The campaign impersonates ChatGPT subscription renewal notices to harvest login credentials and payment details, exploiting the platform’s restricted access model for the GPT-4 API and ChatGPT Plus services. A typical message carries the subject line “Action Required: Secure Continued Access to ChatGPT with a $24 Monthly Subscription” and spoofs the sender address as noreply@chatgpt-auth[.]net, a domain registered through PrivacyGuardian.org just 72 hours before the campaign began. The email body contains HTML/CSS cloned from legitimate OpenAI communications, including the official logo and color scheme (#10A37F). Symantec’s reverse engineering of the attack chain shows the phishing kit uses ChatGPT’s own API (v4.8.1) to generate personalized content.

Homograph Domain: The “Update Billing” button links to chatgpt-payment[.]online, a Punycode-registered domain that displays as “chatgpt-pаyment[.]online” (with a Cyrillic ‘а’ in place of the Latin ‘a’).

Base64 Obfuscation: The embedded URL decodes to hxxps://185[.]63[.]112[.]44/.well-known/auth, an IP address linked to previous Rhadamanthys malware campaigns.

OpenAI’s internal logs show 2,403 compromised API keys used for malicious content generation in Q4 2024 alone, a 647% increase from the previous quarter. CheckPoint reports a 910% increase in ChatGPT-themed domains since 2023, while Palo Alto’s Unit42 found 17,818% growth in AI phishing infrastructure.

Researchers advise victims to revoke API keys and rotate credentials through OpenAI’s Dashboard (IAM > API Keys > Rotate).

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security.
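As an added illustration (not code from the article or from any of the vendors it cites), the following Python script performs the two checks an analyst or mail filter would run against the artifacts described: unfolding a mixed-script homograph hostname into the Punycode form that is actually resolved, and decoding a Base64-wrapped button link to expose its real target. The sample domain and HTML snippet are constructed from the values in the report, not captured mail.

```python
import base64
import re
import unicodedata

# Constructed samples modelled on the artifacts described in the report (not captured mail):
# a display-form hostname with a Cyrillic 'а' (U+0430) in place of the Latin 'a', and an
# HTML button whose href is the Base64 form of the defanged URL the article names.
SAMPLE_DOMAIN = "chatgpt-p\u0430yment.online"
_ENCODED = base64.b64encode(b"hxxps://185[.]63[.]112[.]44/.well-known/auth").decode("ascii")
SAMPLE_HTML = f'<a style="background:#10A37F" href="{_ENCODED}">Update Billing</a>'

def script_of(ch: str) -> str:
    """Coarse script tag from the Unicode name ('LATIN', 'CYRILLIC', ...); digits/punctuation are COMMON."""
    if not ch.isalpha():
        return "COMMON"
    return "LATIN" if ch.isascii() else unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def analyze_domain(domain: str) -> dict:
    """Flag a hostname whose letters come from more than one script and show the Punycode (xn--)
    form a mail client would resolve; pure-ASCII names come back unchanged and unflagged."""
    letters = [c for label in domain.lower().split(".") for c in label]
    scripts = {script_of(c) for c in letters} - {"COMMON"}
    try:
        punycode = domain.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None  # label too long or disallowed code points: still worth a look
    return {
        "display": domain,
        "punycode": punycode,
        "mixed_script": len(scripts) > 1,
        "non_latin": [f"U+{ord(c):04X}" for c in letters if script_of(c) not in ("LATIN", "COMMON")],
    }

_B64_LINK = re.compile(r'''(?:href\s*=\s*|atob\(\s*)["']([A-Za-z0-9+/=]{16,})["']''', re.I)

def decode_embedded_links(html: str) -> list:
    """Recover the real targets of Base64-only href values (or atob() arguments) in an email body."""
    targets = []
    for blob in _B64_LINK.findall(html):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not a valid Base64-encoded URL; ignore
        if decoded.lower().startswith(("http://", "https://", "hxxp")):
            targets.append(decoded)
    return targets
```

Run `analyze_domain(SAMPLE_DOMAIN)` and `decode_embedded_links(SAMPLE_HTML)` to see the mixed-script flag with the xn-- form, and the decoded defanged target, respectively.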
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 24 Feb 2025 12:10:12 +0000