Google has stepped in to remove fake Chrome browser extensions from the official Web Store that masquerade as OpenAI ChatGPT services to harvest Facebook session cookies and hijack accounts.
The “ChatGPT For Google” extension, a trojanized version of a legitimate open-source browser add-on, attracted more than 9,000 installs since March 14, 2023, before being removed. It was originally uploaded to the Chrome Web Store on February 14, 2023.
According to Guard Laboratory researcher Nati Tal, the extension is propagated through malicious sponsored Google search results designed to redirect unsuspecting users searching for “GPT-4 Chat” to a fraudulent landing page that leads to the bogus add-on.
Installing the extension adds the promised functionality, namely enhancing search engine results with ChatGPT, but it also silently enables the capture of Facebook-related cookies and their exfiltration to a remote server in encrypted form.
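For defenders, an extension that reads cookies through Chrome's `chrome.cookies` API has to declare the `cookies` permission together with a host permission covering the site. The following audit sketch is an added example, not code from the research described here; the target hosts and sample manifests are constructed, and it does not cover other access paths such as content scripts.

```python
import re

# Assumption: hosts whose session cookies matter for this audit.
TARGET_HOSTS = ("facebook.com", "www.facebook.com")
MATCH_PATTERN = re.compile(r"^(\*|https?|wss?|ftp|file)://([^/]*)(/.*)$")

def pattern_covers(pattern, host):
    """True if a Chrome match pattern grants http(s) access to `host`."""
    if pattern == "<all_urls>":
        return True
    m = MATCH_PATTERN.match(pattern)
    if not m or m.group(1) not in ("*", "http", "https"):
        return False
    pat_host = m.group(2)
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):  # wildcard covers the base domain and subdomains
        base = pat_host[2:]
        return host == base or host.endswith("." + base)
    return pat_host == host

def audit_manifest(manifest):
    """Return the host patterns that, with "cookies", expose TARGET_HOSTS; else []."""
    declared = []
    # MV2 mixes host patterns into "permissions"; MV3 splits them out.
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        declared += [p for p in manifest.get(key, []) if isinstance(p, str)]
    if "cookies" not in declared:
        return []
    return [p for p in declared if any(pattern_covers(p, h) for h in TARGET_HOSTS)]

# Constructed sample manifests (not taken from any real extension).
SAMPLES = {
    "mv3-search-helper": {"manifest_version": 3, "permissions": ["storage", "cookies"],
                          "host_permissions": ["https://*.facebook.com/*"]},
    "mv2-broad": {"manifest_version": 2, "permissions": ["cookies", "<all_urls>"]},
    "mv3-no-cookies": {"manifest_version": 3, "permissions": ["storage"],
                       "host_permissions": ["<all_urls>"]},
    "mv3-other-host": {"manifest_version": 3, "permissions": ["cookies"],
                       "host_permissions": ["https://example.com/*"]},
}

def flagged(samples=SAMPLES):
    """Names of sample extensions able to read cookies for TARGET_HOSTS."""
    return sorted(name for name, m in samples.items() if audit_manifest(m))

if __name__ == "__main__":
    print(flagged())
```

A search helper has no functional need for Facebook cookie access, so a hit on such an extension is a signal to review or remove it.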
Once in possession of the victim’s cookies, threat actors move to seize control of Facebook accounts, change passwords, change names and profile pictures, and even use them to spread extremist propaganda.
The development makes it the second fake ChatGPT Chrome browser extension discovered in the wild. The other extension, which also functions as a Facebook account stealer, is distributed through sponsored posts on social media platforms.
If anything, these findings are further proof that cybercriminals can quickly adapt their campaigns to exploit ChatGPT’s popularity to distribute malware and carry out opportunistic attacks.
“For threat actors, the possibilities are endless — use your profile as a bot for comments, likes, and other promotional activity, or create ad pages and accounts using your reputation and identity while promoting legitimate services and most likely not,” said Tal.