AI News AI资讯 1mo ago Updated 1mo ago 更新于 1个月前 53

Attackers abuse shared ChatGPT and Claude chats to spread malware 攻击者滥用共享的ChatGPT和Claude聊天来传播恶意软件。

Attackers are weaponizing the trust users place in AI platforms by distributing malware through legitimate-looking shared conversations on ChatGPT and Claude, leveraging the domains' inherent credibility to bypass traditional security filters. 攻击者利用ChatGPT和Claude的聊天共享功能传播恶意软件,他们将恶意代码伪装成错误消息或软件安装指南,并借助大模型平台可信域名的掩护,成功绕过传统安全工具的检测。

80
Hot 热度
75
Quality 质量
70
Impact 影响力

Analysis 深度分析

This isn't just another phishing variant; it's a sophisticated social engineering attack that represents a predictable, yet alarming, evolution in how threat actors adapt to new technology. The brilliance—and the danger—lies in its exploitation of two fundamental human factors: our conditioned trust in the familiar UI of tools we use daily, and our instinct to follow instructions that appear helpful. When you see a chat that looks like it came from your own history, complete with an error message or a tutorial, your guard drops. The malicious link isn't in a suspicious email from an unknown sender; it's embedded in what feels like a technical note from the AI itself, a context our brains have learned to associate with legitimate utility and safety.

The attack vector exposes a critical blind spot in enterprise security. Cybersecurity tools are meticulously trained to scrutinize email domains, file attachments, and untrusted websites. But a link hosted on chat.openai.com or claude.ai? That's whitelisted territory, often explicitly permitted by corporate firewalls. Attackers aren't breaking into a secure system; they're setting up a malware stand in the castle courtyard, knowing the guards have been instructed to let anyone bearing the royal crest pass through. It turns the platform's greatest strength—its trusted domain—into a catastrophic vulnerability. We're witnessing the weaponization of brand trust at an architectural level.

What's particularly insidious is the mimicry of AI's native behavior. These aren't poorly written, grammatically flawed scams. They're crafted to look like authentic AI interactions: a chat about code that "hits a snag" and suggests downloading a fix, or a guide that recommends installing a necessary component. This mimics the very patterns of help and troubleshooting that users have come to rely on. The AI itself isn't compromised; rather, its conversational facade is being perfectly spoofed to serve as a delivery mechanism. It’s a form of digital ventriloquism, making a trusted platform "speak" the attacker's payload into existence.

This forces a sobering reevaluation of the AI ecosystem's threat model. The industry has been rightly focused on securing models against prompt injection, data poisoning, and intellectual property theft. This attack operates a layer up, in the sharing and dissemination mechanics of the platforms. It highlights that any feature enabling user-generated content to look official—even if it's just a read-only share link—becomes a potential attack surface. The responsibility can't lie solely with security software. Platform architects must now consider how their design choices, like customizable chat sharing, create new phishing realms that legacy infrastructure can't police.

The path forward requires a dual approach. Security teams need to develop heuristics that look beyond domain trust, analyzing the context and behavior of links even on whitelisted sites. More importantly, AI companies must proactively build safeguards into their sharing features. Think digital watermarks on shared chats, clear and prominent warnings that "This is a user-shared conversation, not an official communication," or even limiting executable content in shares. User education is crucial, but it's a fallback. The primary defense must be embedded in the platform's fabric, making it structurally difficult to weaponize its own credibility. This incident is a stark reminder that in the AI era, innovation and security must evolve in lockstep; one without the other is a liability waiting to be exploited.

一个看似寻常的技术特性,在恶意分子手中变成了一把精准的钥匙。当主流大模型平台竞相将“对话分享”作为提升用户体验和传播能力的核心功能推出时,安全风险的种子也随之埋下。这次事件的核心矛盾,在于平台为了便利性与品牌露出而设计的信任机制,恰恰成了攻击者最渴望的保护色。

安全工具通常会对来自未知或可疑域名的链接、文件保持高度警惕,这是防御恶意攻击的基础逻辑。然而,当恶意内容被封装在 chat.openai.comclaude.ai 这样的顶级可信域名链接中时,绝大多数企业的防火墙、邮件安全网关乃至终端防护软件都会本能地放行。攻击者利用的正是这种根植于数字世界底层的“域名信任”原则。他们不再需要费尽心机诱导用户访问一个陌生网站,只需在合法的、每天被无数人正常访问的平台上,埋下一个精心构造的陷阱。这像在图书馆的推荐书目里夹入一张传单,利用人们对场所本身信誉的信赖,完成了一次“认证过”的投毒。

这种攻击方式的阴险之处在于,它将检测压力完全转移给了最终用户和AI平台本身。传统的安全防线在此近乎失效。当一个用户收到朋友或同事发来的、看起来是ChatGPT总结报告的链接,点开后看到一段看似专业的“错误代码”或“更新指南”,并被提示“需要复制这段代码执行以修复问题”时,警惕性会大幅降低。攻击成功的关键,从技术漏洞转向了社会工程学,利用了人们对AI助手输出的默认信任以及对技术故障的焦虑。

对于OpenAI和Anthropic这样的平台方而言,这无疑敲响了一记警钟。分享功能的代码生成、渲染和执行环境,是否设立了足够的沙箱隔离?对于用户在对话中粘贴的、意图被分享和执行的代码片段,是否有自动化的内容安全扫描机制?平台不能仅仅将自己定义为内容生成的“画布”,也必须成为恶意内容在传播路径上的“安检口”。分享按钮的背后,需要一套完整的内容安全审核与风险标注体系,比如对包含可执行代码、系统命令的分享内容进行强制风险提示,甚至暂时禁用某些高风险内容的交互性。

从更宏观的视角看,这是大模型深度融入社会生活后,其“超级入口”属性所带来的必然反噬。当人们习惯于向AI提问、让AI写代码、用AI总结一切,攻击者的靶心就从操作系统、应用程序,转向了AI这个中枢交互层。未来的网络安全战线,将不得不把大模型平台的内容生成与分享生态,纳入关键基础设施的防护范畴。这不仅仅是修补一个功能漏洞,更是对整个AI时代信任链的一次压力测试。防御的起点,或许要从重新评估我们对“可信数字原生内容”的默认态度开始。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。