Stealer malware targets SA users’ ChatGPT data

By Christopher Tredger, Portals editor
Johannesburg, 22 Jun 2023

As more employees take advantage of chatbots to optimise their work, the threat posed by stealer malware, which infects devices, harvests the data stored on them and sells it on to other malware operators, has increased.

Steps to mitigate risk

  • Having visibility into dark web communities allows organisations to identify if their sensitive data or customer information is being leaked or sold.
  • Real-time Threat Intelligence enables them to take proactive action to mitigate the impact, notify affected individuals, and strengthen their security posture to prevent further damage.
  • Using real-time threat intelligence, companies can better understand the threat landscape, proactively protect their assets, and make informed decisions to strengthen their overall cybersecurity posture.

Singapore-based cyber security firm Group-IB says that by default, ChatGPT stores the history of user queries and AI responses. Consequently, unauthorised access to ChatGPT accounts may expose confidential or sensitive information, which can be exploited for targeted attacks against companies and their employees.

The threat is info stealer malware, which collects credentials and other data saved in various locations on an infected computer, including the installed browsers and their browsing history, and sends it to the malware operator.

Stealers can also collect data from instant messengers and emails, along with detailed information about the victim’s device. Stealers work non-selectively, Group-IB adds, and this type of malware infects as many computers as possible through phishing or other means in order to collect as much data as possible.

Group-IB has identified 1 019 infected devices with saved ChatGPT credentials in South Africa, making the country the second most threatened in the Middle East and Africa (MEA) region.

The company comments: “Info stealers have emerged as a major source of compromised personal data due to their simplicity and effectiveness. Logs containing compromised information harvested by info stealers are actively traded on dark web marketplaces. Additional information about logs available on such markets includes the lists of domains found in the log as well as the information about the IP address of the compromised host.”

Dark web market

Group-IB’s threat intelligence platform found these compromised credentials within the logs of info-stealing malware traded on illicit dark web marketplaces over the past year. The number of available logs containing compromised ChatGPT accounts reached a peak of 26 802 in May 2023.

MEA is also placed second on the global list of regions with the highest number of stealer-infected devices that had saved ChatGPT credentials.

In this region, Algeria, Egypt, Kenya, Morocco, Nigeria and Turkey were the most affected.

The Asia-Pacific region has experienced the highest concentration of ChatGPT credentials being offered for sale over the past year.

Group-IB adds, “The majority of logs containing ChatGPT accounts have been breached by the infamous Raccoon info stealer. The number of available logs containing compromised ChatGPT accounts has consistently increased month after month between June 2022 and March 2023.”

Dmitry Shestakov, head of threat intelligence at Group-IB, said, “Many enterprises are integrating ChatGPT into their operational flow. Employees enter classified correspondences or use the bot to optimise proprietary code. Given that ChatGPT’s standard configuration retains all conversations, this could inadvertently offer a trove of sensitive intelligence to threat actors if they obtain account credentials. At Group-IB, we are continuously monitoring underground communities to promptly identify such accounts.”

Group-IB advises users to update their passwords regularly and implement two-factor authentication.

By enabling two-factor authentication, users are required to provide an additional verification code, typically sent to their mobile devices, before accessing their ChatGPT accounts, the company added.