How Threat Actors are Exploiting ChatGPT's Popularity to Spread Malware via Compromised Facebook Accounts Putting Over 500,000 People at Risk

CloudSEK's investigation has revealed the presence of 13 Facebook pages/accounts (totaling over 500K followers) that have been compromised and are being used to disseminate the malware via Facebook ads.

Bablu Kumar
March 27, 2023
Last update posted on February 3, 2024

Researcher: Bablu Kumar

Introduction

ChatGPT has gained significant attention lately, and for good reasons. Its potential benefits and ability to enhance work efficiency and effectiveness have piqued the interest of individuals across various sectors. Unfortunately, this heightened interest has also attracted the attention of threat actors who seek to exploit the hype and capitalize on the technology's popularity for their gain.

CloudSEK has recently released a research paper that sheds light on the nefarious tactics employed by threat actors to hijack existing YouTube accounts. These tactics include leveraging previously compromised data, phishing techniques, and the use of stealer logs. This blog reveals that threat actors may have also infiltrated Facebook accounts and pages using the same methods. These compromised accounts and pages are being used to distribute malware through various channels, such as Trello boards, Google Drive, and various individual websites, that are embedded in Facebook ads. 

The ads are designed in such a way that they appear legitimate, containing all the necessary details to appear convincing to unsuspecting users. The download link is accompanied by a password to lend further credibility to the scam. Furthermore, compromised accounts can also result in the theft of personally identifiable information (PII) and sensitive details such as payment information, etc. Semrush, SMIT, Evoto, and OBS Studio are a few other websites targeted in a similar manner.

Modus Operandi

Facebook is among the world's largest social networking platforms, with over 2.96 billion monthly active users. In our recent research, it has come to light that several potentially high-follower Facebook pages have been compromised and hijacked to spread malware at an unprecedented pace. It can be understood using this simple illustration.

Infection chain - compromised Facebook accounts spreading malware

After taking over a Facebook account or page, the threat actors modify the profile information to make it appear as if it is an authentic ChatGPT page. This involves using the username "ChatGPT OpenAI" and setting the ChatGPT image as the profile picture. These accounts are then used to run Facebook ads offering links to the “latest version of ChatGPT, GPT-V4” which, when downloaded and run, deploys stealer malware onto the victim’s device. (For more information please refer to the Appendix section)


Information from OSINT

The circulated malware is capable of stealing sensitive information from the user’s device, including but not limited to PII, system information, credit card details, etc. The malware also has replication capabilities, which makes it easier to spread across systems through the means of removable media.

Additionally, the malware can escalate privileges and has persistence mechanisms that enable it to remain on the system and gain further leverage. Upon running the malware through VirusTotal it was found to be flagged “malicious” by 9 out of 61 security vendors.

Several security vendors flagged the binary as malicious

Analysis of the Compromised Facebook Accounts

Our investigation has revealed the presence of 13 Facebook pages/accounts (totaling over 500K followers) that have been compromised and are being used to disseminate the malware via Facebook ads. The oldest instance of such a hijacking, as identified by our researcher, dates back to 13 February 2023 and pertains to a page with over 23K followers. Furthermore, we have observed that the actors also targeted newly created accounts, some of which were as young as 0 days old. (Refer to the complete list of compromised accounts analyzed for more details)

Upon conducting a deeper analysis of the Facebook pages, we observed several noteworthy findings. Despite the original pages catering to diverse nationalities across various countries, a majority of the compromised Facebook accounts were being managed by individuals hailing from Vietnam, the Philippines, Brazil, Pakistan, and Mexico. Threat actors from Vietnam and the Philippines exhibited the highest incidence of compromised accounts among the aforementioned countries.

Another interesting observation arising from our analysis is the repeated use of a specific video (which was originally posted on this YouTuber's channel) to attract and engage the audience across the majority of the compromised accounts. This pattern suggests that this campaign, of deploying malware via Facebook ads, is most likely the activity of a distinct group of threat actors or an individual threat actor.

Repeated use of a particular video on the compromised Facebook pages

Hosting Malware on Legitimate Platforms

Our observations have led us to discover that threat actors are resorting to the use of legitimate websites as hosts for malware. Some of the most common platforms that have been exploited in this manner include Google Drive, Trello, and individual websites. This trend is not new, but it presents a significant challenge to the security community, as it is often difficult to separate a legitimate site from the malicious content hosted on it without blocking the site as a whole.

Frequent activities noticed on the Trello board used for hosting the malware

Information from Trello

A closer look at the Trello cards has yielded an intriguing finding that deserves attention. The status names that are being utilized, such as Cần làm (To do), Đang làm (Doing), and Đã xong (Done), are written in Vietnamese. This observation could provide valuable insights into the origins and motives of the threat actors who are leveraging Trello as a platform for disseminating malware.

The Trello account responsible for the distribution of the malware is registered under the name "Tony." This account has been active since March 15, 2023, with the most recent card update occurring on March 18, 2023. It is noteworthy that most of the Facebook ads in circulation contain a link to this Trello account, suggesting that the threat actors have been using this specific card to disseminate the malware.

(For more information please refer to the Appendix section)

The tables below contain details of the threat actors and the Trello cards used by them to disseminate malware.

Threat Actors' Trello Profiles

  • hxxps://trello[.]com/u/darleen1942/activity
  • hxxps://trello[.]com/u/vanonian3082z/activity
  • hxxps://trello[.]com/u/dennsosambitp/activity

Malware Distributing URLs (Trello cards and Google Drive)

  • hxxps://trello[.]com/c/zBYusnD5/7-chatv4pass8883
  • hxxps://trello[.]com/c/MQUn4GKp/1-chat-1
  • hxxps://trello[.]com/c/OmgcXsOC/2-111
  • hxxps://trello[.]com/c/50PLizDm/1-bot-1
  • hxxps://trello[.]com/c/0EJaknGH/4-chatgpt
  • hxxps://trello[.]com/c/eHQlpx3L/6-chatgpt-openai-full-destop-63f6f5c3ae530d5930f758b2
  • hxxps://drive.google[.]com/u/0/uc?id=1dkIb0pKI-inGMQw1WeKP9VVO6ALuF7vr&export=download&fbclid=IwAR3nT2jzFLpbnA-iBQ9gTlQh3yabpXhnb3o37e9YK-jhUGG_14tsSed1P_c
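Before the indicators above can be loaded into a blocklist or matched against proxy logs, they have to be refanged and canonicalized: the Google Drive link, for instance, carries an `fbclid` click-tracking parameter that differs per ad click, so matching on the raw string would miss most hits. The script below is an added example and not CloudSEK's own tooling; the URLs are copied verbatim from the list above, and the record layout and the set of tracking parameters to strip are this example's own assumptions.

```python
"""Normalize the defanged indicators published above into records a
blocklist or SIEM lookup can consume.  Added example; the URLs are the
ones from the table, the record format is this example's assumption."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Indicators exactly as published (defanged) on the page.
DEFANGED_IOCS = [
    "hxxps://trello[.]com/u/darleen1942/activity",
    "hxxps://trello[.]com/u/vanonian3082z/activity",
    "hxxps://trello[.]com/u/dennsosambitp/activity",
    "hxxps://trello[.]com/c/zBYusnD5/7-chatv4pass8883",
    "hxxps://trello[.]com/c/MQUn4GKp/1-chat-1",
    "hxxps://trello[.]com/c/OmgcXsOC/2-111",
    "hxxps://trello[.]com/c/50PLizDm/1-bot-1",
    "hxxps://trello[.]com/c/0EJaknGH/4-chatgpt",
    "hxxps://trello[.]com/c/eHQlpx3L/6-chatgpt-openai-full-destop-63f6f5c3ae530d5930f758b2",
    "hxxps://drive.google[.]com/u/0/uc?id=1dkIb0pKI-inGMQw1WeKP9VVO6ALuF7vr&export=download&fbclid=IwAR3nT2jzFLpbnA-iBQ9gTlQh3yabpXhnb3o37e9YK-jhUGG_14tsSed1P_c",
]

# Query parameters that only carry click-tracking state (assumed list).
# Dropping them yields one canonical URL per payload, not one per ad click.
TRACKING_PARAMS = {"fbclid", "utm_source", "utm_medium", "utm_campaign"}


def refang(ioc: str) -> str:
    """Undo the usual defanging conventions: hxxp -> http, [.] -> ., [:] -> :."""
    ioc = ioc.strip()
    ioc = re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":")


def canonicalize(url: str) -> str:
    """Lowercase the host, drop tracking parameters and any fragment."""
    parts = urlsplit(url)
    kept = {k: v for k, v in parse_qs(parts.query, keep_blank_values=True).items()
            if k not in TRACKING_PARAMS}
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path,
                       urlencode(kept, doseq=True), ""))


def classify(url: str) -> dict:
    """Label the indicator and extract the identifier worth matching on."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    segs = [s for s in parts.path.split("/") if s]
    query = parse_qs(parts.query)
    record = {"url": url, "host": host, "kind": "other", "id": None}
    if host == "trello.com" and len(segs) >= 2 and segs[0] == "u":
        record.update(kind="trello_profile", id=segs[1])
    elif host == "trello.com" and len(segs) >= 2 and segs[0] == "c":
        # /c/<short-id>/<slug>: the short id still identifies the card
        # if the actor renames it, so that is the value to pivot on.
        record.update(kind="trello_card", id=segs[1])
    elif host == "drive.google.com" and "id" in query:
        record.update(kind="gdrive_file", id=query["id"][0])
    return record


def normalize(iocs=DEFANGED_IOCS) -> list:
    """Defanged text -> list of canonical indicator records."""
    return [classify(canonicalize(refang(ioc))) for ioc in iocs]


if __name__ == "__main__":
    for rec in normalize():
        print(f"{rec['kind']:15} {rec['id'] or '-':36} {rec['url']}")
```

The Trello short id and the Drive file id are kept as separate fields because those are the stable values: the actor can rename a card (changing the slug) or wrap the Drive link in a different redirector without changing either identifier.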

Information from Individual Websites

Our research uncovered at least 25 individual websites that have been engaging in the nefarious practice of impersonating the OpenAI.com website. These malicious sites are duping individuals into downloading and installing harmful software, posing a severe risk to their security and privacy. (For more information please refer to the Appendix section)

Malicious Domain                  Creation Date

https://nutrientnirvana[.]com/    22 December 2022
http://gpt-chat[.]cloud/          18 March 2023
https://chat-gpt[.]org/chat       11 December 2022
https://chatgptchat[.]org/        3 February 2023
https://ai-chat[.]org/            8 February 2023
https://gpt-ai[.]org/             10 February 2023
https://rebrand[.]ly/GPT4V1       12 September 2014
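Six of the seven domains in the table were registered within a few months of the campaign, which is the classic "newly registered domain" signal; the seventh, rebrand[.]ly, dates from 2014 because it is a legitimate link shortener, so its age says nothing about where the link leads. The triage below is an added example, not CloudSEK's tooling: it assumes the printed creation dates are registration dates, uses this post's publication date (27 March 2023) as the reference point, and the 120-day threshold and the shortener list are this example's own choices.

```python
"""Domain-age triage for the impersonation domains listed above.
Added example.  Assumptions: creation dates as printed are registration
dates, the reference date is the post's publication date, and both the
age threshold and the redirector list are this example's own choices."""
from datetime import date, datetime
from urllib.parse import urlsplit

REPORT_DATE = date(2023, 3, 27)      # publication date of this post
NEW_DOMAIN_DAYS = 120                # assumed threshold; tune per environment
KNOWN_REDIRECTORS = {"rebrand.ly"}   # assumed list of legitimate link shorteners

# Rows copied from the table above (still defanged).
DOMAIN_TABLE = [
    ("https://nutrientnirvana[.]com/", "22 December 2022"),
    ("http://gpt-chat[.]cloud/", "18 March 2023"),
    ("https://chat-gpt[.]org/chat", "11 December 2022"),
    ("https://chatgptchat[.]org/", "3 February 2023"),
    ("https://ai-chat[.]org/", "8 February 2023"),
    ("https://gpt-ai[.]org/", "10 February 2023"),
    ("https://rebrand[.]ly/GPT4V1", "12 September 2014"),
]


def host_of(defanged_url: str) -> str:
    """Refang '[.]' and return the lowercase host part of the URL."""
    return urlsplit(defanged_url.replace("[.]", ".")).netloc.lower()


def assess(defanged_url: str, created: str, report_date: date = REPORT_DATE) -> dict:
    """Classify one row as redirector, newly_registered or aged."""
    host = host_of(defanged_url)
    age = (report_date - datetime.strptime(created, "%d %B %Y").date()).days
    if host in KNOWN_REDIRECTORS:
        # An old, reputable shortener: registration age is meaningless here;
        # the redirect target has to be resolved and assessed on its own.
        verdict = "redirector"
    elif age <= NEW_DOMAIN_DAYS:
        verdict = "newly_registered"
    else:
        verdict = "aged"
    return {"host": host, "age_days": age, "verdict": verdict}


def triage(rows=DOMAIN_TABLE) -> list:
    """Assess every row of the table."""
    return [assess(url, created) for url, created in rows]


def verdict_counts(rows=DOMAIN_TABLE) -> dict:
    """How many rows fall into each verdict."""
    counts = {}
    for rec in triage(rows):
        counts[rec["verdict"]] = counts.get(rec["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in triage():
        print(f"{rec['host']:22} {rec['age_days']:5d} days  {rec['verdict']}")
```

The redirector branch is the caveat worth keeping: a policy that only scores registration age would wave the rebrand[.]ly link through, so shortener hosts need to be expanded to their destination before the age check is applied.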

Other Websites on Radar

During the course of our investigation, we discovered several counterfeit software applications, advertised alongside the malicious ChatGPT software, on the same Trello cards. These applications may currently be in use for various nefarious purposes, including but not limited to, fraudulent Facebook advertising. The list of targeted software* uncovered by CloudSEK includes the following:

  • Semrush: A platform for keyword research and online ranking data.
  • SMIT: A social media advertising tool for marketing experts
  • Evoto: An AI photo editing software.
  • OBS Studio: A free and open-source screencasting and streaming app
  • Photo Editors

*Note: All the compromised companies mentioned in the report are legitimate and are not responsible in any way for threat actors imitating or abusing them or their brand name. Additionally, some companies even have a disclaimer that explicitly warns users against sharing credit card details and other sensitive information.

List of Compromised Facebook Accounts Analyzed

Affected Facebook Account/Page                             Date of Compromise   Followers

https://www.facebook.com/chatsopenai/                      13 February 2023     23,527
https://www.facebook.com/chat.openais/                     27 February 2023     37,307
https://www.facebook.com/openaischat/                      6 March 2023         11,680
https://www.facebook.com/ChatGPT4/                         9 March 2023         33,084
https://www.facebook.com/chatgptai4.0/                     13 March 2023        18,703
https://www.facebook.com/tiktokUSS                         15 March 2023        123,000
https://www.facebook.com/chatgptdotcom/                    16 March 2023        18,468
https://www.facebook.com/buyurcars                         16 March 2023        26,000
https://www.facebook.com/ChatOpen-AI-419029688653893/      18 March 2023        28,204
https://www.facebook.com/KnockingNews/                     18 March 2023        214,170
https://www.facebook.com/profile.php?id=100083053914779    18 March 2023        73
https://www.facebook.com/profile.php?id=100090989901546    19 March 2023        0 (New Account)
https://www.facebook.com/profile.php?id=100090478546947    19 March 2023        0 (New Account)
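The headline figure ("over 500K followers") and the timeline ("oldest instance 13 February 2023") can be recomputed from the table. The script below is an added example, not CloudSEK's own tooling: the rows are copied from the table as the page prints them, and the parser assumes each row is a URL followed by "<day> <Month> <year> <followers>" with an optional trailing note such as "(New Account)".

```python
"""Parse the compromised-account table above and aggregate it.
Added example; rows are copied from the page, the row format is assumed."""
import re
from datetime import datetime

# (page URL, "date followers [note]") rows as printed on the page.
ROWS = [
    ("https://www.facebook.com/chatsopenai/", "13 February 2023 23,527"),
    ("https://www.facebook.com/chat.openais/", "27 February 2023 37,307"),
    ("https://www.facebook.com/openaischat/", "6 March 2023 11,680"),
    ("https://www.facebook.com/ChatGPT4/", "9 March 2023 33,084"),
    ("https://www.facebook.com/chatgptai4.0/", "13 March 2023 18,703"),
    ("https://www.facebook.com/tiktokUSS", "15 March 2023 123000"),
    ("https://www.facebook.com/chatgptdotcom/", "16 March 2023 18,468"),
    ("https://www.facebook.com/buyurcars", "16 March 2023 26000"),
    ("https://www.facebook.com/ChatOpen-AI-419029688653893/", "18 March 2023 28,204"),
    ("https://www.facebook.com/KnockingNews/", "18 March 2023 214,170"),
    ("https://www.facebook.com/profile.php?id=100083053914779", "18 March 2023 73"),
    ("https://www.facebook.com/profile.php?id=100090989901546", "19 March 2023 0 (New Account)"),
    ("https://www.facebook.com/profile.php?id=100090478546947", "19 March 2023 0 (New Account)"),
]

# "<d> <Month> <yyyy> <followers, with or without thousands separators> [note]"
ROW_RE = re.compile(r"^(?P<date>\d{1,2} [A-Za-z]+ \d{4})\s+(?P<followers>[\d,]+)(?P<note>.*)$")


def parse_row(url: str, detail: str) -> dict:
    """Turn one printed row into a typed record; raise on anything unexpected."""
    m = ROW_RE.match(detail.strip())
    if not m:
        raise ValueError(f"unparseable row: {detail!r}")
    return {
        "url": url,
        "compromised": datetime.strptime(m["date"], "%d %B %Y").date(),
        "followers": int(m["followers"].replace(",", "")),
        "new_account": "new account" in m["note"].lower(),
    }


def summarize(rows=ROWS) -> dict:
    """Aggregate the table: size, reach, time span, and newly created accounts."""
    recs = [parse_row(url, detail) for url, detail in rows]
    largest = max(recs, key=lambda r: r["followers"])
    return {
        "accounts": len(recs),
        "total_followers": sum(r["followers"] for r in recs),
        "earliest": min(r["compromised"] for r in recs),
        "latest": max(r["compromised"] for r in recs),
        "new_accounts": sum(1 for r in recs if r["new_account"]),
        "largest": largest["url"],
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key:16} {value}")
```

Two pages (KnockingNews and tiktokUSS) account for well over half of the total reach, which is the usual shape of such campaigns: a handful of hijacked high-follower pages carry the ads, padded out with freshly created throwaway accounts.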

Appendix

Actors targeting OBS, Evoto, SMIT, and Semrush using malware

Threat actors using this well-known YouTuber to earn trust and facilitate this campaign

Updated details after compromising the accounts

Running Facebook ads via compromised Facebook accounts

Actors managing the Facebook pages

Vietnamese names present on the Trello board hosting the malware

Trello board hosting the malware

Websites impersonating OpenAI.com

Threat actors changing the Facebook profile details and using OpenAI’s Logo

Several individuals flagged the page as a scam/malicious

Facebook page sharing malicious links

Trello download link in Facebook posts

Facebook accounts being managed by individuals (likely threat actors) from several countries

Facebook sponsored link referring to a fake ChatGPT website

Facebook sponsored link referring to ChatGPT malware

Multiple domains distributing ChatGPT malware

Facebook sponsored link referring to ChatGPT malware

 

Author

Bablu Kumar

Bablu is a technology writer and an analyst with a strong focus on all things cybersecurity
