Cybercriminals are hijacking Facebook pages and using sponsored posts to offer downloads of ChatGPT and Google Bard AI, which in reality spread RedLine Stealer malware.
According to a report from security automation startup Veriti, threat actors are attempting to exploit the popularity of OpenAI’s chatbot ChatGPT and Google Bard to distribute malware and steal sensitive data. These attempts underscore the risks associated with generative AI platforms.
It should come as no surprise that ChatGPT's popularity has been exploited for malicious purposes since its launch. Separately, OpenAI, the company behind ChatGPT, recently introduced its first-ever bug bounty program.
Attack Mechanism
Veriti researchers have observed that attackers first hijack Facebook business or community pages, selecting pages that already have thousands of followers so the lure inherits their credibility. They then run seemingly legitimate sponsored ads from these pages, offering free downloads of ChatGPT and Google Bard. Visitors who take the bait download an archive, and extracting and running its contents installs the RedLine information-stealing malware on their device.
“These posts are designed to appear legitimate, using the buzz around OpenAI language models to deceive unsuspecting users into downloading the files. However, once the user downloads and extracts the file, the RedLine Stealer malware is activated and can steal passwords and download further malware onto the user’s device,” reads Veriti’s report.
For reference, RedLine Stealer is sold on online hacker forums as a malware-as-a-service (MaaS) platform, with a primary focus on targeting browsers to collect users’ data. This commoditized malware is often favoured by cybercriminals due to its low cost, priced at $100 to $150.
What are the Dangers?
When a victim runs the malicious file from one of these sponsored ads, their device is infected with the RedLine infostealer, which harvests confidential data and saved credentials. Those stolen credentials are what enable the follow-on damage the report warns of: compromised financial accounts and, where the victim has work logins on the same machine, a foothold into corporate or critical-infrastructure networks.
By targeting web browsers on the infected device, RedLine Stealer can steal credentials, credit card information, or other payment card details, as well as conduct system inventory to identify vulnerabilities for further attacks.
Furthermore, RedLine Stealer has the capability to upload/download files and execute commands, providing even novice hackers with extensive opportunities to carry out various types of cyberattacks.
Who are the Targets?
Researchers detected this campaign in January 2023 and observed a peak in March. So far, dozens of Facebook accounts have been hijacked across ten countries to distribute RedLine Stealer through malicious ads.
The highest number of victims were identified in Greece, followed by India, Mexico, the USA, and Bangladesh. The report also gives a separate breakdown of observed attacks by country that does not match this ranking: approximately 77% in the USA, with Canada at 9%, Mexico at 6%, India at 4%, and Portugal at 2%.
This campaign serves as an early warning of what may lie ahead, as the soaring popularity of AI-based chatbots has made them lucrative lures for threat actors. Because these products can plausibly be packaged in many forms, as open-source projects, desktop installers or mobile applications, attackers have a wide choice of formats in which to offer trojanized downloads.
The potential impact is significant: everything from private to financial data can be stolen, and stolen credentials can be turned against critical infrastructure.
Researchers suggest that enterprises should upgrade their cybersecurity practices, educate employees about the risks of downloading files from unverified or unknown sources, and ensure strong security configurations to prevent system compromise.
Restricting which executables users may download, and detonating downloaded executables in a sandbox before they are allowed to run on endpoints, can also reduce the risk of infecting corporate IT infrastructure.
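One concrete form of the "limit executables" advice is to inspect downloaded archives before anyone runs what is inside them. The lure in this campaign is an archive that the user extracts, so a check that flags executables inside the archive, by content rather than by trusting the file name, catches the common tricks (a double extension like `ChatGPT.pdf.exe`, or a PE file renamed to a harmless-looking extension). The script below is an added illustration written for this article, not Veriti's tooling or code from the campaign; the archive it scans is constructed inline and the fake PE inside it is a minimal MZ/PE header stub, not real malware.

```python
import io
import struct
import zipfile
from typing import Dict, List

# Extensions Windows will hand straight to an interpreter or loader on double-click.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".hta", ".lnk",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1",
}


def is_pe_file(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew field (offset 0x3C)
    points at a 'PE\\0\\0' signature, i.e. it is a Windows executable regardless of name."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def inspect_archive(archive_bytes: bytes) -> List[Dict]:
    """Return one finding per archive member that looks executable, with the reasons."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            suffix = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if suffix in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {suffix}")
                if len(parts) > 2:  # 'chatgpt.pdf.exe': the visible '.pdf' is a decoy
                    reasons.append("double extension")
            # Content check: only the first few KB are needed to find the PE signature.
            with zf.open(info) as fh:
                head = fh.read(4096)
            if is_pe_file(head):
                reasons.append("PE header (MZ/PE) regardless of extension")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample lure, not a real campaign artifact.
    The 'executable' is a bare MZ/PE header stub with no code."""
    fake_pe = bytearray(b"MZ" + b"\x00" * 0x3A)        # DOS header up to e_lfanew (0x3C bytes)
    fake_pe += struct.pack("<I", 0x80)                  # e_lfanew -> PE signature at 0x80
    fake_pe += b"\x00" * (0x80 - len(fake_pe))
    fake_pe += b"PE\x00\x00" + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ChatGPT Setup/README.txt", "Run the installer to get ChatGPT for free!")
        zf.writestr("ChatGPT Setup/ChatGPT.pdf.exe", bytes(fake_pe))   # double extension
        zf.writestr("ChatGPT Setup/Bard.dat", bytes(fake_pe))          # PE hidden behind .dat
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

The content check is the important half: a mail gateway or download proxy that only matches extensions will pass `Bard.dat`, while the MZ/PE test flags it. The script looks at one archive level only; nested or password-protected archives (a common evasion) need to be unpacked or blocked outright before this check is useful.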