Home / Industry

AI Tool Popularity: An Opportunity for Launching Malicious Campaigns?

The latest fraud data Sift published in “Q2 2023 Digital Trust & Safety Index” revealed that 78% of users are concerned that fraudsters could exploit AI tools to victimize them. And given recent cyber attacks targeting ChatGPT and Grammarly, their worries may not be unfounded.

From a brand and phishing protection perspective, WhoisXML API and Bayse Intelligence joined forces to uncover instances of cybersquatting or phishing properties that could be riding on the increasing popularity of some of what have been dubbed “the best AI productivity tools in 2023.”

Our collaboration led to the following findings:

  • A total of 2,003 domains containing the names of popular AI productivity tools.
  • The identification of one threat actor actively targeting several popular AI productivity tools while hiding within trusted cloud provider infrastructure.

A sample of the additional artifacts obtained from this analysis is available for download here.

Part #1: WhoisXML API Analysis

Cybersquatting Property Discovery in the DNS

The first step was identifying the AI productivity tools to perform public domain ownership attribution on. We subjected the 37 AI tool developers’ official site domains to a bulk WHOIS lookup and chose eight tools whose domain registrants indicated any of the data points below.

Note: We partially masked the registrant name found in sanebox[.]com’s WHOIS record for privacy purposes.
TOOLOFFICIAL SITE DOMAINREGISTRANT DATA TYPEWHOIS RECORD DETAIL
AgentGPTagentgpt[.]reworkd[.]aiEmail addressNamecontact.me.reworkd@gmail[.]comReworkd AI
Bardbard[.]google[.]comOrganizationGoogle LLC
EmailTreeemailtree[.]aiOrganizationTS Holding
Motionmotion[.]aiEmail addressOrganizationdomain-groups@hubspot[.]comHubSpot, Inc.
ProWritingAidprowritingaid[.]comOrganization123-Reg Limited
Runwayrunway[.]ml[.]comEmail addressOrganizationdomain.administrator@bankofamerica[.]comBank of America Corporation
SaneBoxsanebox[.]comNameOrganizationS***** R*****SaneBox
Slidesgoslidesgo[.]comOrganizationFreepik Company S.L.

To determine if threat actors could be trailing their sights on any of the eight tools for their upcoming campaigns, we performed Domains & Subdomains Discovery lookups using the following search terms:

  • agentgpt
  • bard + ai
  • emailtree
  • motion + ai
  • prowritingaid
  • runway + ml
  • sanebox
  • slidesgo

Our searches provided us with 2,003 domains in sum.

AI TOOLDOMAIN VOLUME
Agent GPT108
Bard1,049
EmailTree15
Motion712
ProWritingAid15
Runway35
SaneBox40
Slidesgo29

Our WHOIS record detail comparisons revealed that less than 1% of the brand name-containing domains could confidently be publicly attributable to the AI productivity tool developers on our list.

Part #2: Bayse’s Campaign Analysis

One of the main ways attackers impersonate highly valuable websites is to reproduce or clone their content. This raises the likelihood that a user will visually associate the spoofed site with the legitimate one and enable the attacker to achieve their objectives (collect credentials or PII, download malware, and so on).

This tactic has been seen for several of these AI tools, but Bard was by far the most targeted.

After submitting Bard’s legitimate site to Bayse Intelligence, we can find out how frequently, since when, and where else we’ve seen Bard’s assets being referenced:

One of the sites that recently linked to Bard (highlighted above) is clearly impersonating Bard:

Moreover, it has been seen multiple times over the last two months, and we’ve seen other sites associated with its parent domain (lmlm[.]workers[.]dev) as well:

Pivoting to the parent domain’s details shows us that not only is Bard targeted, but there’s actually several other popular AI and cloud-related technologies being targeted since March 2023:

While several of those sites are down, pivoting to some of them gives us a view into still-live impersonations:

In conclusion, because the parent domain (lmlm[.]workers[.]dev) is hosted on Cloudflare’s web app hosting platform and these sites all share the same lmlm subdomain, it means that all of the sites highlighted earlier were actually created by the same threat actor! Evidence of this can be traced back to the official Cloudflare announcement in 2019:

What this means is that there is a threat actor currently hosting content on Cloudflare’s infrastructure who—over the course of 5+ months—is likely targeting users of many highly popular AI- and cloud-based tools. Activity to this and anything under this particular subdomain (lmlm[.]workers[.]dev) should be treated as extremely suspect and should likely be blocked outright.

If you wish to perform a similar investigation or learn more about the products used in this research, don’t hesitate to visit whoisxmlapi.com or bayse.io.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix

DNS

Sponsored byDNIB.com

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API