Threat actors are using the name and image associated with ChatGPT to distribute malware through phishing sites, social media pages, and malicious Android applications. ChatGPT is a well-known AI chatbot run by OpenAI and has reported more than 100 million users in January 2023, only 3 months after its initial launch. The high volume of users immediately attracted to this AI resulted in an official paid tier being launched by OpenAI to offer use of the tool with no availability restrictions. Malicious actors have also created fake sites appearing to offer this premium ChatGPT service free-of-charge, however these are actually used to spread malware and harvest credentials.  

Researchers at Cyble identified malicious domain is chat-gpt-pc.online that threat researcher Dominic Alvieri found to be installing Redline info-stealing malware onto victim’s devices. The user was tricked into clicking a download link that they thought was to install a Windows desktop client for ChatGPT, which is a function that does not officially exist. This link was advertised through a Facebook page using stolen ChatGPT logos to manipulate victims into thinking it was a legitimate site. Cyble’s threat research team also found another similar typosquatted domain also promoted through a social media page, openai-pc-pro.online. This domain leads to a phishing site that contains a ‘Download for Windows’ button which is used to install the stealer malware.   

Malware families Lumma Stealer, Aurora Stealer(mainly on the domain chatgpt-go.online, a host for various malicious files), and clipper malware were named by the researchers as those found in use in this attack. A phishing site displaying a clone of the ChatGPT site with an offer to ‘TRY CHATGPT’ was also found, but clicking this button invokes the Lumma Stealer malware. Threat actors were also found to use another phishing page, pay.chatgptftw.com to fraudulently request users credit card information which they then harvested and used to steal the victim’s money.  

Dominic Alvieri also found two malicious Android apps being promoted through the Google Play store called ChatGPT Chatteo AI Chat GPT and ChatGPT – Smart AI Chatbot. These apps have now been removed from the Google Play Store, however any users that have already installed these apps will need to remove them from their devices immediately. Other third-party apps have also been identified as malicious impersonations of this chatbot. To maintain security of devices it is always best practice to only install apps from the official app store and never use third-party vendors. 

With the recent outages experienced by ChatGPT and OpenAI worldwide, these fake sites are more likely to attract users. One of the methods used by these fake sites is offering a download option, to use the AI in the form of a mobile or desktop app. Currently ChatGPT is only available at chat.openai.com and does not offer any apps for any operating systems, so all downloadable options are fake and should be treated as potentially malicious.