The dark web has seen a spike in the trade of stolen ChatGPT credentials, particularly those of premium accounts. This allows cybercriminals to bypass OpenAI’s geofencing limitations and gain unlimited access to ChatGPT.
Check Point stated in a blog post that “during the last month CPR (Check Point Research) observed an increase of chatter on underground forums related to the leakage or sale of compromised ChatGPT Premium accounts.” “Most of these accounts are sold. However, some actors share the stolen ChatGPT accounts for free to promote their services or tools that allow them to steal accounts.”
Criminal activities in ChatGPT
Over the last month, researchers have noticed various types of trade and discussion related to ChatGPT on the dark web.
Recent dark web activity related to ChatGPT includes the leakage and free publication of ChatGPT account credentials, as well as the trade of stolen premium ChatGPT accounts.
ChatGPT is also a target for cybercriminals who use brute-force and checker tools. Cybercriminals can break into ChatGPT accounts by using these tools to run huge lists of email addresses and passwords to try to guess the correct combination.
Check Point’s blog said that the trade also includes ChatGPT Account as a Service, a dedicated account-opening service that offers to use stolen payment cards.
SilverBullet configuration on sale
Check Point reported that cybercriminals also offer a configuration file for SilverBullet, which allows a list of credentials to be checked against the OpenAI platform on an automated basis.
SilverBullet is a web-testing suite that allows users to send requests to a target web application. Cybercriminals use the same tool to perform credential stuffing and account-checking attacks against websites and to steal accounts on online platforms.
Researchers said that in the case of ChatGPT this allows them to steal large numbers of accounts. The process can be fully automated, and it can perform between 50 and 200 checks every minute. It also supports proxies, which in many cases allows it to bypass the protective measures websites deploy against such attacks.
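Why the proxy support matters to defenders, shown as an added example that is not from Check Point or the original article: the Python code below runs over constructed login events and flags a burst of failed logins spread across many accounts, even though no single IP address comes near a per-IP limit. The event tuple format, the thresholds and the sample addresses are assumptions.

```python
from collections import Counter, deque

WINDOW_S = 60            # sliding window, seconds
MIN_FAILS = 50           # low end of the 50-200 checks/minute cited above
MIN_UNIQUE_RATIO = 0.9   # assumed: stuffing tries each account about once
PER_IP_LIMIT = 10        # assumed per-IP lockout threshold, for comparison

def detect_stuffing(events):
    """events: time-sorted (ts_seconds, ip, username, success) tuples.
    Returns one alert per burst of failed logins spread over many accounts."""
    window, alerts, alerting = deque(), [], False
    for ts, ip, user, ok in events:
        if ok:
            continue
        window.append((ts, ip, user))
        while window[0][0] <= ts - WINDOW_S:   # expire old failures
            window.popleft()
        fails = len(window)
        users = {u for _, _, u in window}
        hit = fails >= MIN_FAILS and len(users) / fails >= MIN_UNIQUE_RATIO
        if hit and not alerting:               # alert once per burst
            per_ip = Counter(i for _, i, _ in window)
            alerts.append({
                "ts": ts,
                "fails": fails,
                "distinct_users": len(users),
                "distinct_ips": len(per_ip),
                "max_per_ip": max(per_ip.values()),
                # True would mean a plain per-IP limit had already fired
                "per_ip_limit_tripped": max(per_ip.values()) > PER_IP_LIMIT,
            })
        alerting = hit
    return alerts

def sample_events():
    """Constructed sample: a forgetful user, then a proxy-rotated run."""
    ev = [(t, "198.51.100.7", "alice@example.com", False)
          for t in range(0, 50, 10)]
    ev += [(1000 + i * 0.5, f"203.0.113.{i % 40}", f"user{i}@example.com", False)
           for i in range(120)]            # 120 checks/minute over 40 proxies
    return ev

if __name__ == "__main__":
    for alert in detect_stuffing(sample_events()):
        print(alert)
```

Repeated failures against a single account are deliberately not matched by this rule; that pattern is ordinary brute forcing and is better served by per-account lockout.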
“Another cybercriminal, who only focuses on abuse and fraud of ChatGPT products, has even called himself ‘gpt4.’” Check Point reported that he offered for sale in his threads not only ChatGPT accounts but also a configuration for another automated tool that checks the validity of credentials.
Lifetime upgrade to ChatGPT Plus
Check Point reported that on the 20th of March, an English-speaking cybercriminal began advertising a ChatGPT Plus lifetime account service with a 100% satisfaction guarantee.
The lifetime upgrade to a regular ChatGPT Plus account, opened using an email address from the buyer, costs $59.99, while OpenAI’s original legitimate price for this service was $20 per month.
Check Point stated that “this underground service offers the option of sharing access to ChatGPT with another cybercriminal at a cost of $24.99 for life.”
What can you do with a stolen ChatGPT account?
Credentials for premium ChatGPT accounts are in high demand among cybercriminals because they can be used to bypass geofencing restrictions. ChatGPT has geofencing limitations that restrict the service’s use in certain geographical areas, such as Iran, Russia and China.
Check Point stated that cybercriminals could bypass the restrictions by using the ChatGPT API and could also make use of premium accounts.
Cybercriminals can also use personal information to their advantage. ChatGPT accounts save the most recent questions of the account owner.
When cybercriminals steal accounts, they can access the original account owner’s queries. Check Point stated in a blog that this information can include personal data, corporate product and process details, and much more.
OpenAI, a Microsoft-backed company, revealed in March that a bug in a Redis open-source library led to a ChatGPT outage and a data leak. Users could view other users’ chat queries and personal information.
The company admitted that chat queries, personal information, such as names, emails, payment addresses and partial credit card numbers, were exposed.
Concerns about privacy in ChatGPT
In the past few months, several privacy and security concerns have been raised about ChatGPT. Italy’s data privacy regulator has already banned ChatGPT over privacy violations related to the chatbot’s collection and storage of personal data. The authorities have said that they will lift their temporary ban on ChatGPT once OpenAI meets a number of data protection standards by April 30, 2019.
A German data protection commissioner also warned that ChatGPT could be blocked in Germany because of data security concerns.
OpenAI announced earlier this week a bug-bounty program, inviting the global community to identify and fix vulnerabilities in the company’s generative artificial intelligence systems.
OpenAI offers cash rewards ranging from $200 for less serious discoveries up to $20,000.