Around 9,000 people have downloaded a trojanized version of the genuine ChatGPT plugin for Chrome from the Chrome Web Store, hijacking Facebook accounts in the process. The extension is a clone of the genuine “ChatGPT for Google” Chrome add-on, which integrates ChatGPT with search results. The malicious version, however, also contains extra code that tries to collect Facebook session cookies.
The extension’s creator published it to the Chrome Web Store on February 14, 2023, but began utilizing Google Search adverts to advertise it on March 14, 2023. Since then, it has seen 1,000 installations on average per day. A similar Chrome add-on that collected 4,000 installations before Google deleted it from the Chrome Web Store earlier this month is connecting with the same infrastructure, according to the researcher who identified it, Nati Tal of Guardio Labs.
As a result, this new edition is seen as being a part of the same campaign. The operators kept it on the Chrome Web Store as a fallback in case the original extension was reported and taken down. While looking for “Chat GPT 4,” Google Search results prominently display adverts that promote the malicious plugin.
Malicious Malware Steals Facebook Session Cookies
When visiting a phony “ChatGPT for Google” landing page, users can access the extension’s page on the legitimate Chrome add-on store by clicking on the sponsored search results. The real extension’s code is still present after the victim installs the extension, so they receive the advertised functionality (ChatGPT integration on search results). The malicious add-on does make an effort to harvest Facebook session cookies, though.
When the extension is installed, malicious malware steals Facebook session cookies using the OnInstalled handler function. Threat actors can enter into a Facebook account as the user and have full access to their profiles, including any commercial advertising options, thanks to these stolen cookies.
Using the Chrome Extension API for improper purposes, the virus collects a list of Facebook-related cookies and encrypts them with an AES key. It then sends a GET request to the attacker’s server in order to exfiltrate the stolen data. The Guardio Labs report states, “The cookies list is tied to the X-Cached-Key HTTP header value and is encrypted with AES.”
This method is used in this case to attempt to send cookies across the wire without raising any DPI (Deep Packet Inspection) techniques’ alarms regarding the packet payload. The threat actors then decrypt the stolen cookies to hijack the Facebook sessions of their victims and promote illegal content, such as ISIS propaganda, through ad campaigns.
In order to prevent the victims from taking back control of their Facebook accounts, the malware automatically alters the login information on the compromised accounts. Also, it changes the profile image and name to a false identity called “Lilly Collins.”
The malicious Google Chrome extension is still accessible right now through the Google Chrome Web Store. However, the Chrome Web Store team received a warning from the security researcher about the harmful extension, which will probably be taken down soon.
Sadly, based on past experience, the threat actors probably have a backup plan in the form of another “parked” extension that might help the next wave of infections.
Malicious ChatGPT For Chrome Extension Had Over 9000 Downloads
Given that the code of the malicious extension and the legitimate version upon which it is based only change in one way, it is very challenging to distinguish between the two.
We can tell the authentic extension is using the “OnInstalled” handler method only to make sure you see the settings screen (where you can log in to your OpenAI account), according to Guardio.
But, the malicious code that was forked is taking advantage of the current situation to steal your session cookies.
Once taken, the cookies are encrypted and exfiltrated, giving threat actors instant access to the accounts that have been compromised. They then alter the log-in information to prevent legitimate users from accessing the funds.
According to the security firm, the malicious ChatGPT for Chrome extension had over 9000 downloads before being taken down by Google. The original “FakeGPT” extension, which Guardio uncovered, was disseminated through paid Facebook postings.
Conclusion
Security researchers have issued another alert regarding a security problem that is spreading thanks to the public interest in ChatGPT and is posing as a Chrome extension this time. Using a legal open-source “ChatGPT for Google” extension as a base, threat actors allegedly injected malicious code intended to harvest Facebook session cookies, according to a blog post by Guardio.
Malicious sponsored search engine results then led users to the extension. To test the new algorithm, you search for “Chat GPT 4,” and in your eagerness, you click on a sponsored search result that promises you precisely that, according to Guardio. The only thing left to do is install the extension from the official Chrome Store after being redirected to a landing page that offers you ChatGPT directly inside your search results page. You can access ChatGPT through the search results, but your Facebook account will be immediately compromised.
