
Bad trick: Attackers use ChatGPT share links for malware

Trusted links, real domains – and still malware: Cybercriminals abuse ChatGPT share links to lure users into a perfidious download trap. Is this an underestimated danger or an easy-to-spot trick?

Functions of modern AI services are exploited

What seems like a harmless click on a well-known link can just as easily become a ticket to malware. Security researchers at Push Security are currently observing a new wave of attacks in which cybercriminals are specifically exploiting functions of modern AI services – especially the share links of chatbots such as ChatGPT. At the center is a campaign called “LLMShare”. Attackers use a simple but effective trick, as the security researchers have discovered. Specifically, ChatGPT share links are misused to embed manipulated content. To users, this looks like a normal shared conversation, including a familiar URL structure.

The path to the trap often begins with Google. The perpetrators use paid advertisements to place their links for search terms such as “ChatGPT Download” or “ChatGPT Desktop App”. This is old hat; this scam has of course been known for a long time. Anyone who clicks on it will not end up on an obvious phishing page, but on a real domain with a seemingly trustworthy link. Classic protection mechanisms, such as web filters or firewalls, often do not work because the domain itself is considered reputable.

Tricky indication of high server load

A credible “disturbance” is then simulated on the page itself, for example through notices of high server load. Users are prompted to download a desktop application to continue. However, the supposed download leads to an external site that looks very similar to official offers but has nothing to do with the original site. Malware is ultimately distributed there, for both Windows and macOS systems. The attackers can do this so easily because many users are not yet fully familiar with ChatGPT and its sharing functions.

Technically, the attackers are becoming increasingly sophisticated. When it starts, the malware checks whether it is running in a real user environment or in an analysis environment. Security software and virtual test systems are meant to be recognized and bypassed in this way. While various system checks are carried out under Windows, the macOS version aims to read out sensitive data directly.
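Because the share link sits on a reputable domain, a domain blocklist does not help; what a defender can look for is the sequence described above. The following is an added example, not code from the article or from Push Security: it correlates web proxy records to flag a ChatGPT share-link visit followed shortly by an installer download from a host outside the vendor's domains. The log layout, the `gclid` ad-click marker on the landing URL, the file extensions, the vendor domain list and the 10-minute window are assumptions, and all sample records are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Assumptions for this example, not values from the article:
VENDOR_DOMAINS = ("chatgpt.com", "openai.com")    # hosts treated as legitimate
INSTALLER_EXT = (".exe", ".msi", ".dmg", ".pkg")  # Windows/macOS installer types
WINDOW = timedelta(minutes=10)                    # share visit -> download gap

# Constructed proxy records (time, user, URL); every host and ID is made up.
S = "https://chatgpt.com/share/"
SAMPLE_LOG = [
    ("2025-01-10T09:00:05", "alice", S + "constructed-id-1?gclid=CONSTRUCTED"),
    ("2025-01-10T09:01:40", "alice", "https://chatgpt-desktop.example/ChatGPT-Setup.exe"),
    ("2025-01-10T09:03:00", "bob", S + "constructed-id-2"),
    ("2025-01-10T09:30:00", "bob", "https://downloads.example/tool.dmg"),   # too late
    ("2025-01-10T10:00:00", "carol", S + "constructed-id-3"),
    ("2025-01-10T10:02:00", "carol", "https://cdn.openai.com/constructed/ChatGPT.dmg"),
    ("2025-01-10T11:00:00", "dave", S + "constructed-id-4"),
    ("2025-01-10T11:05:00", "dave", "https://files.example/ChatGPT.pkg"),
]

def is_vendor(host):
    # Exact match or true subdomain only, so "chatgpt.com.evil.example" fails.
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)

def is_share_link(url):
    u = urlparse(url)
    return (u.hostname or "") == "chatgpt.com" and u.path.startswith("/share/")

def is_external_installer(url):
    u = urlparse(url)
    return u.path.lower().endswith(INSTALLER_EXT) and not is_vendor(u.hostname or "")

def find_chains(records):
    """Return (user, share_url, download_url, from_ad) per suspicious chain."""
    last_share = {}  # user -> (time, share URL, arrived via ad click?)
    findings = []
    for ts, user, url in sorted(records):
        when = datetime.fromisoformat(ts)
        if is_share_link(url):
            from_ad = "gclid" in parse_qs(urlparse(url).query)
            last_share[user] = (when, url, from_ad)
        elif is_external_installer(url) and user in last_share:
            seen, share_url, from_ad = last_share[user]
            if when - seen <= WINDOW:
                findings.append((user, share_url, url, from_ad))
    return findings

if __name__ == "__main__":
    for finding in find_chains(SAMPLE_LOG):
        print(finding)
```

A hit with `from_ad` set matches the full chain from search ad to download and deserves priority; a hit without it still warrants a look at the downloaded file.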

Caution is advised

This means one thing above all for users: a trusted link is no longer a guarantee of security. It’s worth taking a second look, especially when it comes to downloads from search ads or supposedly official sources – especially if unusual detours or additional installations are required.
