
ChatGPT share links abused to host fake outage pages to deliver malware

Why This Matters

Threat actors are exploiting ChatGPT's sharing features to host fake outage pages that deceive users into downloading malware disguised as legitimate applications. This sophisticated attack leverages ChatGPT's rendering capabilities and legitimate domains to bypass traditional security measures, posing a significant risk to users and highlighting vulnerabilities in AI-powered content sharing. The incident underscores the need for increased vigilance and improved security protocols around AI-enabled platforms.

Key Takeaways

Threat actors are abusing ChatGPT's content-sharing feature to display fake OpenAI outage pages that direct users to download malware disguised as the ChatGPT desktop application.

The "LLMShare" campaign, discovered by Push Security, uses Google ads to direct users searching for ChatGPT to a malicious shared ChatGPT page hosted on chatgpt.com, allowing the attack to be delivered through a legitimate OpenAI domain.

Fake sponsored ChatGPT advertisement

Users who click the advertisement are taken to a legitimate ChatGPT shared page, but instead of seeing a chat conversation, they are presented with a rendered outage notice claiming the web version is unavailable and that they should download the desktop application instead.

"We're experiencing high traffic right now," reads the fake outage message.

"Our website is temporarily unavailable due to a large number of users. Download our desktop app to continue."

Fake outage message

Unlike traditional phishing pages hosted on attacker-controlled infrastructure, the fake outage notice is rendered through ChatGPT itself.

The attackers created a custom HTML page using ChatGPT's rendering capabilities and published it through a shared chatgpt.com/s/ link, allowing the fake outage notice to be displayed from a legitimate ChatGPT URL.

Push Security noted that the page includes "Show code" and "Remix with ChatGPT" controls, revealing that the fake outage notice is actually generated from custom HTML and CSS rendered by a ChatGPT prompt.
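Because the lure lives on chatgpt.com, blocking by domain reputation does not help; a defender can instead correlate behaviour. The following is an added example, not code from the article or from Push Security: it flags users who open a `chatgpt.com/s/` share link and then fetch an installer from a host outside an allowlist within a short window. The log format, the allowlist, the extension list, the 10-minute window and every sample line are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumptions (tune for your environment): which hosts may serve the real
# desktop app, which file types count as installers, and the time window.
TRUSTED_HOSTS = {"chatgpt.com", "openai.com"}
INSTALLER_EXT = (".exe", ".msi", ".dmg", ".pkg", ".zip")
WINDOW = timedelta(minutes=10)

# Constructed proxy log: "<ISO timestamp> <user> <url>"
SAMPLE_LOG = """\
2025-01-01T10:00:00 alice https://chatgpt.com/s/EXAMPLE1
2025-01-01T10:01:30 alice https://downloads.example.net/ChatGPT-Setup.exe
2025-01-01T10:02:00 bob https://chatgpt.com/c/1234
2025-01-01T10:03:00 bob https://files.example.org/tool.msi
2025-01-01T11:00:00 carol https://chatgpt.com/s/EXAMPLE2
2025-01-01T12:30:00 carol https://downloads.example.net/app.dmg
2025-01-01T13:00:00 dave https://chatgpt.com/s/EXAMPLE3
2025-01-01T13:00:40 dave https://cdn.openai.com/app.dmg
"""

def is_trusted(host):
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def find_suspect_downloads(log_text):
    """Return (user, share_url, download_url) for each installer fetched
    from an untrusted host within WINDOW of a chatgpt.com/s/ visit."""
    last_share = {}  # user -> (time, url) of most recent share-link visit
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        when = datetime.fromisoformat(parts[0])
        user, url = parts[1], parts[2]
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        if host == "chatgpt.com" and u.path.startswith("/s/"):
            last_share[user] = (when, url)
        elif u.path.lower().endswith(INSTALLER_EXT) and not is_trusted(host):
            seen = last_share.get(user)
            if seen and timedelta(0) <= when - seen[0] <= WINDOW:
                alerts.append((user, seen[1], url))
    return alerts

if __name__ == "__main__":
    for alert in find_suspect_downloads(SAMPLE_LOG):
        print("ALERT", *alert)
```

On the sample data only alice is flagged: bob never opened a share link, carol's download falls outside the window, and dave's installer comes from an allowlisted host.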
