Fake ChatGPT Chrome Browser Extension Caught Hijacking Facebook Accounts

Mar 23, 2023Ravie LakshmananBrowser Security / Artificial Intelligence

Google has stepped in to remove a bogus Chrome browser extension
from the official Web Store that masqueraded as OpenAI’s ChatGPT
service to harvest Facebook session cookies and hijack the
accounts.

The “ChatGPT For Google” extension, a trojanized version of a
legitimate open source browser
add-on ^[1], attracted over 9,000
installations since March 14, 2023, prior to its removal. It was
originally uploaded to the Chrome Web Store on February 14,
2023.

According to Guardio Labs ^[2]
researcher Nati Tal, the extension is propagated through malicious ^[3]
sponsored Google search results ^[4] that are designed to
redirect unsuspecting users searching for “Chat GPT-4” to
fraudulent landing pages that point to the fake add-on.

Installing the extension adds the promised functionality – i.e.,
enhancing search engines with ChatGPT – but it also stealthily
activates the ability to capture Facebook-related cookies and
exfiltrate it to a remote server in an encrypted manner.

Once in possession of the victim’s cookies, the threat actor
moves to seize control of the Facebook account, change the
password, alter the profile name and picture, and even use it to
disseminate extremist propaganda.

The development makes it the second fake ChatGPT Chrome browser
extension to be discovered in the wild. The other extension ^[5], which also functioned
as a Facebook account stealer, was distributed via sponsored posts
on the social media platform.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app
access to your company’s SaaS apps? Join our webinar to learn about
the types of permissions being granted and how to minimize
risk.

RESERVE YOUR
SEAT ^[6]

If anything, the findings are yet another proof that
cybercriminals are capable of swiftly adapting their campaigns to
cash in on the popularity of ChatGPT to distribute malware and
stage opportunistic attacks.

“For threat actors, the possibilities are endless — using your
profile as a bot for comments, likes, and other promotional
activities, or creating pages and advertisement accounts using your
reputation and identity while promoting services that are both
legitimate and probably mostly not,” Tal said.

Found this article interesting? Follow us on Twitter ^[7]
and LinkedIn ^[8]
to read more exclusive content we post.

References

^{^}
legitimate open source browser
add-on (github.com)
^{^}
Guardio
Labs (labs.guard.io)
^{^}
malicious
(thehackernews.com)
^{^}
sponsored Google search results
(thehackernews.com)
^{^}
other
extension (thehackernews.com)
^{^}
RESERVE YOUR SEAT
(thn.news)
^{^}
Twitter
 (twitter.com)
^{^}
LinkedIn
(www.linkedin.com)