaten exposure of allegedly stolen data, with some demands reported to be as high as $50 million.

Cybersecurity firm Halcyon confirmed that certain emails contained screenshots and file directories as supposed evidence of the breach. Experts, however, caution that these materials may be fabricated or recycled from past attacks. “Google does not currently have sufficient evidence to definitively assess the veracity of these claims,” the company stated.

However, neither Google nor its security subsidiary, Mandiant, has found proof that Oracle’s software was compromised or that data theft actually occurred. No zero-day vulnerabilities have been confirmed. Oracle has yet to issue a public statement.

Experts note that even unverified claims can destabilise businesses, trigger panic, and tarnish reputations. Recent campaigns by ransomware groups show a change in tactics, using threats and psychological pressure instead of traditional file encryption.

Security experts advise organisations to closely monitor Oracle environments for unusual logins or credential misuse, strengthen phishing defences, and review their incident response strategies. Multi-factor authentication, they warn, is no longer optional but essential.

• Check Point Research (CPR) sees a surge in malware distributed through websites appearing to be related to ChatGPT
• Since the beginning of 2023,  1 out of 25 new ChatGPT-related domain was either malicious or potentially malicious
• CPR provides examples of websites that mimic ChatGPT, intending to lure users to download malicious files, and warns users to be aware and to refrain from accessing similar websites

The age of AI – Anxiety or Aid?

In December 2022, Check Point Research (CPR) started raising concerns about ChatGPT’s implications for cybersecurity.

In its previous report, CPR put a spotlight on an increase in the trade of stolen ChatGPT Premium accounts, which enable cyber criminals to get around OpenAI’s geofencing restrictions to secure unlimited access to ChatGPT. 

A surge in cyberattacks has recently been noticed by Check Point Research, leveraging websites associated with the ChatGPT brand. These attacks involve the distribution of malware and phishing attempts through websites that appear to be related to ChatGPT. 

The firm has identified numerous campaigns that mimic the ChatGPT website with the intention of luring users into downloading malicious files or disclosing sensitive information. The frequency of these attack attempts has been steadily increasing over the past few months, with tens of thousands of attempts to access these malicious ChatGPT websites. 

Since the beginning of 2023 until the end of April, out of 13,296 new domains created related to ChatGPT or OpenAI, 1 out of every 25 new domains were either malicious or potentially malicious. 

Fake Domains

One of the most common techniques used in phishing schemes are lookalike or fake domains. Lookalike domains are designed to appear to be a legitimate or trusted domain at a casual glance. For example, instead of the email address boss@company.com, a phishing email may use boss@cornpany.com. The email substitutes ‘rn’ for ‘m’. While these emails may look authentic, they belong to a completely different domain that may be under the attacker’s control.

Phishers may also use fake but believable domains in their attacks. For example, an email claiming to be from Netflix may be from help@netflix-support.com. While this email address may seem legitimate, it is not necessarily owned by or associated with Netflix.

Here are some examples of the malicious websites we have identified:

• chat-gpt-pc.online
• chat-gpt-online-pc.com
• chatgpt4beta.com
• chatgptdetectors.com
• chat-gpt-ai-pc.info
• chat-gpt-for-windows.com

Once a victim clicks on these malicious links, they are redirected to these websites and potentially exposed to further attacks:

What to Do if You Suspect a Phishing Attack

If you suspect that a website or email may be a phishing attempt, take the following steps:

1. Don’t Reply, Click Links, or Open Attachments: Never do what a phisher wants. If there is a suspicious link, attachment, or request for a reply do not click, open, or send it.
2. Report the Email to IT or Security Team: Phishing attacks are commonly part of distributed campaigns, and just because you fell victim to the scam does not mean that everyone did. Report the email to IT or the security team immediately, so that they can start an investigation and perform damage control as quickly as possible.
3. Delete the Suspicious Email: After reporting, delete the suspicious email from your Inbox. This lessens the chance that you will accidentally click on it, without realizing it later.
4. Beware of lookalike and fake domains: Note the language, the spelling and content within the website you are clicking on. Note “small” mistakes in spelling and content that requires you to download files.

While awareness of common phishing tactics and knowledge of anti-phishing best practices is important, modern phishing attacks are sophisticated enough that some will always slip through.

Check Point Harmony Email & Office provides visibility and protection across email phishing techniques. To learn more, you’re welcome to request a free demo. 

Pre-Emptive User Protection

Check Point Anti-Phishing solutions eliminate potential threats before they reach users without affecting workflows or productivity.

• Click-time URL protection examines and blocks suspicious links in real time, removing the risk of URLs that are weaponized after the email has been sent
• Zero-day phishing protection identifies and blocks new and known phishing sites by analyzing the characteristics of the page and URL
• Eliminates risk from incoming email by inspecting all aspects of messages before they enter the mailbox, including attachments, links, and email text