Barracuda Networks has observed a large-scale OpenAI impersonation campaign targeting the credentials of ChatGPT users.
Threat actors have been sending out phishing emails that purport to come from artificial intelligence company OpenAI, informing recipients that their “latest subscription payment for ChatGPT was unsuccessful” and instructing them to click on a link to update payment information.
Barracuda has seen these emails targeting businesses worldwide. The company is aware of over 1,000 emails being sent from a single domain.
The phishing emails appear to come from OpenAI Payments, but they actually originate from a domain called topmarinelogistics.com. The emails passed DKIM and SPF checks.
Prebh Singh of Barracuda’s Product Management team told SecurityWeek that the OpenAI phishing emails pointed to the domain fnjrolpa.com.
This website is currently offline, but an analysis showed that it hosted a fake login page resembling that of OpenAI, indicating that the goal of the campaign is credential harvesting.
“This is the simplest way for attackers to get access to new accounts that they can compromise to launch new phishing campaigns,” Singh explained.
The domain hosting the ChatGPT phishing page was registered in December 2023.
“Interestingly, based on whois records, the website was registered with an address from Nepal but the sender domain shows registered in France (and is also inaccessible now). Sender IP belongs to Germany,” Singh noted.
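The sender mismatch described above, an "OpenAI Payments" display name on mail that passes SPF and DKIM for topmarinelogistics.com, can be checked mechanically at the mail gateway. The following Python check is an added example, not code from Barracuda or SecurityWeek; the `BRAND_DOMAINS` allow-list, the function names and the sample message (local part, recipient, receiving host and URL path) are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand keyword -> domains that brand legitimately sends from.
BRAND_DOMAINS = {"openai": {"openai.com"}}

# Constructed sample modelled on the article's description, not a captured
# message; the local part, recipient, receiving host and URL path are made up.
SAMPLE = """\
From: OpenAI Payments <billing@topmarinelogistics.com>
To: user@example.com
Subject: Your latest subscription payment for ChatGPT was unsuccessful
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=topmarinelogistics.com;
 dkim=pass header.d=topmarinelogistics.com

Update your payment information: https://fnjrolpa.com/login
"""

def in_allowed(domain, allowed):
    """True if domain equals, or is a subdomain of, an allowed domain."""
    domain = domain.lower().rstrip(".")
    return any(domain == a or domain.endswith("." + a) for a in allowed)

def check_message(raw):
    """Return findings for a single-part text message (multipart bodies are skipped)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    auth = " ".join(msg.get_all("Authentication-Results", []))
    body = "" if msg.is_multipart() else msg.get_payload()
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand not in display.lower() or in_allowed(from_domain, allowed):
            continue
        findings.append(f"display name claims {brand}, From domain is {from_domain}")
        # SPF/DKIM pass only vouches for the domain that actually sent the mail.
        dkim = re.search(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", auth)
        if dkim and re.search(r"spf=pass\b", auth):
            findings.append(f"spf/dkim pass for {dkim.group(1).lower()}, not {brand}")
        # Links in a brand-impersonating mail that leave the brand's domains.
        for host in sorted(set(re.findall(r"https?://([\w.-]+)", body))):
            if not in_allowed(host, allowed):
                findings.append(f"link to unrelated host {host.lower()}")
    return findings

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print(finding)
```

A passing SPF and DKIM result is reported as a finding here rather than as reassurance, because it confirms the mail really came from the unrelated sender domain and not from the brand in the display name.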