OpenAI’s ChatGPT has taken the world by storm with its potential to generate content and conversational responses to users' queries, since its launch in November 2022. However, cybercriminals are now exploiting the AI chatbot to commit cyber fraud.
Kaspersky researchers have recently found a counterfeit ChatGPT desktop programme that contains malware that can steal users' social media login credentials. Kaspersky provides cybersecurity and anti-virus services and is headquartered in Moscow, Russia. It is operated by a holding company in the United Kingdom. According to the cybersecurity company's blog post, the fake app's links are circulating on popular social media platforms such as Facebook, Twitter, and Instagram. These links, supposedly, are for downloading a 'ChatGPT desktop client'.
How does the fraudulent link work?
Kaspersky calls this malware 'Trojan-PSW.Win64.Fobo'. The malware link is being circulated along with fake credentials for the "pre-created accounts that are said to provide access to ChatGPT". The attackers claim that each account already has $50 (US) on its balance which can be spent while using the chatbot, to further entice potential users. The link leads to a fake ChatGPT website that looks a lot like the real one. When they attempt to download the application, the installation process crashes and an error message appears.
Despite the error message, the malware covertly sets up in the background. According to Kaspersky, it then targets login credentials and cookie data from popular browsers like Chrome, Edge, Firefox, and Brave. The user's login information for numerous platforms, including Facebook, TikTok, and Google, especially those related to businesses, can be obtained by hackers if they get their hands on the cookies. The hackers might also obtain additional information, including the account spending on advertising and its current balance.
According to the Kaspersky data, the malware has already scammed users across continents, including Africa, Asia, Europe, and America.
How is the original ChatGPT different from the fraudulent malware?
Firstly, there is no official desktop or mobile version of ChatGPT. It can only be accessed through its web version. A user just needs to land on the official site, for that, they must enter the URL in the address bar instead of following a link.
Secondly, there is no requirement for a "pre-created" account to use the chatbot. Currently, ChatGPT access is entirely free, and the only paid feature of OpenAI is a monthly subscription with priority access.
According to the blog post, ChatGPT has managed to attract scammers because of its "high demand and low availability". Although the OpenAI website just requires the user to enter their e-mail address and phone number, but not all country codes are accepted. ChatGPT registration is currently unavailable in Russia, China, Egypt, Iran among other countries. Also it is not a guarantee that the chatbot can be necessarily used after the registration as "the service is almost always overloaded". This is why, earlier this month, OpenAI introduced a subscription plan for ChatGPT with priority access and faster text generation for US$20 a month.