
Meta Removes Malware Campaigns Using ChatGPT as Bait to Steal Accounts
Meta says it has taken steps to remove more than 1,000 malicious URLs from being shared across its services that were found to be leveraging OpenAI’s ChatGPT as bait to spread about 10 malware families since March 2023.
The development comes against a backdrop of fake ChatGPT web browser extensions being increasingly used to steal users’ Facebook account credentials with the aim of running unauthorized ads from hijacked business accounts.
“Threat actors create malicious browser extensions available on legitimate web stores that claim to offer ChatGPT-based tools,” Meta said. “They will then promote these malicious extensions on social media and through sponsored search results to trick people into downloading malware.”
The social media giant said it has blocked several iterations of the multi-pronged malware campaign dubbed Ducktail over the years, adding that it issued cease-and-desist letters to the individuals behind the operation, who are located in Vietnam.
Trend Micro, in a series of tweets last week, detailed information stealers posing as Windows desktop clients for ChatGPT that extract passwords, session cookies, and browsing history from Chromium-based browsers. The company says the malware shares similarities with Ducktail.
In addition to ChatGPT, threat actors have also been observed turning to other “hot button issues and popular topics” such as Google Bard, TikTok marketing tools, pirated software and movies, and Windows utilities to trick people into clicking fake links.
“This change is likely an attempt by threat actors to ensure that a single service only has limited visibility across operations,” Guy Rosen, chief information security officer at Meta, said.

The attack chain is primarily engineered to target the personal accounts of users who manage or connect to business pages and advertising accounts on Facebook.
Apart from using social media to spread ChatGPT-themed malicious URLs, the malware is hosted on various legitimate services such as Buy Me a Coffee, Discord, Dropbox, Google Drive, iCloud, MediaFire, Mega, Microsoft OneDrive, and Trello.
Ducktail isn’t the only information-stealing malware detected in the wild: Meta revealed that it discovered another new strain, dubbed NodeStealer, capable of looting cookies and passwords from web browsers to eventually compromise Facebook, Gmail, and Outlook accounts.
The malware was assessed to be Vietnamese in origin, with Meta noting that it “took action to stop it and assist potential targets to recover their accounts” within two weeks of the malware being deployed in late January 2023.
Samples analyzed by the company show that NodeStealer binaries are distributed as Windows executables disguised as PDF and XLSX files, with file names relating to marketing and monthly budgets. When opened, the file runs JavaScript code designed to extract sensitive data from Chromium-based browsers.
NodeStealer gets its name from its use of the Node.js cross-platform JavaScript runtime, which is bundled with the main payload, to set up persistence and run the malware. No new artifacts have been identified since February 27, 2023.
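The lure described above works because the victim judges a file by its name, while Windows judges it by its contents and its real (often hidden) extension. The following added example, which is not Meta's tooling or anything from the NodeStealer samples, shows the check a mail gateway or endpoint script would apply: read the magic bytes and the PE header rather than trusting the name, and flag a "PDF" or "XLSX" that is actually a PE executable. The sample files, names and the `classify` function are constructed for this illustration; the magic values and the DOS-header layout (e_lfanew at offset 0x3C) are standard format facts.

```python
import struct

# Format signatures (standard facts about the file formats, not taken from any sample).
PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"      # XLSX (and DOCX, PPTX) are ZIP containers
MZ_MAGIC = b"MZ"               # DOS stub that every PE executable starts with
PE_SIGNATURE = b"PE\x00\x00"   # found at the offset stored in the DOS header

# What a file *claiming* each document extension must start with.
DOCUMENT_MAGIC = {".pdf": PDF_MAGIC, ".xlsx": ZIP_MAGIC}
# Extensions Windows will execute directly; the lure hides one of these behind a document name.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def is_pe_executable(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew field points at a valid PE signature."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # 32-bit LE offset at 0x3C
    # Slicing past the end yields b"", so a bogus offset fails the comparison safely.
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def extensions_of(filename: str) -> list[str]:
    """All dotted suffixes of a name, lower-cased: 'Budget.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify(filename: str, data: bytes) -> str:
    """Verdict for one file: 'disguised-executable', 'content-mismatch' or 'ok'."""
    exts = extensions_of(filename)
    looks_like_document = any(e in DOCUMENT_MAGIC for e in exts)
    ends_executable = bool(exts) and exts[-1] in EXECUTABLE_EXTENSIONS

    # Case 1: the bytes are a PE image but the name is dressed up as a document
    # (either 'report.pdf.exe' with the real extension hidden, or plain 'report.pdf').
    if is_pe_executable(data) and (looks_like_document or not ends_executable):
        return "disguised-executable"

    # Case 2: claimed document type, but the content does not carry that format's magic.
    if exts and exts[-1] in DOCUMENT_MAGIC and not data.startswith(DOCUMENT_MAGIC[exts[-1]]):
        return "content-mismatch"

    return "ok"


def build_minimal_pe_stub() -> bytes:
    """Constructed stand-in for an executable: DOS header with e_lfanew=0x40, then 'PE\\0\\0'."""
    header = bytearray(0x40)
    header[:2] = MZ_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + PE_SIGNATURE + bytes(16)


# Constructed corpus mimicking the lure names the article describes (budget / marketing themes).
SAMPLES = {
    "Monthly_Budget_April.pdf.exe": build_minimal_pe_stub(),   # PE hiding behind a double extension
    "Marketing_Plan_Q2.xlsx": build_minimal_pe_stub(),         # PE with a bare document extension
    "Monthly_Budget_April.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",  # genuine-looking PDF
    "Marketing_Plan_Q2.xlsx.bak": b"PK\x03\x04\x14\x00\x00\x00",  # ZIP bytes, unusual suffix
    "Ad_Spend.xlsx": b"%PDF-1.4\n",                            # claims XLSX, carries PDF bytes
}


def scan(samples: dict[str, bytes]) -> dict[str, str]:
    """Run classify() over a name->bytes mapping and return name->verdict."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{verdict:22} {name}")
```

Two caveats a practitioner should keep in mind: the ZIP check accepts any Office Open XML container (DOCX and PPTX share the same magic), so it proves "is a ZIP", not "is a spreadsheet"; and a PE check catches the executable-disguised-as-document lure described here, not script or installer variants, which need their own signatures.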
“After fetching Facebook credentials from the target browser data, the malware uses them to make several unauthorized requests to Facebook URLs to calculate the account information associated with the ads,” said Meta. “The stolen information then allows the threat actor to assess and then use the user’s advertising account to run unauthorized ads.”
In an attempt to slip under the radar of the company’s anti-abuse systems, malicious requests are made from the targeted user’s device to Facebook’s API, providing a layer of legitimacy to the activity.
To counter this threat, Meta said it has launched new support tools that guide users through identifying and removing malware, allow businesses to verify connected Business Manager accounts, and require additional authentication when accessing credit limits or changing business administrators.