Since its launch last November, the ChatGPT hype has only increased not only among users but also abusers. Cyble researchers recently spotted phishing attacks using supposed ChatGPT sites to phish for personally identifiable information (PII), specifically credit card data.

The Cyble study identified four domains as indicators of compromise (IoCs)—openai-pc-pro[.]online, chat-gpt-pc[.]online, chatgpt-go[.]online, and rebrand[.]ly—that we used as jump-off points for an expansion analysis that led to the discovery of:

Five IP addresses the IoCs resolved to

• 303 domains that shared the IoCs’ IP hosts, one of which turned out to be malicious
• 1,142 domains that started with the strings openai., chatgpt., and rebrand. akin to two of the IoCs, 11 of which were confirmed malware hosts
• 2,693 subdomains that contained the string chatgpt, five of which may have already figured in malicious campaigns

A sample of the additional artifacts obtained from our analysis is available for download from our website.

WHOIS Connections

We began our analysis with a bulk WHOIS lookup for the IoCs that showed three of them were newly registered—openai-pc-pro[.]online, chat-gpt-pc[.]online, and chatgpt-go[.]online, while rebrand[.]ly was already nine years old. None of them seem to be owned by the companies whose names appeared as strings in them based on WHOIS record comparisons with the legitimate domains openai[.]com and rebrand[.]com. Specifically:

The domains openai-pc-pro[.]online, chat-gpt-pc[.]online, and chatgpt-go[.]online didn’t share openai[.]com’s registrar Gandi SAS and registrant country France.

Openai-pc-pro[.]online and chat-gpt-pc[.]online’s registrar was Namecheap, Inc., while that of chatgpt-go[.]online was PDR Ltd.

Also, openai-pc-pro[.]online and chat-gpt-pc[.]online’s registrant country was Iceland, while that of chatgpt-go[.]online was Romania.

DNS Ties

To find other connections that haven’t been publicized, we performed DNS lookups on the IoCs that gave us five IP address resolutions, three of which are 69[.]12[.]73[.]19, 104[.]21[.]21[.]135, and 172[.]67[.]199[.]21. IP geolocation and reverse IP/DNS lookups for the IP hosts showed that:

• Four of them originated from the U.S., while one was from Vietnam.
• One IP address didn’t have domain connections.
• Two were shared IP hosts, while another two appeared to be private hosts.
• The four IP addresses with existing DNS connections hosted 303 domains, one of which—denizyilbasiozel-taycan4s[.]com—turned out to be malicious.

Three brand names—OpenAI, ChatGPT, and Rebrand—appeared in the IoCs. To determine if more domains started with openai., chatgpt., and rebrand. and contain chatgpt, we used them as Domains & Subdomains Discovery search terms. That led to the discovery of:

• 1,142 domains that started with openai., chatgpt., and rebrand., 11 of which turned out to be malicious
• 2,693 subdomains that contained chatgpt, five of which were confirmed malware hosts

Other Findings

Additional WHOIS record comparisons of the string-connected domains and subdomains yielded interesting findings, such as:

• Only three of the 372 domains that started with openai. shared OpenAI’s registrar and registrant country. We couldn’t precisely confirm their ownership, though, since openai[.]com’s WHOIS record was redacted.
• Only one of the 184 domains that started with rebrand. was owned by Rebrand based on its registrant email address.
• None of the 589 domains that started with chatgpt. shared OpenAI’s registrar and registrant country. Three of the domains starting with openai. shared OpenAI’s registrar and registrant country while only one domain beginning with rebrand. seemed to be owned by Rebrand.
  
  

  

• Among the domains that contained strings found among the IoCs (i.e., openai., rebrand., and chatgpt.), only chatgpt. appeared in them.
• We also looked at subdomains that contained chatgpt since the string appeared only as a subdomain of the legitimate domain belonging to OpenAI. None of the 2,693 subdomains that contained chatgpt seemed to be owned by the company after careful scrutiny of their WHOIS record details.

Popularity online is a double-edged sword as the ChatGPT-themed phishing campaigns showed. While more and more users are becoming aware of the technology and its benefits, an increasing number of phishers and other cybercriminals are bound to use its name in their campaigns.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.