Infostealers traded on the dark web have compromised 101,134 infected devices running ChatGPT accounts over the past year.
The Raccoon stealer breached the most accounts by far, a sign that even though the group developing Raccoon has been degraded, these infostealers have a long tail once purchased on the dark web.
Infostealers are a type of malware that collects credentials saved in browsers, bank card details, crypto wallet information, cookies, browsing history, and other information from browsers installed on infected computers. It then sends all this data to the malware operator. Stealers can also collect data from instant messengers and emails, along with detailed information about the victim’s device.
The number of available logs containing compromised ChatGPT accounts reached a peak of 26,802 in May 2023, the researchers said.
Overall, India accounted for 12,632 of the stolen accounts. Other countries with the most number of compromised ChatGPT credentials include Pakistan, Brazil, Vietnam, Egypt, the United States, France, Morocco, Indonesia and Bangladesh.
The researchers said that 78,348 of the accounts were breached by the Raccoon infostealer, while 12,984 were hit by Vidar and RedLine accounted for 6,773. According to Group-IB’s latest findings, ChatGPT accounts have already gained significant popularity within underground communities.
“Many enterprises are integrating ChatGPT into their operational flow,” said Dmitry Shestakov, head of threat intelligence at Group-IB. "Employees enter classified correspondence or use the bot to optimize proprietary code. Given that ChatGPT’s standard configuration retains all conversations, this could inadvertently offer a trove of sensitive intelligence to threat actors if they obtain account credentials.”
How Raccoon was named the most highly used to compromise ChatGPT accounts is likely that it was installed on systems and just not detected and removed, said Ira Winkler, chief information security officer at CYE. Winkler said there are a variety of ways that people can exploit already installed installations, which might include taking over the Raccoon command-and-control servers, domains, or IP addresses.
“Raccoon was just a prominent form of spyware that was available to steal new accounts, so it did,” Winkler said. “If people or companies don’t have active anti-malware and other cybersecurity tools and processes in place, they are vulnerable to widely known attacks. And while I don’t know the functionality of the malware, I assume from this that criminals can set how they control the installed malware, which allows them to access the malware indefinitely, until the victim discovers the malware and removes it.”
Avkash Kathiriya, senior vice president of research and innovation at Cyware, added that tools such as the Raccoon stealer have become so widespread that they continue to live on, even after they have been blocked by more security-conscious organizations. Kathiriya said ChatGPT still operates in the "wild west" phase with rapid, mass adoption by users outside of normal IT security channels.
“This seems like relatively low-hanging fruit for less sophisticated hackers, using readily available tools, Kathiriya said. “The hacking of 100,000 users is probably only the tip of the iceberg, given the mass, uncontrolled adoption of ChatGPT. Many people have been rushing to incorporate it into critical processes without vetting or validation. It shouldn't be surprising that there are also significant issues around security, privacy and intellectual property. Until these are thoughtfully addressed, we'll continue to see this prototype technology applied carelessly and dangerously.”
Mike Parkin, senior technical engineer at Vulcan Cyber, said while the Raccoon operation went off the air in early 2022, they reemerged by mid-2022 with a V2, aka RecordBreaker. It appears to be an ongoing concern, even after one of its members was indicted by a grand jury in the United States in late 2022, and they don't have the influence they once had, he continued.
“It seems that Raccoon lived on in some form, rather than actually disappearing after their announcement in early 2022,” Parkin said. “Whether it's the same team operating now, or someone else has taken up the reins, it appears they have not really gone away.”