According to a research by Group-IB, a Singapore-based cybersecurity company, has shown that over 100,000 compromised OpenAI ChatGPT account credentials are on illicit dark web marketplaces, with India accounting for 12,632 stolen credentials between June 2022 and May 2023.
The availability of compromised ChatGPT account logs reached its peak in May 2023, with a staggering 26,802 logs offered for sale. The Asia-Pacific region has witnessed the highest number of ChatGPT credentials on sale in the past year. Alongside India, countries such as Pakistan, Brazil, Vietnam, Egypt, the U.S., France, Morocco, Indonesia, and Bangladesh also top on the list of compromised ChatGPT credentials.
Further investigation conducted by Group-IB has revealed methods used to breach these accounts. Judging by the compromised logs containing the ChatGPT accounts, the famous Raccoon info stealer, Vidar and Redline played a vital role in the theft. Due to Information stealer’s ability to extract sensitive information from web browsers, including passwords, cookies, credit card details, and even cryptocurrency wallet data, its fame among cybercriminals is becoming second to none.
These compromised logs are actively traded on dark web marketplaces, providing cybercriminals with capabilities to launch follow-on attacks using stolen credentials. Dmitry Shestakov, head of threat intelligence at Group-IB, highlighted the risks associated with ChatGPT’s integration into enterprise workflows.
As employees engage in confidential communications or utilize the ChatGPT bot to optimize proprietary code, compromised account credentials could inadvertently grant threat actors access to sensitive information. To mitigate such risks, Group-IB advises ChatGPT users to practice robust password hygiene and implement two-factor authentication (2FA) to prevent unauthorized access to their accounts. It serves as an essential precaution against account takeover attacks.
These revelations occur amidst an ongoing malware campaign that exploits fake OnlyFans pages and adult content lures to deliver a remote access trojan (RAT) and an information stealer known as DCRat. Researchers at eSentire have observed victims get enticed into downloading ZIP files containing a VBScript loader. The execution mode of the file is manual. The lure tactics involve explicit photos or content related to various adult film actresses.
Furthermore, a new variant of the GuLoader malware masquerading as tax-themed decoys is still active and this variant employs PowerShell scripts to inject the Remcos RAT into legitimate Windows processes.
further details about GuLoader has revealed that it is a highly elusive malware loader commonly utilized to distribute info-stealers and Remote Administration Tools (RATs). Its complex execution involves multiple rounds of obfuscated commands and encrypted shellcodes, resulting in a stealthy and persistent malware payload residing within legitimate Windows processes, as reported by a Canadian cybersecurity company.
As cyber threats evolve and pose risks to individuals and enterprises alike, it is crucial to stay vigilant, adhere to best security practices, and promptly implement necessary safeguards to protect sensitive information from falling into the wrong hands.
