Suspected Phishing That Mimics WormGPT Surfaces on the Darknet


Kaspersky Digital Footprint Intelligence experts have uncovered a series of websites on the shadow internet that appear to be selling fake access to the malicious AI tool WormGPT. These sites have phishing-like characteristics, including varying designs, pricing, and currencies used for payment, and some require upfront payment for access to a trial version. While not an immediate threat to users, this trend underscores the rising popularity of black-hat alternatives to GPT models and emphasises the need for robust cybersecurity solutions.

The cybercriminal community has started leveraging AI capabilities to aid in their nefarious business, and the darknet currently provides a range of language models specifically designed for hacking purposes, such as business email compromise (BEC), malware creation, phishing attacks, and beyond. One such model is WormGPT, a nefarious version of ChatGPT which, unlike its legitimate counterpart, lacks specific limitations, making it an effective tool for cybercriminals looking to carry out attacks such as BEC.

Phishers and scammers often exploit the popularity of certain products and brands, and WormGPT is no exception. On darknet forums and in illicit Telegram channels, Kaspersky experts have found phishing websites and ads that offer fake access to the malicious AI tool and target other cybercriminals.

These websites differ significantly in several ways and are designed as typical phishing pages. They have different designs and pricing. Payment methods also vary, ranging from cryptocurrencies, as originally proposed by the author of WormGPT, to credit cards and bank transfers. 

Moreover, the suspected phishing pages advertise a trial version, but access is only granted after payment.

“In the dark web, it is impossible to distinguish malicious resources with absolute certainty. However, many indirect pieces of evidence suggest that the discovered websites are indeed phishing pages. It is a well-known fact that cybercriminals often deceive each other. However, recent phishing attempts may indicate the level of popularity of these malicious AI tools within the cybercriminal community. These models, to some extent, facilitate the automation of attacks, thereby emphasising the increasing importance of trusted cybersecurity solutions”, explains Alisa Kulishenko, digital footprint analyst at Kaspersky.

To avoid threats related to cybercriminals’ activities in the shadow segment of the internet, it is worth implementing the following security measures:

  • Use Kaspersky Digital Footprint Intelligence to help security analysts explore an adversary’s view of their company resources and promptly discover the potential attack vectors available to them. This also helps raise awareness about existing threats from cybercriminals so that you can adjust your defences accordingly or take counter and elimination measures in a timely manner.
  • Choose a reliable endpoint security solution, such as Kaspersky Endpoint Security for Business, equipped with behaviour-based detection and anomaly control capabilities for effective protection against known and unknown threats.
  • Dedicated services can help combat high-profile attacks. The Kaspersky Managed Detection and Response service can help identify and stop intrusions in their early stages before the perpetrators achieve their goals. If you encounter an incident, the Kaspersky Incident Response service will help you respond and minimise the consequences, for instance, identify compromised nodes and protect the infrastructure from similar attacks in the future.