Monday, July 15, 2024

Fake ChatGPT Chrome Extension with Thousands of Installs Steal Facebook Logins

Guardio Labs discovered a Chrome Extension that promotes rapid access to fake ChatGPT functionality capable of stealing Facebook accounts and establishing hidden account backdoors.

Using a maliciously imposed Facebook app “backdoor” that grants the threat actors super-admin powers stands out.

“By hijacking high-profile Facebook business accounts, the threat actor creates an elite army of Facebook bots and a malicious paid media apparatus,” Guardio Labs reports.

“This allows it to push Facebook paid ads at the expense of its victims in a self-propagating worm-like manner.”

Tactics Employed By This Powerful Stealer

The Guardio Labs research team discovered a new version of the malicious fake ChatGPT browser extension. This time, it has been updated with a frightening method to take control of your Facebook accounts and a sophisticated worm-like way for spreading.

On Facebook-sponsored posts, the malicious stealer extension dubbed “Quick access to Chat GPT” is advertised as a fast way to launch ChatGPT straight from your browser.*dk6Oz-DYOQPUhODIZTIVAA.png
Malicious Sponsored Posts on Facebook leading to the Malicious “FakeGPT” extension

Reports say although the extension gives you that (by merely connecting to the official ChatGPT’s API), it also gathers all the data it can from your browser, steals cookies from allowed active sessions to any service you have, and uses targeted methods to take over your Facebook account.

Using two fake Facebook applications, portal and msg kig, backdoor access is maintained, and complete control of the target profiles is attained. Adding apps to Facebook accounts is a fully automated procedure.

Threat Actor Uses 2 Main Apps

“With this approach, the campaign can continue propagating with its army of hijacked Facebook bot accounts, publishing more sponsored posts and other social activities on behalf of its victim’s profiles and spending business account money credits!” Guardio Labs.*N_117h-kpxFLRgfzxPP6MA.png
From malvertising, extension installation, hijacking Facebook accounts, and back again to propagation

After you click on the extension icon after it has been installed, a small popup window with a prompt to ask ChatGPT whatever you want appears. This is precisely what the extension promises.

As a result, it can send any request to any other service, just as if the browser owner were the one requesting the first place. This is important since, in most circumstances, the browser already has an active and authenticated session with nearly all your daily services, such as Facebook.

This enables the extension to utilize Meta’s Graph API for developers, giving the threat actor rapid access to your details and the ability to perform activities on your behalf from within your Facebook account via straightforward API calls.

“Not only this malicious extension is free-roaming on the official Chrome store, but it is also abusing Facebook’s official applications API in a way that should have triggered policy enforcers’ attention already,” Guardio Labs.

Reports state that since its appearance on March 3, 2023, this extension has been installed by more than 2000 users daily. As a result, each person has their Facebook account stolen. However, this is likely not the only harm.

The extension has since been removed from Chrome’s store due to Guardio’s Google report on this malicious extension.

Hence, we need to be more cautious even when doing regular, casual browsing. For example, avoid clicking on the first search result, and always be careful to only click on sponsored links and posts if you are confident of their source.

Network Security Checklist – Download Free E-Book

Related Read


Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles