CyberSecurity SEE

Fraudulent ChatGPT Website Distributes Malware to Windows and Mac Systems


Phishing Operation Targets ChatGPT Users with Malware

A sophisticated phishing operation has recently surfaced, targeting users in search of ChatGPT downloads. This scheme distributes malware by employing a fake website that closely resembles the official download page of OpenAI’s ChatGPT. The fraudulent site, known as openew[.]app, uses familiar OpenAI branding, featuring a dark theme and marketing language that is almost indistinguishable from the authentic platform.

The authors of this operation have cleverly designed the faux site to deliver different types of malware based on the victim’s operating system. For Windows users, the malware is disguised as a legitimate ChatGPT desktop application and is labeled Chat_GPT.exe; it includes tools designed to steal user credentials. Meanwhile, users operating macOS systems are targeted with a different form of malware known as Atomic Stealer, which has been developed as a malware-as-a-service platform focused on cryptocurrency theft.

Technical Deceptions Amplify the Threat

One of the more insidious aspects of the phishing operation is its exploitation of the .app top-level domain, which is managed by Google and mandates the use of HTTPS connections. This requirement helps the fraudulent site display the browser padlock icon that users typically associate with security. Coupled with the website’s professional appearance, these technical details create a deceptive impression that is convincing to average internet users, making it challenging for them to differentiate between the authentic ChatGPT page and this malicious imitation.
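As an added example (not code from the article or from any vendor analysis), the following Python applies the checks a URL filter or a security-aware reader should make on a download link: it normalises a defanged host, compares the registrable label against official domains by edit distance, flags brand terms that appear outside those domains, and records that under .app the browser padlock reflects mandatory TLS rather than legitimacy. The official-domain list, the two-label registrable-domain shortcut and the sample URLs are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Assumed allow-list of official domains for the example (openai.com and
# chatgpt.com are OpenAI's; treat the set as a constructed configuration value).
OFFICIAL_DOMAINS = {"openai.com", "chatgpt.com"}
BRAND_TERMS = ("openai", "chatgpt")
# Top-level domains whose registry mandates HTTPS via HSTS preloading, so the
# padlock is guaranteed for every site under them and says nothing about trust.
HSTS_PRELOADED_TLDS = {"app", "dev", "page"}
MAX_EDIT_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    # Assumption: a two-label registrable domain (brand.tld). Production code
    # should consult the Public Suffix List; this shortcut covers .app and .com.
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify(url: str) -> dict:
    """Return host, verdict ("official" / "suspicious" / "unrelated"), reasons, notes."""
    host = urlsplit(url.replace("[.]", ".")).hostname or ""   # undo defanging
    reg = registrable_domain(host)
    label, _, tld = reg.partition(".")
    notes = []
    if tld in HSTS_PRELOADED_TLDS:
        notes.append(f".{tld} requires HTTPS for every site, so the padlock is not a trust signal")
    if reg in OFFICIAL_DOMAINS:
        return {"host": host, "verdict": "official", "reasons": [], "notes": notes}

    reasons = []
    for official in OFFICIAL_DOMAINS:
        olabel = official.split(".")[0]
        if label != olabel and levenshtein(label, olabel) <= MAX_EDIT_DISTANCE:
            reasons.append(f"label '{label}' is within edit distance {MAX_EDIT_DISTANCE} of '{olabel}'")
    for term in BRAND_TERMS:
        if term in host.lower():
            reasons.append(f"host contains brand term '{term}' outside an official domain")
    verdict = "suspicious" if reasons else "unrelated"
    return {"host": host, "verdict": verdict, "reasons": reasons, "notes": notes}


if __name__ == "__main__":
    # Constructed sample URLs; the first is the defanged domain named in the article.
    for u in ("https://openew[.]app/download", "https://help.openai.com/",
              "https://chatgpt-download.app/", "https://example.org/"):
        print(classify(u))
```

The edit-distance threshold is deliberately small so that ordinary unrelated words do not trip it; the brand-term check catches longer impersonations such as a hyphenated "download" variant that a distance check would miss.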

The operation appears to be well-timed, capitalizing on the growing number of users who are turning to AI tools for the first time. Many users rely heavily on search results without prior knowledge of official URLs, creating an ideal opportunity for such attacks to flourish.

The Mechanics of the Malware

The Windows malware, identified as Chat_GPT.exe, is designed to appear credible by utilizing legitimate open-source tools, including Inno Setup and the Electron framework. Once executed, the malware creates files in the user's AppData folder and invokes PowerShell with an unrestricted execution policy to run harmful commands without leaving traces on disk. This fileless approach lets it communicate with attacker-controlled servers and establish persistence; at the time of initial analysis, only nine out of 69 antivirus engines detected the sample.
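As an added illustration (not code from the article or from any vendor analysis), the following Python looks for the pattern described above in process-creation telemetry: PowerShell launched with a weakened execution policy and a hidden window by a parent executable living under the user's AppData folder. The key=value log layout, the sample events and the Chat_GPT.exe install path are constructed for this example and are not the malware's real telemetry.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events in a simplified key=value layout
# (assumed format for the example; not real Sysmon or EDR output).
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe -ExecutionPolicy Unrestricted -NoProfile -WindowStyle Hidden -Command <placeholder>"
    r"|ParentImage=C:\Users\alice\AppData\Local\Programs\ChatGPT\Chat_GPT.exe",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe -ep bypass -File C:\Scripts\maint.ps1"
    r"|ParentImage=C:\Windows\System32\cmd.exe",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe Get-Process"
    r"|ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Users\alice\AppData\Local\Programs\Notes\notes.exe"
    r"|CommandLine=notes.exe"
    r"|ParentImage=C:\Windows\explorer.exe",
]

# PowerShell accepts abbreviated switches (-ep, -exec, -w); Unrestricted and
# Bypass are the two policy values that disable script-signing checks.
EXEC_POLICY_RE = re.compile(r"-(?:ExecutionPolicy|ep|exec)\s+(?:Unrestricted|Bypass)\b", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-(?:WindowStyle|w)\s+Hidden\b", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\AppData\\", re.IGNORECASE)
POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe"}


@dataclass
class Finding:
    image: str
    parent: str
    reasons: list
    score: int          # number of independent indicators that fired


def parse_event(line: str) -> dict:
    """Split 'Key=Value|Key=Value' into a dict (values may contain '=')."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def analyze(events) -> list:
    """Return one Finding per PowerShell launch that shows at least one indicator."""
    findings = []
    for line in events:
        ev = parse_event(line)
        image = ev.get("Image", "")
        if image.rsplit("\\", 1)[-1].lower() not in POWERSHELL_NAMES:
            continue                      # only PowerShell launches are of interest
        cmd = ev.get("CommandLine", "")
        parent = ev.get("ParentImage", "")
        reasons = []
        if EXEC_POLICY_RE.search(cmd):
            reasons.append("execution policy weakened (Unrestricted/Bypass)")
        if HIDDEN_RE.search(cmd):
            reasons.append("hidden window requested")
        if APPDATA_RE.search(parent):
            reasons.append("parent process runs from user AppData")
        if reasons:
            findings.append(Finding(image, parent, reasons, len(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f.score, f.parent, "->", "; ".join(f.reasons))
```

The administrator's maintenance script in the second event also fires, but on one indicator only; stacking the AppData parent and the hidden window on top of the policy change is what separates the installer-dropped launch from routine use, so triage on the score rather than on any single match.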

On the macOS front, the malware is notably more elaborate and costly, with the Atomic Stealer (AMOS) reportedly requiring around $3,000 per month for its operators to utilize, in stark contrast to standard infostealers on Windows that typically cost about $250 monthly.

Atomic Stealer executes a multi-stage attack, commencing with a counterfeit system password prompt designed to mimic an authentic macOS security dialog. When victims enter their passwords, the malware goes on to harvest sensitive information such as keychain data, browser credentials from 12 Chromium-based browsers as well as Firefox, Telegram session details, and scans for 16 different types of cryptocurrency wallet applications.

One of the most alarming features of the Atomic Stealer is its capacity to download tainted versions of critical applications such as Ledger Live and Trezor Suite. It seeks to replace legitimate applications with these malicious alternatives, ultimately intercepting cryptocurrency transactions. This capability underscores the primary objective of the phishing operation: stealing cryptocurrency from unsuspecting Mac users.

Urgent Actions for Affected Users

Individuals who might have downloaded ChatGPT from suspicious or unofficial sources are urged to take immediate action to mitigate potential damage. The first step is to log out of all important accounts from a clean device, using each service's remote logout feature. Users should promptly change their passwords, beginning with their primary email accounts. Additionally, they should rotate API keys and cloud credentials, and move cryptocurrency funds, doing so from devices that have not been compromised.

For macOS users, a crucial piece of advice is to avoid opening applications like Ledger Live or Trezor Suite until after they have reinstalled the operating system. The wallet replacement may have already taken place, and opening a tampered wallet risks cryptocurrency theft. To ensure a thorough recovery path, a complete operating system reinstall is recommended. Those using work devices should reach out to their IT security teams without delay.

This incident serves as a stark reminder of how product launches in the AI sector can pique the interest of first-time users, thereby leaving them vulnerable to search-based phishing attacks. Such tactics easily adapt to emerging trends in the tech landscape, making vigilance essential for users navigating the increasingly complex digital environment.

In summary, individuals are strongly cautioned to verify download sources meticulously. Enhancing awareness and adopting best practices when seeking software can serve as the best defense against such sophisticated phishing operations.
