Kaspersky Digital Footprint Intelligence experts have uncovered a series of websites on the shadow internet that appear to be selling fake access to the malicious AI tool WormGPT. These sites have phishing-like characteristics: they vary in design, pricing, and the currencies accepted for payment, and some require upfront payment for access to a trial version. This trend, while not an immediate threat to users, underscores the rising popularity of black-hat alternatives to GPT models and emphasizes the need for robust cybersecurity solutions.
The cybercriminal community has started leveraging AI capabilities to aid in their nefarious business, and the darknet currently provides a range of language models specifically designed for hacking purposes such as BEC (business email compromise), malware creation, phishing attacks, and beyond. One such model is WormGPT, a nefarious version of ChatGPT which, unlike its legitimate counterpart, lacks specific limitations, making it an effective tool for cybercriminals looking to carry out attacks such as BEC.
Phishers and scammers often exploit the popularity of certain products and brands, and WormGPT is no exception. On darknet forums and in illicit Telegram channels, Kaspersky experts have found websites and ads that offer fake access to the malicious AI tool, target other cybercriminals, and appear to be phishing sites.
These websites differ significantly in several ways and are designed as typical phishing pages. They have different designs and pricing. Payment methods also vary, ranging from cryptocurrencies, as originally proposed by the author of WormGPT, to credit cards and bank transfers.
Examples of the suspected WormGPT phishing pages' design and pricing. Source: Kaspersky Digital Footprint Intelligence
Moreover, suspected phishing pages advertise a trial version, but access is only granted after payment.
An example of a suspected phishing scheme using the WormGPT name. Source: Kaspersky Digital Footprint Intelligence
“On the dark web, it is impossible to distinguish malicious resources with absolute certainty. However, there are many indirect pieces of evidence that suggest that the discovered websites are indeed phishing pages. The authors behind the genuine WormGPT have issued a warning and shared some tips to verify the authenticity of the offers. It is a well-known fact that cybercriminals often deceive each other. However, recent phishing attempts may indicate the level of popularity of these malicious AI tools within the cybercriminal community. These models, to some extent, facilitate the automation of attacks, thereby emphasizing the increasing importance of trusted cybersecurity solutions,” explains Alisa Kulishenko, digital footprint analyst at Kaspersky.
To avoid threats related to cybercriminals' activities in the shadow segment of the internet, it is worth implementing the following security measures:
- Use Kaspersky Digital Footprint Intelligence to help security analysts explore an adversary’s view of their company resources and promptly discover the potential attack vectors available to them. This also helps raise awareness about existing threats from cybercriminals so that you can adjust your defenses accordingly or take countermeasures and elimination measures in a timely manner.
- Choose a reliable endpoint security solution such as Kaspersky Endpoint Security for Business that is equipped with behavior-based detection and anomaly control capabilities for effective protection against known and unknown threats.
- Dedicated services can help combat high-profile attacks. The Kaspersky Managed Detection and Response service can help identify and stop intrusions in their early stages, before the perpetrators achieve their goals. If you encounter an incident, the Kaspersky Incident Response service will help you respond and minimize the consequences, for instance by identifying compromised nodes and protecting the infrastructure from similar attacks in the future.