Kaspersky has detected a scam tactic leveraging the OpenAI platform. Attackers are abusing OpenAI's organisation creation and team invitation features to send spam emails from legitimate OpenAI addresses, potentially tricking users into clicking scam links or calling fraudulent phone numbers.
The spam campaign begins with attackers registering an account on the OpenAI platform. During registration, users are prompted to enter an organisation name, which can consist of any combination of symbols. Scammers exploit this by embedding deceptive text and fraudulent links or phone numbers directly into the field for organisation name itself.
Once the "organisation" is created, OpenAI provides an option to "invite your team," allowing the input of target email addresses of victims. When invitations are sent, they originate from OpenAI's address, making them appear fully legitimate from a technical standpoint. Kaspersky detected several types of messages containing email threats sent in such a way. These are scam emails that promote fraudulent offers, such as adult services. Another attack angle is vishing – false notifications claiming a subscription has been renewed for a large sum: attackers instruct recipients to call a provided phone number to "cancel" the charge or take other actions that lead to further compromise. There may also be other email threats spreading via OpenAI platform.
The text that the attackers want the victims to read (highlighted in bold in the email template) is structurally inconsistent with the rest of the email template – which was originally designed to invite project collaborators. But the attackers bet on the fact that the victims would not pay attention.
An example of a scam email
"This case highlights a vulnerability in how platform features can be weaponised for social engineering email attacks. By embedding deceptive elements in seemingly innocuous fields like organisation names, scammers attempt to bypass traditional email filters and exploit user trust in reputable services. We urge all users to verify invitations carefully and avoid clicking embedded links without scrutiny. We also recommend brands to consider whether their online services or platforms could be abused by attackers," comments Anna Lazaricheva, senior spam analyst at Kaspersky.
Kaspersky recommends:
- Treat unsolicited invitations from any platform with suspicion, even if they appear to come from trusted sources.
- Carefully inspect URLs before clicking.
- Do not call any phone numbers indicated in suspicious emails – if you need to call support of a certain service, it is best to find the phone number on the official webpage of this service.
- Report suspicious emails to the platform provider and use multi-factor authentication for all accounts.
- For corporate users, Kaspersky Security for Mail Server with its multi-layered defence mechanisms powered by machine learning algorithms provides robust protection against a wide range of evolving threats and offers peace of mind to businesses in the face of evolving cyber risks.
- For individual users, Kaspersky Premium offers AI-powered anti phishing features designed to help avoid phishing attacks and improve overall cybersecurity.
