Threat actors have been using LLMs to create more convincing phishing attacks for some time now. We have now observed them using ChatGPT subscription renewals as a phishing lure to entice users of the LLM to disclose their credit card data. The example below stated that the recipient's subscription would expire soon and urged them to click a button to renew. However, upon closer inspection, we can see that the URL leads to an unrelated [.]info TLD instead of the legitimate ChatGPT site.

This attack went directly after credit card information with a reasonable-looking request for less than USD $25. Once disclosed, the victim's credit card would be used to make fraudulent purchases at online retailers. These fraudulent purchases are sometimes accompanied by a distributed spam distraction (DSD) attack to conceal the activity from the victim.

Remember, if you suspect a subscription is due for renewal, always navigate directly to that site to submit payment instead of following links within an email.
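The mismatch described above, a message that names ChatGPT while its renewal button points somewhere else, can be checked automatically at the mail gateway. The sketch below is an added example, not code from the original post; the allowlist contents, the function names and the sample message (which uses the reserved `.example` TLD) are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains accepted as legitimate for the brand named in the lure.
BRAND_ALLOWLIST = {"chatgpt": {"chatgpt.com", "openai.com"}}

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href, self._text = None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_allowed(host, allowed):
    # Exact match or true subdomain only, so "openai.com.evil.example" fails.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def suspicious_links(subject, html_body):
    """Return (brand, link text, host) for web links that leave the brand's domains."""
    text = (subject + " " + html_body).lower()
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for brand, allowed in BRAND_ALLOWLIST.items():
        if brand not in text:
            continue  # message does not mention this brand
        for href, label in parser.links:
            parts = urlsplit(href)
            if parts.scheme in ("http", "https") and not host_allowed(parts.hostname, allowed):
                findings.append((brand, label, parts.hostname))
    return findings

# Constructed sample message; hosts use the reserved .example TLD.
SAMPLE_SUBJECT = "Your ChatGPT subscription expires soon"
SAMPLE_HTML = """<p>Your ChatGPT Plus plan will expire soon.</p>
<a href="https://chatgpt-renewal.example/pay?id=1">Renew now</a>
<a href="https://help.openai.com/en/">Help center</a>
<a href="https://openai.com.account-check.example/login">Manage account</a>"""

if __name__ == "__main__":
    for brand, label, host in suspicious_links(SAMPLE_SUBJECT, SAMPLE_HTML):
        print(f"{brand} lure: '{label}' -> {host}")
```

A production filter would compare registrable domains using the Public Suffix List and resolve redirectors and URL shorteners before judging the final destination.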