A recent report from cybersecurity firm Group-IB revealed a concerning trend: compromised OpenAI ChatGPT account credentials surfacing on illicit dark web marketplaces. These compromised credentials, totaling over 100,000, were discovered in information stealer logs offered for sale between June 2022 and May 2023. Notably, India accounted for the highest number of stolen credentials, with 12,632 compromised accounts.
Asia-Pacific Region and Top Countries:
The report highlighted that the Asia-Pacific region witnessed the highest concentration of ChatGPT credentials being offered for sale over the past year. Besides India, other countries with significant numbers of compromised ChatGPT credentials include Pakistan, Brazil, Vietnam, Egypt, the U.S., France, Morocco, Indonesia, and Bangladesh.
Info Stealer Analysis:
Further analysis conducted by Group-IB revealed that the notorious Raccoon info stealer was responsible for the majority of logs containing ChatGPT accounts. Other info stealers involved in the compromise included Vidar and RedLine. These information stealers are known for their ability to extract passwords, cookies, credit card details, and other sensitive information from web browsers and cryptocurrency wallet extensions.
Impact on Enterprises and Best Practices:
Given the increasing integration of ChatGPT into operational workflows, it is crucial for enterprises to be aware of the risks associated with compromised account credentials. Employees using ChatGPT for confidential correspondence or proprietary code optimization may unintentionally expose sensitive information to threat actors if their account credentials are obtained, since the account's conversation history is available to whoever holds the credentials. To mitigate such risks, users are advised to follow proper password hygiene practices and enable two-factor authentication (2FA) to safeguard their accounts against account takeover attacks.
Ongoing Malware Campaign:
The discovery of compromised ChatGPT account credentials coincides with an ongoing malware campaign exploiting fake OnlyFans pages and adult content lures. This campaign delivers a remote access trojan called DCRat (or DarkCrystal RAT) and an information stealer by leveraging ZIP files containing a VBScript loader. The malware campaign, involving explicit photos and content related to adult film actresses, has been active since January 2023.
New Variant of GuLoader:
In a separate development, cybersecurity company eSentire uncovered a new variant of GuLoader (aka CloudEyE), a highly evasive malware loader commonly used to deliver info-stealers and Remote Administration Tools (RATs). This variant utilizes tax-themed decoys to launch PowerShell scripts capable of injecting the Remcos RAT into a legitimate Windows process. GuLoader employs obfuscated commands and encrypted shellcode to operate stealthily within a genuine Windows process.
The discovery of compromised OpenAI ChatGPT account credentials on illicit dark web marketplaces serves as a reminder of the importance of cybersecurity measures. Users should remain vigilant, adhere to password hygiene practices, and enable two-factor authentication to protect their accounts from being compromised. Additionally, enterprises must be cautious regarding the potential risks associated with integrating ChatGPT into their workflows and ensure appropriate security measures are in place.