Hackers Use ChatGPT To Spread Malware On Facebook, Instagram And WhatsApp

There are concerns that generative AI chatbots, such as ChatGPT, could be employed in the future to write malware. The bigger concern right now, however, is ChatGPT's popularity itself: scammers have increasingly been spoofing ChatGPT websites and apps as a lure to steal information from unsuspecting victims.

Researchers at Facebook parent company Meta on Wednesday warned that malicious groups – including Ducktail and NodeStealer – are now posing as ChatGPT and similar tools, targeting people through malicious browser extensions, ads, and various social media platforms, with the aim of running unauthorized ads from compromised business accounts across the Internet.

Meta said it has detected and disrupted these malware operations, including previously unreported malware families, and that it has already seen rapid adversarial adaptation in response to its detection.

"We know that malicious groups behind malware campaigns are extremely persistent, and we fully expect them to keep trying to come up with new tactics and tooling in an effort to survive disruptions by any one platform where they spread. That’s why our security teams tackle malware – one of the most persistent threats online – as part of our defense-in-depth approach through multiple efforts at once," Meta's Duc H. Nguyen and Ryan Victory noted in a blog post on Wednesday.

Multiple Malware Groups

Since March, Meta has identified around ten malware families using ChatGPT and other similar themes to compromise accounts across the Internet.

"In one case, we've seen threat actors create malicious browser extensions available in official web stores that claim to offer ChatGPT-based tools," added Nguyen and Victory. "They would then promote these malicious extensions on social media and through sponsored search results to trick people into downloading malware. In fact, some of these extensions did include working ChatGPT functionality alongside malware, likely to avoid suspicion from official web stores."

Meta claims it has blocked more than 1,000 unique ChatGPT-themed malicious URLs from being shared on its platforms, while it has shared those URLs with industry partners.

According to TechCrunch, the Vietnam-based Ducktail malware operation has targeted Facebook users since 2021. It is now spoofing ChatGPT to steal browser cookies and hijack logged-in Facebook sessions, giving it access to information from the victim's Facebook account, including account information, location data, and two-factor authentication codes.

What Is NodeStealer?

It was in January that researchers at the social network discovered the information-stealing malware dubbed NodeStealer. It enables threat actors to steal browser cookies to hijack accounts on the social media platform, as well as Gmail and Outlook accounts.

"We identified NodeStealer early – within two weeks of it being deployed – and took action to disrupt it and help people who may have been targeted to recover their accounts," Nguyen and Victory explained. "As part of this effort, we submitted takedown requests to third-party registrars, hosting providers, and application services such as Namecheap, which were targeted by these threat actors to facilitate distribution and malicious operations. These actions led to a successful disruption of the malware."

Meta's researchers have said they have not observed any new samples of malware in the NodeStealer family since February 27 of this year, but continue monitoring for any potential future activity.

The Generative AI Threat

Researchers at cybersecurity firm BlackFog had also warned of the threat from ChatGPT, including how it can develop code that can be used for malicious purposes. The firm is now monitoring how generative AI can be employed as a lure on social media.

"As BlackFog has demonstrated, ChatGPT and other generative AI tools can be used very effectively for data exfiltration, including writing the actual software to do this," explained Darren Williams, CEO and founder of BlackFog, via an email.

"This is now being leveraged to craft entire websites and phishing sites for the purpose of stealing credentials and installing malware onto devices," Williams added.

He also warned that the threats from ChatGPT are likely to increase, and therefore cybersecurity efforts will need to keep pace with this emerging technology.

"Traditional defensive-based approaches, EDR, and antivirus tools have proved highly ineffective against these modern ransomware variants," Williams added.

A strong defense will remain necessary, and that will include due diligence by users not to fall for spoofing campaigns.

"The only real way to ensure your data is protected is to focus on newer technologies to prevent data exfiltration in the first place," Williams continued. "If an attacker cannot exfiltrate data, they cannot extort the victim and therefore have nothing to gain."