West Wind, from Ao Fei Si. Qubits | Official account QbitAI. It's outrageous: the official OpenAI account was hacked by coin miners overnight! It's the OpenAI Newsroom account that was just opened specifically for publishing news. ....

West Wind, from Ao Fei Si

Qubit | Official account QbitAI

This is outrageous: OpenAI's official 𝕏 account was hacked by coin miners overnight!

It was the OpenAI Newsroom account, which had only just been opened to publish news.

In the middle of the night it suddenly posted this tweet:

We are very happy to announce the launch of 💲openai: a token that connects artificial intelligence and blockchain technology. All OpenAI users are eligible to claim a portion of 💲openai’s initial supply. Holding 💲openai will gain access to all our future testing programs.

It then posted a link to the phishing website.

The tweet is no longer visible; only one sentence remains:

The comment has been closed due to malicious links. Good luck to everyone!

This official account is not the only one. Within 15 months, at least 4 OpenAI-related 𝕏 accounts were stolen.

OpenAI employee accounts have also been hit one after another recently. The accounts of chief scientist Jakub Pachocki, CTO Mira Murati, and researcher Jason Wei were all targeted.

Judging by the identical playbook, it appears to be the work of the same group. One netizen said that in the past 12 months, Jason Wei’s account had been stolen at least 10 times.

This time it was the OpenAI Newsroom account that was hacked. It came less than two days after the latest hack of Jason Wei's account, and .

These tweets spread across 𝕏 and drew a large crowd of onlookers.

Netizens were also nervous on everyone's behalf: don’t be fooled.

I don't quite understand who the target audience is here. If these scams didn't work, they wouldn't spend so much time on them.

But who are the people who are simultaneously: 1) interested in cryptocurrencies, 2) knowledgeable about OpenAI and its senior leadership, and 3) easily fall for such a simple wallet theft trap?

Employees at Musk’s xAI and Grok developers couldn’t help chiming in:

I wish everyone good luck!

Some netizens lamented on OpenAI's behalf:

once is bad luck,
twice can reflect the problem,
three times is systemic,

Netizens joked that while Ilya went off to start a company doing SSI (Safe Superintelligence), OpenAI has now become USI (Unsafe Superintelligence):

So why not turn on 2FA (two-factor authentication)?

Maybe... 2FA doesn't work anymore.

Some netizens analyzed the methods and technology stack behind this attack.

Attack method analysis

The following is the analysis given by Vercel CEO Guillermo Rauch.

The first thing to note is that most phishing websites share a weakness: they look cheap and crude.

This phishing website, however, really looked the part: it looked like a legitimate website.

How did the attacker make it so realistic?

Note the "data-scrapbook-source" attribute. Was some kind of crawler tool used? If you Google it, you will find that it appears on many reported phishing websites. It comes from a Chrome extension called "WebScrapBook" that instantly clones a website to static HTML.

Guillermo Rauch tried it himself and said that it works very well:

I cloned my website and the copy was very accurate.

Next, Guillermo Rauch spotted a key detail. The date on which the attacker crawled the site is exposed in the HTML: 20240619000652144. Parsed, it reads 2024-06-19T00:06:52.144Z, which is three months ago.

This shows that they have been doing this for a while, and may be targeting multiple OpenAI employees.
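An added example, not from the original article or from Guillermo Rauch's thread: a defender-side triage script that scans saved HTML for WebScrapBook's `data-scrapbook-*` attributes and decodes a 17-digit capture timestamp like the one quoted above. The sample pages, the `brand.example` URL, the `seen_at` date and the `data-scrapbook-create` attribute name are assumptions; the article itself names only `data-scrapbook-source`.

```python
import re
from datetime import datetime, timezone
from html.parser import HTMLParser

MARKER_PREFIX = "data-scrapbook-"
# 17 digits: YYYYMMDDhhmmss plus milliseconds, as in the value quoted above.
STAMP_RE = re.compile(r"^\d{17}$")


def parse_scrapbook_stamp(value):
    """Turn '20240619000652144' into an aware UTC datetime, or None."""
    if not STAMP_RE.match(value or ""):
        return None
    try:
        base = datetime.strptime(value[:14], "%Y%m%d%H%M%S")
    except ValueError:  # 17 digits that are not a real date, e.g. month 13
        return None
    return base.replace(microsecond=int(value[14:]) * 1000, tzinfo=timezone.utc)


class CloneMarkerScanner(HTMLParser):
    """Collects every data-scrapbook-* attribute found on any tag."""

    def __init__(self):
        super().__init__()
        self.markers = []  # (tag, attribute name, value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.startswith(MARKER_PREFIX):
                self.markers.append((tag, name, value or ""))


def triage(html, seen_at):
    """Summarise clone markers; seen_at is when the page was reported."""
    scanner = CloneMarkerScanner()
    scanner.feed(html)
    scanner.close()
    sources = sorted({v for _, n, v in scanner.markers
                      if n == MARKER_PREFIX + "source"})
    # Any marker value that decodes as a timestamp counts, so the check does
    # not depend on the assumed attribute name.
    stamps = [s for s in (parse_scrapbook_stamp(v)
                          for _, _, v in scanner.markers) if s]
    captured = min(stamps) if stamps else None
    iso = (captured.isoformat(timespec="milliseconds").replace("+00:00", "Z")
           if captured else None)
    return {
        "cloned": bool(scanner.markers),
        "sources": sources,             # what the page was copied from
        "captured_at": iso,             # when the copy was taken
        "age_days": (seen_at - captured).days if captured else None,
    }


# Constructed sample input: a cloned page and an ordinary one.
SAMPLE_CLONE = """<!DOCTYPE html>
<html lang="en" data-scrapbook-source="https://brand.example/"
      data-scrapbook-create="20240619000652144">
<head><title>Claim your tokens</title></head><body></body></html>"""
SAMPLE_PLAIN = "<html><head><title>Hello</title></head><body></body></html>"

if __name__ == "__main__":
    reported = datetime(2024, 9, 23, tzinfo=timezone.utc)  # constructed date
    for page in (SAMPLE_CLONE, SAMPLE_PLAIN):
        print(triage(page, reported))
```

A large `age_days` on a freshly reported page is the signal the article describes: the kit was cloned long before this particular lure went out.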

Next, the server stack. The website is hosted behind @cloudflare, which theoretically makes it difficult to trace back to the origin server.

However, by triggering the 404 error page, Guillermo Rauch got some interesting information:

Apache/2.4.52 (Ubuntu) Server at distribution-openai.com Port 80

Why is it interesting?

Guillermo Rauch explains that "port 80" could mean two things:

One is that they set up an encrypted reverse tunnel to connect to Cloudflare (which is less common); the other, conversely, is that they boldly have it connect directly to ${ip}:80 as the origin.

The question is: how does one find this origin IP address?

Contrary to popular opinion, traditional CDNs cannot truly protect origin IP addresses, which may be discovered through search engines.

This technique involves looking for unique strings in the page source, of which there are some good candidates. For example, a CSS id:

A suspected clone website was found this way, but because the title tag does not match, it is not an identical clone.

Furthermore, it does not match the Turkish text in the HTML:

videoyu cep telefonunuzda izlemeye devam etmek için qr kodunu tarayın (To continue watching the video on your phone, please scan the qr code)

Another very interesting string is the wallet address where the attacker intends to receive cryptocurrency. The address is not embedded directly in the HTML, but is handled by an obfuscated, encrypted script that tries its best to evade inspection and keeps sending the debugger into a loop.

Guillermo Rauch posted the script and said that he had not yet had a chance to start reverse engineering it.

Finally, Guillermo Rauch summarized some anti-fraud lessons:

Enable non-SMS multi-factor authentication (MFA).
Even with MFA turned on, you still need to be highly alert to emails. Existing attack patterns can already steal MFA verification codes.
Always be wary of domain names and emails.

OpenAI’s account being hacked this time and posting phishing content is also a reminder to everyone.

Folks, please keep your eyes open when surfing the Internet ~
