Facebook Accounts Hijacked by Fake ChatGPT Extension
The security team at Guardio Labs has discovered a malicious ChatGPT extension for Google Chrome on the Chrome Web Store. The extension is a copy of the legitimate “ChatGPT for Google” add-on, which offers ChatGPT integration on search results. However, the malicious version includes additional code designed to gain total access to the user’s Facebook account.
The hackers access and decrypt the user’s Facebook session cookies, which can then be used to fully take over the victim’s Facebook account. The profile can then be used to spread prohibited material like ISIS propaganda and malicious advertising. Hackers can also easily change the victim’s login details to prevent them from regaining control.
Interestingly, it seems the hackers use an automated system to change the user’s profile name and image to match a new persona named “Lily Collins”.
The extension was uploaded to the Chrome Web Store on February 14th, 2023. However, it didn’t really gain traction until it began being pushed to the top of Google’s search result pages via Google Ads on March 14th. Overall, the malicious Chrome add-on has amassed over 9,000 total downloads.
The extension is primarily promoted through advertisements in Google Search results for “Chat GPT 4.” Upon clicking the sponsored search results, users are directed to a fake landing page, then to the extension’s page on Chrome’s official store. After installation, users receive the promised ChatGPT integration on search results, but the add-on also attempts to steal their Facebook cookies and hijack their accounts.
This variant is considered to be part of the same campaign as another malicious Chrome extension that managed to accrue 4,000 installations before being removed.
BleepingComputer contacted Google for further information about the extension. They responded with the following: “We don’t allow ads on our platform that use malicious techniques such as phishing. We’ve reviewed the ads in question and taken appropriate action. The extension is no longer available from the Chrome Web Store.”
The extension was removed from the Google Chrome Web Store on March 22nd. Unfortunately, it is feared that the threat actors likely have a backup plan via another parked extension, which could enable the next infection wave.
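For defenders, one way to check which installed extensions are even able to read Facebook session cookies is to audit their manifests. The script below is an added example, not code from Guardio Labs or the original article. It relies on the fact that Chrome's `chrome.cookies` API requires the `cookies` permission plus host access to the target site; the article does not list the permissions this extension requested, and the sample manifests are constructed.

```python
import json
import re
from pathlib import Path

# Chrome match pattern: <scheme>://<host>/<path>; host is "*", "*.site.tld" or exact.
_PATTERN = re.compile(r"^(\*|https?|wss?|ftp)://(\*|(?:\*\.)?[^/*]+)/.*$")
_KEYS = ("permissions", "optional_permissions",
         "host_permissions", "optional_host_permissions")

def host_matches(pattern, domain):
    """True if a match pattern grants access to `domain` or one of its subdomains."""
    if pattern == "<all_urls>":
        return True
    m = _PATTERN.match(pattern)
    if not m:
        return False  # API permission names ("storage", "tabs") land here
    host = m.group(2).lower()
    host = host[2:] if host.startswith("*.") else host
    return host == "*" or host == domain or host.endswith("." + domain)

def can_read_cookies(manifest, domain):
    """chrome.cookies needs the "cookies" permission AND host access to the site."""
    declared = [p for k in _KEYS for p in manifest.get(k, []) if isinstance(p, str)]
    return "cookies" in declared and any(host_matches(p, domain) for p in declared)

def audit_profile(extensions_dir, domain="facebook.com"):
    """Scan <extensions_dir>/<id>/<version>/manifest.json; return flagged (id, name)."""
    flagged = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, keep auditing
        if isinstance(manifest, dict) and can_read_cookies(manifest, domain):
            flagged.append((path.parts[-3], manifest.get("name", "?")))
    return flagged

# Constructed sample manifests (not taken from any real extension).
SAMPLES = {
    "mv3-facebook-host": {"manifest_version": 3, "name": "Search helper (constructed)",
        "permissions": ["cookies", "storage"],
        "host_permissions": ["https://*.google.com/*", "https://*.facebook.com/*"]},
    "mv2-all-urls": {"manifest_version": 2, "permissions": ["cookies", "<all_urls>"]},
    "no-cookies-api": {"manifest_version": 3, "permissions": ["storage"],
        "host_permissions": ["https://*.facebook.com/*"]},
    "cookies-other-site": {"manifest_version": 3, "permissions": ["cookies"],
        "host_permissions": ["https://*.example.com/*"]},
}

def flagged_samples(domain="facebook.com"):
    return [name for name, m in SAMPLES.items() if can_read_cookies(m, domain)]
```

Point `audit_profile` at the `Extensions` directory inside a Chrome profile to list the installed extensions that warrant a closer look; a hit means the capability is present, not that the extension is malicious.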