"Fobo" Trojan distributed as ChatGPT client for Windows | Kaspersky official blog

Credit to Author: Daria Ivanova| Date: Wed, 22 Feb 2023 12:53:22 +0000

The golden rule — “if something is popular, criminals will exploit it” — strikes once again. This time, we’re talking about the trending ChatGPT chatbot, developed by OpenAI, which has been all over the news of late.

A word about the popularity of ChatGPT

When OpenAI opened access to its AI chatbot (that is, a chatbot based on neural networks trained on a vast corpus of text), the internet changed beyond recognition practically overnight.

Users all over the planet rushed to see what the chatbot is capable of — and were not disappointed (and often positively astonished). ChatGPT can maintain a dialog in a way that feels like there’s a real person at the other end. And, more groundbreakingly, it’s great at writing short texts on a given topic in a particular style, including poetry, and can adapt to a specified format and basically create texts no worse than a rookie copywriter, since it’s loaded with exabytes of knowledge on every topic under the sun. You can also ask ChatGPT for advice on unfamiliar topics — and in most cases it delivers sound tips. True, ChatGPT is equally good at lying and propagating errors, but these are finer points.

ChatGPT use is becoming mainstream, and not just for fun (to chat or, say, to ask for The Hobbit in the form of a Shakespearean sonnet — why not?), but also for business. With the help of chatbots, you can quickly fill websites with content, create product descriptions, generate quests for games, and do many other things to help people of various professions in their everyday work.

Unsurprisingly, the ChatGPT servers were quickly overloaded, so Open AI had to increase their capacity. The company soon attracted investment from Microsoft, and now ChatGPT has been integrated into Bing, albeit with restrictions. In response, Google rushed to roll out its own neural network, Bard, which has similar capabilities but was not considered by the company to be fully ready for market launch.

We’ve already written about how ChatGPT will change the world of cybersecurity, but for now at least the use of chatbots in phishing attacks or malware development remains at the theoretical stage. In practice, however, ChatGPT is already being used as bait to spread malware.

What attracts scammers to ChatGPT

Why are scammers suddenly using ChatGPT as bait? Simply because the service is hugely popular.

Although ChatGPT is technically free, it’s not always easy to access it. First, to register an account on the OpenAI website, you need to enter your e-mail address and phone number. But not all country codes are accepted: ChatGPT registration is currently unavailable in Russia, China, Egypt, Iran and some other countries. So not everyone can get an account easily.

Second, even if you managed to create an account on the OpenAI website, it’s not a given that you’ll be able to actually use ChatGPT: the service is almost always overloaded with users wanting to try out the AI, ask it to write a marketing blurb, or give it some other tasks. The inflow of users was so great that OpenAI introduced a subscription plan with priority access and faster text generation for US$20 a month.

High demand and low availability. That’s enough for scammers.

The desktop client that never was

Kaspersky experts have uncovered a malicious campaign exploiting the growing popularity of ChatGPT. Fraudsters create groups on social networks that convincingly mimic, if not official OpenAI accounts, then at least communities of enthusiasts. These groups publish equally persuasive posts: say, that ChatGPT hit one million users faster than any other service. At the bottom of the post is a link for supposedly downloading a ChatGPT desktop client.

Impressive stats and a handy link — just how we like it

Impressive stats and a “handy” link — just how we like it

Also posted in these groups are fake credentials for the precreated accounts that are said to provide access to ChatGPT. To motivate potential users even further, the attackers say that each account already has US$50 on its balance, which can be spent on using the chatbot. It all feels like a genuine opportunity to use ChatGPT without the trouble of creating an account, and even to get premium features for free: just download the desktop client and sit back for the ride.

Roll up, roll up, get your desktop chatbot while you can!

Roll up, roll up, get your desktop chatbot while you can!

You can probably guess what happens next, but we’ll tell you anyway. Clicking the link with a very plausible URL opens a well-made site inviting you to download ChatGPT for Windows. It’s not the official site, of course, but very like the original. If you click on the download button, an archive with an executable file is indeed downloaded.

The scam site is a carbon copy of the original, only instead of the “Try ChatGPT” button there is a “Download for Windows” button

If this archive is unpacked and the executable file run, then, depending on the version of Windows, the user sees either a message saying installation failed for some reason, or no message at all — at which point the process seems to end. “Shame I didn’t get to use a precreated account with premium features“, the user will think, and forget about the incident — probably resorting to creating a regular account on the real ChatGPT site.

If you see this message (or no message at all), the Trojan installed successfully

If you see this message (or no message at all), the Trojan installed successfully

In fact, installation did not fail: a stealer Trojan is installed on the user’s computer, from where it pinches account credentials stored in Chrome, Edge, Firefox, Brave, CôcCôc (popular in Vietnam), and other browsers. We’ve dubbed it Trojan-PSW.Win64.Fobo.

The Trojan’s creators are interested in Facebook, TikTok, and Google cookies and accounts — in particular business accounts. The virus steals usernames and passwords, then, on finding a business account in one of these services, it tries to get additional information, such as how much money was spent on advertising from the account and what its current balance is.

According to our data, the attackers target the international market — the “ChatGPT desktop client” has already been spotted in Asia, Africa, Europe and America.

How to use ChatGPT safely

For starters, note that there’s no official desktop, mobile, or other client for ChatGPT — only the web version. Amusingly, the chatbot itself makes this very point when asked to write a blog post about this scam campaign.

What ChatGPT itself thinks of this scam campaign

What ChatGPT itself thinks of this scam campaign

There’s also no need to use “precreated” accounts, of course. Currently, OpenAI’s only paid feature is a monthly subscription with priority access, otherwise access to ChatGPT is completely free. So you can register a real ChatGPT account for free, no strings attached. Even if your phone number is no good due to restrictions on some countries, you can ask a friend abroad to buy you a disposable SIM card or use a temporary phone number — you only need it once, to activate the account. There are plenty of services that offer temporary phone numbers for receiving verification codes by text: just google “one-time phone number”.

The main thing is to make sure you land on the official site (https://chat.openai.com). To do that, don’t follow a link, rather enter the URL in the address bar yourself.

And have a good security solution installed on your computer — ChatGPT is only gaining popularity, and attackers are bound to come up with more campaigns centered on this revolutionary new chatbot. Sure, vigilance is vital, but sometimes even the most attentive and super-prepared fall for phishing or well-faked sites, so it’s better to play it safe. All Kaspersky security solutions detect Trojan-PSW.Win64.Fobo and keep it off your computer.

As for ChatGPT desktop clients, they’re bound to appear sooner or later — if not official, then third-party ones. But always think thrice before using any kind of third-party client, and here an antivirus is a no-brainer.


https://blog.kaspersky.com/feed/