4M Accounts Compromised in #LilyCollinsHack: Fake ChatGPT Apps & Websites Alert

Header

Author: Trend Micro

April 20, 2023

ChatGPT is everywhere in the news lately, understandably as its ingenious uses appear limitless. In our previous two articles, we covered the what and how, and also the effects of ChatGPT on children and education.  

Unfortunately however, it’s not all positives: the chatbot can also be used to write malicious coding and create viruses, while researchers have also warned that cybercriminals can use ChatGPT to compose the text for phishing emails at a fraction of the cost — meaning more phishing emails and more cyber threats. Then there’s the problem of fake ChatGPT apps and websites.  

#LilyCollinsHack: accounts compromised by fake ChatGPT apps

Have you seen people using the hashtag #LilyCollinsHack on social media recently? Its widespread sharing stems from Facebook users having their accounts hacked, and their names/profile pictures changed to resemble actress Lily Collins’s account. Reports state that over 4 million accounts have been affected – the number is so high because the attack commenced after victims were duped into downloading fake ChatGPT apps that were disguised as Chrome extensions.

Using fake ChatGPT apps in order to steal personal credentials is a known recent tactic used by hackers and cybercriminals, and this latest event is just the tip of the iceberg.

Victims discussing #LilyCollinsHack on Reddit.

Fake ChatGPT Apps 

In our investigations, we have found that there is a proliferation of fake ChatGPT apps. It is important to note that there is currently NO official ChatGPT app, neither is there a download — it is ONLY available on the official webpage

We have tracked various suspicious ChatGPT apps, some being malicious Trojan viruses and others PUAs (“potentially unwanted app”). PUAs are not considered malware, but still pose a lower security and privacy risk: they result in your device’s operating system slowing down, or in the appearance of unexpected and intrusive ads.  

Trojan apps have the capacity to install malicious software onto your device, and even to encrypt your data/device. A trojan is a nasty malware type that can put users, user data, or devices, at high risk of serious damage. The ChatGPT trojan apps we have discovered are in fact not new — but merely under a new disguise. Previously, they were listed as YouTube and Netflix “premium” apps (also fake).   

The “ChatGPT” trojan app discreetly subscribes its target to various premium services through SMS billing fraud. While the “AI photo” trojan app belongs to the Spynote malware, which can be used to steal files, SMS messages, call records, and contact lists from the target device. 

In short, these are fake, harmful apps that should be avoided at all costs. There is no reason to download an app relating to ChatGPT, until OpenAI themselves release such a thing — for which there are currently NO plans.  

Fake ChatGPT Websites 

A suspicious ChatGPT Facebook page. Source: Tripwire

Researchers have also found multiple suspicious ChatGPT websites and pages, with fake URLs like “chat-gpt-pc[.]online”. These malicious websites offer a download of ChatGPT — despite it being solely browser-based. The intention is to infect your computer with malware: don’t let them.  

 

Source:Twitter

Others are fake payment pages where you can supposedly upgrade to ChatGPT Plus, but will in fact lose your money and/or compromise your data.   

Fake ChatGPT Plus payment page. Source: Cyble

As with the apps, stay away from these websites at all costs. Be sure to only use the official website from OpenAI: https://openai.com/blog/chatgpt.   

Protect Yourself from Fakes 

Trend Micro Mobile Security will give you the defense you need against fake/malicious apps and phone malware. Download Trend Micro Mobile Security today — and guard against cyberthreats with:  

  • Real-time Web Threat Protection 
  • Cloud-based AI, Smart Protection Network™, which keeps track of evolving threats 
  • Trend Micro Pay Guard, which opens payment windows 
  • Anti-phishing/spam software  

Folder shields that protect your most sensitive date 
 
We would also encourage readers to use our FREETrend Micro Check tool and detect scams with ease: Trend Micro Check is an all-in-one browser extension and mobile app for detecting scams, phishing attacks, malware, and dangerous links. 

http://

After you’ve pinned the Trend Micro Check extension, it will block dangerous sites automatically! (Available on Safari, Google Chrome, and Microsoft Edge.) 

http://

You can also download the Trend Micro Check mobile app for 24/7 automatic scam and spam detection and filtering. (Available for Android and iOS).   

Protecting Your Social Media and Personal Info

We would encourage readers to head over to our new FREE ID Protection platform, which has been designed to meet challenges such as those above. With it, you can secure your social media accounts with our Social Media Account Monitoring tool, with which you’ll receive a personal report:

Aside from this, you can also:

  • Check to see if your data (email, number, password, social media) has been exposed in a leak,
  • Receive the strongest tough-to-hack password suggestions from our advanced AI.

All this for free — give it a go today. As always, we hope this article has been an interesting and/or useful read. If so, please do SHARE it with family and friends to help keep the online community secure and informed — and consider leaving a like or comment below. Here’s to a secure 2023!

This article was published in collaboration with Trend Micro.

Image source: unsplash.com

Report a Scam!

Have you fallen for a hoax, bought a fake product? Report the site and warn others!

Help & Info

Popular Stories

As the influence of the internet rises, so does the prevalence of online scams. There are fraudsters making all kinds of claims to trap victims online - from fake investment opportunities to online stores - and the internet allows them to operate from any part of the world with anonymity. The ability to spot online scams is an important skill to have as the virtual world is increasingly becoming a part of every facet of our lives. The below tips will help you identify the signs which can indicate that a website could be a scam. Common Sense: Too Good To Be True When looking for goods online, a great deal can be very enticing. A Gucci bag or a new iPhone for half the price? Who wouldn’t want to grab such a deal? Scammers know this too and try to take advantage of the fact. If an online deal looks too good to be true, think twice and double-check things. The easiest way to do this is to simply check out the same product at competing websites (that you trust). If the difference in prices is huge, it might be better to double-check the rest of the website. Check Out the Social Media Links Social media is a core part of ecommerce businesses these days and consumers often expect online shops to have a social media presence. Scammers know this and often insert logos of social media sites on their websites. Scratching beneath the surface often reveals this fu

So the worst has come to pass - you realise you parted with your money too fast, and the site you used was a scam - what now? Well first of all, don’t despair!! If you think you have been scammed, the first port of call when having an issue is to simply ask for a refund. This is the first and easiest step to determine whether you are dealing with a genuine company or scammers. Sadly, getting your money back from a scammer is not as simple as just asking.  If you are indeed dealing with scammers, the procedure (and chance) of getting your money back varies depending on the payment method you used. PayPal Debit card/Credit card Bank transfer Wire transfer Google Pay Bitcoin PayPal If you used PayPal, you have a strong chance of getting your money back if you were scammed. On their website, you can file a dispute within 180 calendar days of your purchase. Conditions to file a dispute: The simplest situation is that you ordered from an online store and it has not arrived. In this case this is what PayPal states: "If your order never shows up and the seller can't provide proof of shipment or delivery, you'll get a full refund. It's that simple." The scammer has sent you a completely different item. For example, you ordered a PlayStation 4, but instead received only a Playstation controller.  The condition of the item was misrepresented on the product page. This could be the