OpenAI and Sora Users Targeted in Sophisticated Credential Theft Scam

A sophisticated phishing campaign is actively targeting both corporate and consumer accounts by impersonating OpenAI- and Sora-branded login portals.

Stealthy Credential Theft 

Attackers are distributing emails crafted to look like legitimate service notifications, often warning recipients of unusual activity or account suspension. These messages include links that direct victims to counterfeit login pages. These fake sites closely replicate the original portals, sometimes even mirroring their SSL certificates to appear trustworthy. 

Unit 42 researchers identified that the threat actors employ an obfuscated JavaScript multi-stage loader. This loader executes immediately after a victim submits their username and password on the fraudulent page. The malicious code dynamically injects a payload into the victim's browser, which then exfiltrates the harvested credentials to a command-and-control (C2) server. After stealing the information, the script instantly redirects the user to the legitimate service, effectively masking the breach and preventing immediate suspicion. 

Significant Impact and Mitigation 

The impact of this campaign is significant. Compromised credentials can be used to access sensitive data, manipulate AI models, or launch further corporate attacks under the guise of trusted accounts. Organizations using Single Sign-On (SSO) are especially vulnerable, as stolen tokens could grant the attackers lateral movement within corporate networks.

To combat this stealthy threat, security teams are advised to review recent login activity, implement multi-factor authentication (MFA) immediately, and monitor outbound network traffic for connections to known malicious domains. The dynamic nature of the JavaScript loader makes signature-based detection difficult, as the primary malicious code is never present on the initial phishing page. 
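One way to hunt for the submit-then-redirect behaviour described above in web proxy logs, as an added example that is not from Unit 42 or the original article: it flags a client that sends a POST from a non-genuine page and is then passed on to the genuine service within seconds. The log format, the `.example` hosts, the 10-second window and the list of genuine domains are assumptions to adapt.

```python
from datetime import datetime, timedelta

# Assumption: suffixes treated as the genuine service; adjust to your environment.
LEGIT_SUFFIXES = ("openai.com", "chatgpt.com", "sora.com")
WINDOW = timedelta(seconds=10)  # assumed max gap between the POST and the redirect

def is_legit(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)

def parse(line):
    # Constructed format: ISO-time client method dest-host referer-host ("-" if none)
    ts, client, method, host, referer = line.split()
    return datetime.fromisoformat(ts), client, method, host, referer

def find_post_then_redirect(lines):
    """Return (client, landing_host, post_destinations) for each case where a page
    on a non-genuine host issued POSTs and, within WINDOW, referred the same
    client on to the genuine service."""
    recent = {}  # (client, landing host) -> [(time, POST destination)]
    hits = []
    for ts, client, method, host, referer in sorted(map(parse, lines)):
        if referer == "-" or is_legit(referer):
            continue  # only requests that originate from a non-genuine page matter
        if method == "POST" and not is_legit(host):
            recent.setdefault((client, referer), []).append((ts, host))
        elif method == "GET" and is_legit(host):
            posts = recent.get((client, referer), [])
            dests = sorted({h for t, h in posts if ts - t <= WINDOW})
            if dests:
                hits.append((client, referer, dests))
    return hits

# Constructed sample records (not real traffic or real indicators).
SAMPLE_LOG = [
    "2025-01-15T09:00:01 10.0.0.5 GET login-openai.example -",
    "2025-01-15T09:00:20 10.0.0.5 POST login-openai.example login-openai.example",
    "2025-01-15T09:00:21 10.0.0.5 POST collect.example login-openai.example",
    "2025-01-15T09:00:22 10.0.0.5 GET chatgpt.com login-openai.example",
    "2025-01-15T09:05:00 10.0.0.7 POST auth.openai.com auth.openai.com",
    "2025-01-15T09:05:02 10.0.0.7 GET chatgpt.com auth.openai.com",
    "2025-01-15T09:10:00 10.0.0.9 POST forum.example forum.example",
    "2025-01-15T09:12:00 10.0.0.9 GET chatgpt.com forum.example",
]

if __name__ == "__main__":
    for hit in find_post_then_redirect(SAMPLE_LOG):
        print(hit)
```

A page can suppress the Referer header, so an empty result means this one signal is absent, not that no credentials were submitted.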

 
