Kaspersky Finds a Scam that Exploits OpenAI's Team Invitation Feature

JAKARTA - Kaspersky has detected a fraud tactic that takes advantage of the OpenAI platform, where attackers abuse the group invitation feature.

This spam campaign started with the attacker registering an account on the OpenAI platform. During registration, users are asked to enter the name of the organization, which can consist of any combination of symbols.

Scammers exploit this by embedding misleading text and fake links or phone numbers directly in the organization name field.

Once the "organization" is created, OpenAI provides an option to "invite your team," which accepts email addresses. This lets the attacker target specific recipients.

The invitation is sent from OpenAI's official address, so it looks legitimate. However, Kaspersky detected threats in these emails, such as a scam promoting a fake offer.

In addition, the global cybersecurity company also found cases where attackers carried out vishing (voice phishing) attacks.

In this scheme, the attacker instructs the recipient to call a given phone number to "cancel" the bill or perform other actions that cause further security risks.

"This case highlights the vulnerability of how platform features can be used as a weapon for social engineering email attacks," said Anna Lazaricheva, senior spam analyst at Kaspersky.

Anna recommends that service providers - such as OpenAI - consider whether their online services or platforms can be abused by attackers.
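As an added illustration of that recommendation (not code from Kaspersky or OpenAI), the sketch below shows a provider-side check that screens a user-supplied organization name before it is placed in an invitation email sent from the platform's own address. The function name, length limit, patterns and sample names are assumptions constructed for this example.

```python
import re
import unicodedata

MAX_LEN = 64  # assumed limit for this sketch, not a real platform value

# Explicit scheme / www prefix, or anything shaped like host.tld.
# Deliberately strict: a name such as "Dr.Smith Labs" would also be flagged.
URL_RE = re.compile(
    r"(?i)\b(?:https?://|www\.)\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b")
# Seven or more digits, allowing the separators used in phone numbers.
PHONE_RE = re.compile(r"(?<!\d)\+?\d(?:[\s().-]*\d){6,}(?!\d)")
# Call-to-action wording typical of billing and vishing lures.
LURE_RE = re.compile(r"(?i)\b(call|invoice|refund|cancel|payment|charged|verify)\b")


def org_name_findings(raw: str) -> list[str]:
    """Return the reasons a proposed organization name should be rejected."""
    # NFKC folds full-width and other look-alike forms to plain characters,
    # so "ｗｗｗ" is checked as "www".
    name = unicodedata.normalize("NFKC", raw)
    findings = []
    if len(name) > MAX_LEN:
        findings.append("too_long")
    # Control/format characters (e.g. zero-width space) can split a number
    # or link to dodge pattern matching; flag them, then strip before matching.
    hidden = [c for c in name if unicodedata.category(c) in ("Cc", "Cf")]
    if hidden:
        findings.append("hidden_char")
        name = "".join(c for c in name if c not in hidden)
    if URL_RE.search(name):
        findings.append("url")
    if PHONE_RE.search(name):
        findings.append("phone")
    if LURE_RE.search(name):
        findings.append("lure_word")
    return findings


if __name__ == "__main__":
    # Constructed sample names; the phone number and domain are fictitious.
    samples = [
        "Acme Research Lab",
        "Your plan was charged $499. Call +1 (800) 555-0100 to cancel",
        "Claim gift \uff57\uff57\uff57.example.com",
        "Support 800\u200b555\u200b0100",
    ]
    for s in samples:
        print(repr(s), "->", org_name_findings(s) or "accepted")
```

The same findings can be used on the receiving side to score invitation emails whose organization name carries a link or phone number, since sender-address checks alone pass these messages.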