Barracuda Networks has recently uncovered a large-scale phishing campaign that targets users of ChatGPT by impersonating OpenAI. The attackers are sending deceptive emails that appear to be from “OpenAI Payments,” informing recipients that their most recent subscription payment for ChatGPT was unsuccessful. These emails prompt users to click on a link to update their payment information, a tactic designed to harvest sensitive credentials from unsuspecting victims. Barracuda has tracked over 1,000 phishing emails sent from a single fraudulent domain, “topmarinelogistics.com,” which underscores the widespread nature of this attack.
The phishing emails are crafted to look convincing and pass DKIM and SPF authentication checks, making them appear legitimate to recipients. Those checks only confirm that a message was authorized by its sending domain, not that the domain belongs to OpenAI. This level of sophistication allows the attackers to deceive individuals and organizations into believing they are communicating with a trusted entity. The emails direct users to a fake login page hosted on “fnjrolpa.com,” which has since gone offline. An analysis of this page revealed it was designed to closely mimic the official OpenAI login interface, further enhancing its potential to mislead victims.
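A detection check for this pattern, as an added example that is not from Barracuda's report: it flags mail whose display name or subject names a brand while the From domain and links belong to someone else, even when SPF and DKIM pass. The brand-to-domain map, the mailbox name, the receiving host and the URL path are assumptions made for the sample.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand keywords mapped to the domains that brand legitimately uses.
BRAND_DOMAINS = {"openai": {"openai.com"}, "chatgpt": {"openai.com"}}

# Constructed sample modelled on the reported campaign. The two domains are the
# ones named in the article; the mailbox, receiver and URL path are made up.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=topmarinelogistics.com; dkim=pass header.d=topmarinelogistics.com
From: "OpenAI Payments" <billing@topmarinelogistics.com>
To: user@example.org
Subject: Your ChatGPT subscription payment was unsuccessful

Update your payment information: https://fnjrolpa.com/login
"""

def under(host, allowed):
    """True if host equals, or is a subdomain of, any allowed domain."""
    return any(host == d or host.endswith("." + d) for d in allowed)

def analyze(raw):
    """Return findings for a message that names a brand it is not sent by."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    text = (display + " " + msg.get("Subject", "")).lower()
    claimed = set().union(*(d for kw, d in BRAND_DOMAINS.items() if kw in text))
    if not claimed or under(from_domain, claimed):
        return []  # no brand claimed, or sender really is in the brand's domain
    findings = ["brand_mismatch:" + from_domain]
    # Only trust Authentication-Results stamped by your own receiving MTA.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=pass" in auth or "dkim=pass" in auth:
        # A pass vouches for the sending domain only, not for the brand name.
        findings.append("auth_pass_for_unrelated_domain")
    body = " ".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    hosts = {h.strip(".").lower() for h in re.findall(r"https?://([\w.-]+)", body)}
    for host in sorted(hosts):
        if not under(host, claimed):
            findings.append("offbrand_link:" + host)
    return findings

if __name__ == "__main__":
    print(analyze(SAMPLE))
```
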
Barracuda’s Product Management team has highlighted the ease with which attackers can obtain access to new accounts through such phishing schemes. Once compromised, these accounts can be exploited to initiate additional phishing campaigns, creating a cycle of fraudulent activity that can impact numerous unsuspecting users. This method of credential harvesting is particularly alarming as it can lead to widespread repercussions across various sectors and organizations that utilize ChatGPT.
Interestingly, the domain hosting the phishing page was registered in December 2023, with WHOIS records indicating a registration address in Nepal, while the sending domain is noted to be registered in France. Additionally, the sender’s IP address has been traced back to Germany. This complexity in the registration and hosting locations points to a well-organized operation, likely designed to evade detection and prosecution. As phishing tactics continue to evolve, it remains crucial for users to stay informed and vigilant against such deceptive practices to protect their personal and organizational information.