Cybercriminals are Discussing How to Bypass ChatGPT Safeguards

Checkpoint researchers came across discussions seeking ways to see if ChatGPT payment, location and other API restrictions could be bypassed.

January 17, 2023

OpenAI’s ChatGPT made waves in the past few months, enough for cybercriminals to look for avenues of exploitation. Only weeks after the artificial intelligence-powered chatbot was found to have been used to create malware, threat actors are now exploring how to bypass security restrictions to access and use it in other malicious ways.

According to Checkpoint Technologies’ research, underground cybercriminal forums are rife with discussions of Russian hackers trying to circumvent the API restrictions OpenAI has put in place so they can use ChatGPT for malicious purposes.

Currently, access to ChatGPT is contingent on the user’s IP address, payment cards and phone numbers. Checkpoint researchers came across discussions seeking ways to see if all of these restrictions could be bypassed.

“It is not extremely difficult to bypass OpenAI’s restricting measures for specific countries to access ChatGPT. Right now, we are seeing Russian hackers already discussing and checking how to get past the geofencing to use ChatGPT for their malicious purposes,” Checkpoint said.

“We believe these hackers are most likely trying to implement and test ChatGPT into their day-to-day criminal operations. Cybercriminals are growing more and more interested in ChatGPT, because the AI technology behind it can make a hacker more cost-efficient.”

ChatGPT’s response generation prowess, for text and even computer code, helped OpenAI have a blockbuster release for the AI tool, propelling it to over one million users in just five days of its launch. The overwhelming response fried the underlying servers, with users getting the “Chat GPT is at capacity right now” messages or being unable to log in.

Upon logging into ChatGPT on January 16, 2023, the website showed the following message (in orange):

[Image: OpenAI ChatGPT downtime. Caption: ChatGPT Message (as on Jan 16, 2023)]

It is unclear how many users ChatGPT currently has, though the Microsoft-funded OpenAI opened up a waitlist for a professional, paid version last week.

Earlier in January 2023, Checkpoint detailed how amateur and even seasoned cybercriminals are using the chatbot to create malware, including infostealers targeting Microsoft Office documents, PDFs, and images, and a Python script that performs cryptographic operations (in other words, an encryption tool), as well as to develop dark web marketplaces and push fraudulent schemes.


Another potential malicious ChatGPT use could be the generation of spam and phishing messages or the amplification of other attacks with automated content generated through its reinforcement and supervised learning techniques. Checkpoint demonstrated this by using the chatbot alongside Codex, a code-generation deep learning model developed by OpenAI at the heart of AI pair programmer GitHub Copilot.

“The expanding role of large language model (LLM) and AI in the cyber world is full of opportunity, but also comes with risks,” Checkpoint concluded, calling ChatGPT a “talented phisher.”

“Multiple scripts can be generated easily, with slight variations using different wordings. Complicated attack processes can also be automated as well, using the LLMs APIs to generate other malicious artifacts. Defenders and threat hunters should be vigilant and cautious about adopting this technology quickly, otherwise, our community will be one step behind the attackers.”

When we asked ChatGPT, “what is the potential impact of ChatGPT on cybersecurity?” the chatbot replied positively that it can be trained to identify malicious packages. But it warned of potential misuse by attackers.

Additionally, we asked ChatGPT how it can be used in cyberattacks. The chatbot replied:

[Image: Use of ChatGPT in cyberattacks]

However, before ChatGPT’s malicious use becomes widespread, threat actors must figure out a way to undermine OpenAI’s defenses against misuse. That’s precisely where we are right now. Some are even offering semi-legal online SMS services in Russian on how to register for ChatGPT.

Going by Checkpoint’s research, expect to see stolen credit cards being used to make threat actors upgraded OpenAI users. And before they can upgrade themselves, hackers would first have to figure out how to bypass geofencing limitations, which restrict access in certain countries.


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis
