|
Since its launch last November, the ChatGPT hype has only increased not only among users but also abusers. Cyble researchers recently spotted phishing attacks using supposed ChatGPT sites to phish for personally identifiable information (PII), specifically credit card data.
The Cyble study identified four domains as indicators of compromise (IoCs)—openai-pc-pro[.]online, chat-gpt-pc[.]online, chatgpt-go[.]online, and rebrand[.]ly—that we used as jump-off points for an expansion analysis that led to the discovery of:
Five IP addresses the IoCs resolved to
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We began our analysis with a bulk WHOIS lookup for the IoCs that showed three of them were newly registered—openai-pc-pro[.]online, chat-gpt-pc[.]online, and chatgpt-go[.]online, while rebrand[.]ly was already nine years old. None of them seem to be owned by the companies whose names appeared as strings in them based on WHOIS record comparisons with the legitimate domains openai[.]com and rebrand[.]com. Specifically:
The domains openai-pc-pro[.]online, chat-gpt-pc[.]online, and chatgpt-go[.]online didn’t share openai[.]com’s registrar Gandi SAS and registrant country France.
Openai-pc-pro[.]online and chat-gpt-pc[.]online’s registrar was Namecheap, Inc., while that of chatgpt-go[.]online was PDR Ltd.
Also, openai-pc-pro[.]online and chat-gpt-pc[.]online’s registrant country was Iceland, while that of chatgpt-go[.]online was Romania.
To find other connections that haven’t been publicized, we performed DNS lookups on the IoCs that gave us five IP address resolutions, three of which are 69[.]12[.]73[.]19, 104[.]21[.]21[.]135, and 172[.]67[.]199[.]21. IP geolocation and reverse IP/DNS lookups for the IP hosts showed that:
Three brand names—OpenAI, ChatGPT, and Rebrand—appeared in the IoCs. To determine if more domains started with openai., chatgpt., and rebrand. and contain chatgpt, we used them as Domains & Subdomains Discovery search terms. That led to the discovery of:
Additional WHOIS record comparisons of the string-connected domains and subdomains yielded interesting findings, such as:
Popularity online is a double-edged sword as the ChatGPT-themed phishing campaigns showed. While more and more users are becoming aware of the technology and its benefits, an increasing number of phishers and other cybercriminals are bound to use its name in their campaigns.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byDNIB.com
Sponsored byCSC
Sponsored byVerisign
Sponsored byRadix
Sponsored byWhoisXML API