Beware of ChatGPT Impersonators: Tips to Avoid Falling Victim to Phishing Scams

Table of Contents

Executive Summary
ChatGPT Phishing Methods
Scenario
Case Studies
IOCs
Rules

Foreword

In November 2022, OpenAI launched ChatGPT, which quickly became one of the fastest-growing AI tools, attracting over 100 million users. The release of ChatGPT generated a lot of buzz because of its impressive capabilities.

Trained on vast amounts of data, ChatGPT can answer a wide range of questions and help users increase their productivity. Its popularity and usefulness have made it a frequent topic of discussion.

As an AI language model, ChatGPT itself does not engage in phishing. However, attackers can use ChatGPT or similar language models to write more convincing phishing messages, and, as the case studies and indicators below show, they also trade on the ChatGPT brand itself with look-alike domains that deliver malware.

Executive Summary

ChatGPT-based phishing typically involves using a language model to generate messages that appear to come from a trusted source, such as a bank, social media platform, or online retailer. The messages may contain links to fake websites designed to look like the real thing, and may prompt the user to enter login credentials, credit card information, or other sensitive data.

To protect yourself from ChatGPT-based phishing and other phishing attacks, be wary of any unsolicited message that asks you to click a link or provide personal information. Look for signs that the message may be fake, such as typos, strange formatting, or requests for information the legitimate sender would not normally ask for. Bear in mind, though, that a message written with a language model will usually be free of the spelling and grammar mistakes that once gave phishing away, so do not rely on those cues alone. Always verify the legitimacy of the message or website by contacting the sender through a channel you already trust, or by typing the URL into your browser yourself instead of clicking a link in the message.

ChatGPT Phishing Methods

In recent months, we have seen an increase in phishing methods that use ChatGPT to create convincing messages that trick users into divulging sensitive information or clicking on malicious links.

One such method involves using ChatGPT to generate personalized phishing emails that appear to come from a trusted source, such as a bank or an employer. Attackers can use information gathered from social media or other sources to make the message appear more authentic and increase the likelihood that the recipient will fall for the scam.

Another method involves using ChatGPT to write convincing chatbot scripts for use in phishing attacks. The chatbot poses as a customer service representative or other trusted individual, and the user is prompted to enter sensitive information or click on a link that leads to a malicious website.

To make matters worse, ChatGPT can also be used in producing deepfake videos or audio recordings that further trick users into divulging sensitive information. ChatGPT itself only produces text, and the voice or video is synthesized with separate tools, but the model can write a convincing speech or directive in the style of a trusted individual, such as a CEO or government official, which is then voiced or rendered and used to push the victim into taking action.

While the use of ChatGPT in phishing attacks is concerning, there are steps that can be taken to protect against these attacks. One effective approach is to educate users on how to identify and avoid phishing attempts, including looking for telltale signs such as misspellings, suspicious URLs, or requests for sensitive information. Additionally, organizations can implement technologies that detect and block suspicious emails or chatbot interactions.

One important consideration with ChatGPT-based phishing is that these attacks are often highly personalized and targeted. Attackers may use social engineering tactics to gather information about the victim, such as their name, job title, or even their location, which can be used to create more convincing messages. Attackers may also use ChatGPT to generate responses that appear to come from a trusted individual, such as a friend or colleague, which further increases the likelihood that the victim will fall for the scam.

Another important factor is the role that artificial intelligence and machine learning can play in detecting and preventing these attacks. As ChatGPT and other language models become more sophisticated, it may be possible to use these technologies to detect suspicious messages or interactions based on their language or behavior. Machine learning algorithms can also be used to analyze patterns in phishing attacks and identify new or emerging threats.

However, there are also risks associated with using AI and machine learning in cybersecurity. Attackers can use the same technologies to create more sophisticated and convincing phishing attacks, making it harder for traditional detection methods to identify and block them.

Overall, the rise of ChatGPT-based phishing highlights the need for a multi-faceted approach to cybersecurity that includes both education and technology. By staying vigilant and learning how to identify and avoid phishing attacks, individuals can play an important role in protecting themselves and their organizations. At the same time, advances in AI and machine learning can help detect and prevent these attacks before they cause harm.

Scenario

One way to run a simulated ChatGPT-themed phishing exercise is as follows:

1. Set up a simulated chatbot that mimics the appearance and behavior of the real OpenAI ChatGPT interface.
2. Send a simulated email or other communication to employees, inviting them to try out the chatbot for work-related purposes.
3. When employees interact with the simulated chatbot, present them with realistic phishing scenarios, such as requests for login credentials, personal information, or other sensitive data.
4. After employees interact with the chatbot, give them immediate feedback on whether their responses were correct or incorrect.
5. Follow up with additional training and education for employees who fell for the simulated phishing attacks, to help them improve their awareness and understanding of phishing tactics.

It is important to prioritize ethical and legal considerations when it comes to cybersecurity and to promote safe and responsible technology use. Organizations should use ethical and legal methods of conducting simulated phishing campaigns, such as pre-built platforms or professional security companies that specialize in such activities.

Case Studies

Openai-pc-pro.online

In this scenario, the attacker creates a website that appears to belong to a legitimate company or organization, such as a bank or a government agency. The website is designed to look and feel authentic, with logos, branding, and other elements consistent with the targeted organization.

When a user visits the website, they are prompted to enter their login credentials or other sensitive information. However, instead of simply asking the user to type this information into a form, the website incorporates a ChatGPT-powered chatbot that engages the user in conversation.

The chatbot appears to be a customer service representative or other trusted individual, and the user is prompted to enter their information in a more conversational manner. For example, the chatbot may ask questions such as "Can you tell me your name and account number so I can verify your identity?" or "Can you confirm your email address so we can send you a password reset link?"

Because the chatbot uses natural language processing and machine learning to generate responses, it can adapt to the user's replies and create a convincing, personalized interaction. The user may not realize that they are talking to a machine, and may be more likely to trust the chatbot and hand over sensitive information.

Once the attacker has obtained the user's login credentials or other sensitive information, they can use it to access the user's accounts or steal their identity.

To protect against this type of attack, employees need to be aware of the risks associated with phishing and to be cautious when entering sensitive information online. Organizations can also implement technologies that detect and block suspicious websites or chatbot interactions, and can train employees on how to identify and avoid phishing attempts. By working together, we can stay ahead of emerging threats and keep our digital world safe and secure.

Clip[1].exe

PE import analysis is one of the methods used in malware analysis to identify malicious code within a binary. It involves examining the functions and libraries a binary imports, which reveals what the program is capable of doing. The libraries imported by this sample are listed below. All of them are legitimate Windows system DLLs; what matters is which functions are imported from them and in what combination.

COMCTL32.DLL:
A legitimate Windows library containing functions for common GUI controls such as buttons, scrollbars, and menus. Importing it is not suspicious by itself.

COMDLG32.DLL:
A legitimate Windows library containing functions for common dialog boxes such as file open and save dialogs. Importing it is not suspicious by itself.

GDI32.dll:
A legitimate Windows library containing the graphics device interface (GDI) functions used for drawing on the screen and printing. Importing it is not suspicious by itself.

KERNEL32.dll:
A core Windows library containing memory management, process management, and other system-level functions. Almost every program imports it, but malware relies on it heavily for process injection, file manipulation, dynamic API resolution, and similar activities.

msvcrt.dll:
The Microsoft C runtime library, providing memory allocation, input/output, and string manipulation functions. Benign by itself, but malware uses these same functions for memory manipulation and file operations.

USER32.dll:
A Windows library containing user interface and window management functions. Malware may abuse it to capture user input, display fake error messages, or manipulate windows.

In summary, COMCTL32.DLL, COMDLG32.DLL, and GDI32.dll are unremarkable imports for a GUI program, while KERNEL32.dll and USER32.dll provide the system-level and user interface functions that malware most often abuses, and msvcrt.dll may be used for its memory and input/output functions. However, an unremarkable import list does not mean the file is clean: malware can hide its real imports by resolving APIs at runtime. It is therefore important to analyze other aspects as well, such as the sample's behavior, network traffic, and system logs, to detect and investigate an infection.

General overview of the functions imported by the sample and their potential use in malware:

CreateToolbarEx: creates a toolbar control that can be used to display buttons or other UI elements
ImageList_Create: creates an image list that can be used to store and display images
ImageList_Destroy: destroys an image list and frees associated resources
ImageList_Remove: removes an image from an image list
ImageList_ReplaceIcon: replaces an image in an image list with an icon
ImageList_SetBkColor: sets the background color for an image list
InitCommonControlsEx: initializes the common controls library for the current application
GetOpenFileNameA: displays a dialog box that allows the user to select a file to open
GetSaveFileNameA: displays a dialog box that allows the user to select a file to save
CreateWaitableTimerW: creates a waitable timer object; together with SetWaitableTimer it can implement long delays intended to outlast sandbox analysis
DeleteCriticalSection: deletes a critical section object
EnterCriticalSection: enters a critical section object
ExitProcess: terminates the current process
FindClose: closes a search handle created by FindFirstFileA
FindFirstFileA: finds the first file that matches a specified pattern; with FindNextFileA it enumerates directories
FindNextFileA: finds the next file that matches a specified pattern
FreeConsole: detaches the calling process from its console, which hides the console window of a command-line payload
FreeLibrary: frees the loaded DLL module
GetCommandLineA: retrieves the command-line string for the current process
GetLastError: retrieves the calling thread's last-error code value
GetModuleFileNameA: retrieves the fully qualified path for the specified module
GetModuleHandleA: retrieves a module handle for the specified module
GetProcAddress: retrieves the address of an exported function or variable from the specified dynamic-link library (DLL); paired with LoadLibraryA it lets malware resolve APIs at runtime so they never appear in the static import table
GetStdHandle: retrieves a handle to the specified standard device
InitializeCriticalSection: initializes a critical section object
LeaveCriticalSection: releases ownership of a critical section object
LoadLibraryA: loads the specified DLL module into the address space of the calling process
SetUnhandledExceptionFilter: sets a new exception filter function; also used as an anti-debugging trick, because the filter is not invoked while a debugger is attached
SetWaitableTimer: sets a waitable timer to a specified time value
TlsGetValue: retrieves the value in the calling thread's thread local storage (TLS) slot for the specified TLS index
VirtualProtect: changes the access protection of the specified memory region, typically to make unpacked or injected code executable
VirtualQuery: retrieves information about a range of pages within the virtual address space of a specified process
Here are the steps to perform PE import analysis on a sample:

1. Open the binary in a disassembler or analysis tool such as IDA Pro or Ghidra, or dump its import table with a PE inspection tool.
2. Locate the import directory (the Import Address Table, IAT) referenced from the PE optional header's data directories; it lists every external library and function the binary calls during execution.
3. Identify libraries and functions that are commonly abused. Libraries such as kernel32.dll and advapi32.dll are not malicious themselves, since nearly every Windows program imports them, but they expose the functions used for process injection, service manipulation, and privilege escalation, so their imports deserve a closer look.
4. Look for functions that are not typically used by legitimate programs of this kind or that have suspicious uses. For example, functions related to network communication or process manipulation are frequently used by malware.
5. Look for attempts to obfuscate or hide imports, such as resolving APIs at runtime with LoadLibrary and GetProcAddress or looking them up by hashed function name, which leaves the static import table looking innocuous.
6. Cross-reference the identified imports with known malware samples or threat intelligence databases to determine whether they are associated with known malicious activity.
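The procedure above can be automated. The following is an added example, not code from the report or from the sample's authors: a standard-library PE32/PE32+ import directory walker (steps 1 and 2) plus a small capability triage over the imports the report lists for Clip[1].exe (steps 3 to 5). Because the real sample is not available here, the script builds a constructed minimal PE whose only valid content is the headers and an import table; the capability labels and the idea that certain combinations (LoadLibraryA plus GetProcAddress, VirtualProtect) deserve a closer look are this example's own assumptions, not findings from the report.

```python
import struct

# Capability groupings used for triage. The function names come from the report's
# import list; the labels and the "interesting combination" logic are assumptions
# made for this example.
CAPABILITIES = {
    "dynamic API resolution": {"LoadLibraryA", "GetProcAddress"},
    "memory protection change (unpacking / injection)": {"VirtualProtect"},
    "file system enumeration": {"FindFirstFileA", "FindNextFileA"},
    "timer-based delay (sandbox evasion)": {"CreateWaitableTimerW", "SetWaitableTimer"},
}


def build_sample_pe(imports):
    """Constructed test input: a minimal PE32 whose only valid content is the
    headers and an import directory describing `imports` ({dll: [func, ...]}).
    It is not runnable as a program; it only exercises the parser offline."""
    sec_rva, sec_raw = 0x1000, 0x200                       # one section, ".idata"
    data = bytearray(b"\0" * (20 * (len(imports) + 1)))    # descriptor slots + terminator
    descs = []
    for dll, funcs in imports.items():
        name_rvas = []
        for f in funcs:                                    # IMAGE_IMPORT_BY_NAME: hint(2) + name + NUL
            if len(data) % 2:
                data.append(0)
            name_rvas.append(sec_rva + len(data))
            data += struct.pack("<H", 0) + f.encode() + b"\0"
        while len(data) % 4:
            data.append(0)
        ilt_rva = sec_rva + len(data)                      # import lookup table (OriginalFirstThunk)
        data += b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0\0\0\0"
        iat_rva = sec_rva + len(data)                      # import address table (FirstThunk)
        data += b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0\0\0\0"
        dll_rva = sec_rva + len(data)
        data += dll.encode() + b"\0"
        descs.append(struct.pack("<IIIII", ilt_rva, 0, 0, dll_rva, iat_rva))
    desc_bytes = b"".join(descs) + b"\0" * 20
    data[: len(desc_bytes)] = desc_bytes
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)     # i386, 1 section, PE32 opt hdr
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 0, 0, 0, len(data), 0, 0, 0, 0, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0, 3, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (sec_rva, len(desc_bytes))                  # IMAGE_DIRECTORY_ENTRY_IMPORT
    dirs_b = b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".idata\0\0", len(data), sec_rva, len(data),
                       sec_raw, 0, 0, 0, 0, 0xC0000040)
    hdr = dos + b"PE\0\0" + coff + opt + dirs_b + sect
    return bytes(hdr + b"\0" * (sec_raw - len(hdr)) + data)


def parse_imports(pe):
    """Walk the import directory of a PE32 or PE32+ file and return
    {dll_name: [function name or '#ordinal', ...]} in import-table order."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    is64 = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    import_rva = struct.unpack_from("<I", pe, opt + (112 if is64 else 96) + 8)[0]
    if import_rva == 0:
        return {}
    sections = []                                          # (VirtualAddress, size, PointerToRawData)
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva2off(rva):
        for va, size, raw in sections:
            if va <= rva < va + size:
                return raw + (rva - va)
        raise ValueError(f"RVA {rva:#x} outside every section")

    def cstr(off):
        return pe[off:pe.index(b"\0", off)].decode("ascii", "replace")

    thunk_fmt, thunk_len, ord_flag = ("<Q", 8, 1 << 63) if is64 else ("<I", 4, 1 << 31)
    result = {}
    off = rva2off(import_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", pe, off)
        if name_rva == 0 and iat == 0:                     # all-zero descriptor ends the table
            break
        funcs = []
        t = rva2off(ilt or iat)                            # some linkers leave the ILT empty
        while (val := struct.unpack_from(thunk_fmt, pe, t)[0]) != 0:
            funcs.append(f"#{val & 0xFFFF}" if val & ord_flag
                         else cstr(rva2off(val & 0x7FFFFFFF) + 2))  # +2 skips the hint
            t += thunk_len
        result[cstr(rva2off(name_rva))] = funcs
        off += 20
    return result


def triage_imports(imports):
    """Return the capability labels whose complete function set is imported."""
    present = {f for fs in imports.values() for f in fs}
    return sorted(label for label, need in CAPABILITIES.items() if need <= present)


# Constructed sample built from part of the import list the report gives for Clip[1].exe
SAMPLE_IMPORTS = {
    "KERNEL32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualProtect",
                     "FindFirstFileA", "FindNextFileA"],
    "COMCTL32.DLL": ["InitCommonControlsEx"],
    "comdlg32.dll": ["GetOpenFileNameA"],
}
SAMPLE_PE = build_sample_pe(SAMPLE_IMPORTS)

if __name__ == "__main__":
    found = parse_imports(SAMPLE_PE)
    for dll, funcs in found.items():
        print(dll, funcs)
    print("flags:", triage_imports(found))
```

To run it against a real file, replace SAMPLE_PE with the bytes read from disk; the parser handles both 32- and 64-bit images and reports ordinal-only imports as "#N". Note that the triage only sees what is in the static table: a sample that imports only LoadLibraryA and GetProcAddress and resolves everything else at runtime will show exactly the "dynamic API resolution" flag and little else, which is itself the signal step 5 describes.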


IOCs

No  Type             Indicator
1   url              https://openai-pc-pro.online/
2   domain           chat-gpt-pc.online
3   url              https://chat-gpt-online-pc.com/
4   url              http://chatgpt-go.online/clip.exe
5   FileHash-SHA256  d1b1813f7975b7117931477571a2476decff41f124b84cc7a2074dd00b5eba7c
6   FileHash-SHA256  ae4d01a50294c9e6f555fe294aa537d7671fed9bc06450e6e2198021431003f9
7   FileHash-SHA256  60e0279b7cff89ec8bc1c892244989d73f45c6fcc3e432eaca5ae113f71f38c5
8   FileHash-SHA256  53ab0aecf4f91a7ce0c391cc6507f79f669bac033c7b3be2517406426f7f37f0
9   FileHash-SHA256  46200951190736e19be7bcc9c0f97316628acce43fcf5b370faa450e74c5921e
10  FileHash-SHA256  3ec772d082aa20f4ff5cf01e0d1cac38b4f647ceb79fdd3ffd1aca455ae8f60b
11  FileHash-SHA256  34b88f680f93385494129bfe3188ce7a0f5934abed4bf6b8e9e78cf491b53727
12  FileHash-SHA1    f1a5a1187624fcf1a5804b9a15a4734d9da5aaf6
13  FileHash-SHA1    cebddeb999f4809cf7fd7186e20dc0cc8b88689d
14  FileHash-SHA1    c57a3bcf3f71ee1afc1a08c3a5e731df6363c047
15  FileHash-SHA1    afa741309997ac04a63b4dd9afa9490b6c6235c1
16  FileHash-SHA1    aeb646eeb4205f55f5ba983b1810afb560265091
17  FileHash-SHA1    23f50f990d4533491a76ba619c996b9213d25b49
18  FileHash-SHA1    189a16b466bbebba57701109e92e285c2909e8a2
19  FileHash-MD5     c8aa7a66e87a23e16ecacad6d1337dc4
20  FileHash-MD5     94e3791e3ceec63a17ca1a52c4a35089
21  FileHash-MD5     81e6a150d459642f2f3641c5a4621441
22  FileHash-MD5     6a481f28affc30aef0d3ec6914d239e4
23  FileHash-MD5     5f6f387edf4dc4382f9953bd57fa4c62
24  FileHash-MD5     4e8d09ca0543a48f649fce72483777f0
25  FileHash-MD5     174539797080a9bcbb3f32c5865700bf
26  url              https://chatgpt-go.online/
27  url              http://chatgpt-go.online/java.exe

Rules

A Sigma rule can be used to detect network activity associated with the indicators above. The rule looks for network events whose URL or domain matches the indicators, including the clip.exe and java.exe download paths. It restricts source IP addresses to internal network ranges to reduce false positives. When triggered, it emits relevant metadata such as the URL, source and destination IP addresses, and event type. Finally, the rule carries a list of known false positives to reduce noise and prevent legitimate traffic from triggering alerts.

A second detection rule matches files against the SHA-256, SHA-1, and MD5 hash values listed in the IOCs.
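The two rules described above, implemented as a small Python detector so the matching logic can be exercised offline. This is an added example, not the report's Sigma or hash rule: the proxy/DNS log line format, the RFC 1918 ranges used as "internal", the false-positive allow-list entries, and the sample log lines are all constructed for the example; the domains, URLs, and the hash subset come from the IOC table above.

```python
import hashlib
import ipaddress
from urllib.parse import urlparse

# Network indicators from the IOC table
IOC_DOMAINS = {"openai-pc-pro.online", "chat-gpt-pc.online",
               "chat-gpt-online-pc.com", "chatgpt-go.online"}
IOC_URL_PATHS = {("chatgpt-go.online", "/clip.exe"), ("chatgpt-go.online", "/java.exe")}
# File hash indicators (lower-case hex), keyed by hashlib algorithm name.
# Only a subset of the table is listed here; extend with the remaining rows.
IOC_HASHES = {
    "sha256": {"d1b1813f7975b7117931477571a2476decff41f124b84cc7a2074dd00b5eba7c",
               "ae4d01a50294c9e6f555fe294aa537d7671fed9bc06450e6e2198021431003f9"},
    "sha1": {"f1a5a1187624fcf1a5804b9a15a4734d9da5aaf6"},
    "md5": {"c8aa7a66e87a23e16ecacad6d1337dc4"},
}
# Assumption: "internal" means the RFC 1918 ranges
INTERNAL_RANGES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: legitimate hosts that must never alert (the report's rule carries
# such a list; these entries are this example's own choice)
FALSE_POSITIVE_HOSTS = {"chat.openai.com", "openai.com"}


def host_matches(host):
    """True if host equals an IOC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def check_network_event(event):
    """event: dict with src_ip, dst_ip, url (a full URL or a bare DNS name) and
    event_type. Returns the alert metadata the rule emits, or None."""
    src = ipaddress.ip_address(event["src_ip"])
    if not any(src in net for net in INTERNAL_RANGES):
        return None                                   # only internal sources are in scope
    raw = event["url"]
    parsed = urlparse(raw if "://" in raw else "//" + raw)
    host = (parsed.hostname or "").lower()
    if host in FALSE_POSITIVE_HOSTS:
        return None
    if (host, parsed.path) in IOC_URL_PATHS:
        reason = "ioc_url"
    elif host_matches(host):
        reason = "ioc_domain"
    else:
        return None
    return {"reason": reason, "url": raw, "src_ip": event["src_ip"],
            "dst_ip": event["dst_ip"], "event_type": event["event_type"]}


def parse_log_line(line):
    """Constructed log format: '<timestamp> <event_type> <src_ip> <dst_ip> <url-or-host>'."""
    ts, etype, src, dst, url = line.split(None, 4)
    return {"timestamp": ts, "event_type": etype, "src_ip": src, "dst_ip": dst, "url": url}


def scan_log(lines):
    """Run the network rule over log lines and return the list of alerts."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = check_network_event(parse_log_line(line))
            if alert:
                alerts.append(alert)
    return alerts


def check_file_hashes(data, iocs=IOC_HASHES):
    """Hash `data` with every algorithm in `iocs`; return (algorithm, digest)
    for the first hit, else None. A match on any one algorithm is enough."""
    for algo, digests in iocs.items():
        digest = hashlib.new(algo, data).hexdigest()
        if digest in digests:
            return algo, digest
    return None


# Constructed sample log lines (not real traffic): a clip.exe download from an
# internal host, a legitimate openai.com visit, a DNS lookup of an IOC domain,
# an external source that is out of scope, and a subdomain of an IOC domain.
SAMPLE_LOG = """\
2023-03-01T10:00:01Z proxy 10.1.2.3 203.0.113.10 http://chatgpt-go.online/clip.exe
2023-03-01T10:00:05Z proxy 10.1.2.3 104.18.0.1 https://chat.openai.com/
2023-03-01T10:01:00Z dns   192.168.5.9 192.168.5.1 chat-gpt-pc.online
2023-03-01T10:02:00Z proxy 198.51.100.7 203.0.113.10 https://openai-pc-pro.online/
2023-03-01T10:03:00Z proxy 172.20.0.4 203.0.113.10 https://www.chat-gpt-online-pc.com/download
""".splitlines()

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
    print(check_file_hashes(b"not the sample"))
```

The subdomain match is deliberate: blocking only the exact strings in the table misses www. or cdn. variants on the same registered domain. The hash check accepts a match on any single algorithm because the table lists different files under different algorithms; when you have all three digests for a file, record all three.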

Key Notes

1. Obtain a sample of the malicious executable. This can be done by downloading the file from the malicious website, extracting it from email attachments, or retrieving it from a sandbox.
2. Run the sample in a controlled environment, such as a virtual machine or sandbox, to prevent damage to the host system. Observe its behavior: whether it modifies files, creates new files, or establishes network connections.
3. Use static analysis techniques to examine the code. This can involve disassemblers or decompilers that translate the binary into readable assembly or a higher-level language. Look for suspicious code, such as calls to external libraries or encrypted strings.
4. Use dynamic analysis techniques to monitor the behavior of the malware in real time. This can involve running the malware in a debugger and setting breakpoints at specific points in the code to catch network connections or calls to system functions.
5. Identify the attack vector that delivered the malware to the victim. This can involve analyzing email headers or network traffic logs to determine the source.
6. Take appropriate action to contain and remove the malware. This may involve isolating the infected system, deleting infected files, or blocking network traffic to malicious domains.
7. Analyze the data collected during the analysis to identify indicators of compromise (IoCs). This can involve analyzing network traffic logs, examining system logs, or using threat intelligence feeds to identify known malicious domains or IP addresses.
8. Share the findings with relevant stakeholders, such as incident response teams or law enforcement agencies, to assist with their investigations.


01

Threat Intelligence Radar


Spotlight. Detect. Hunt.

You might also like