Fake ChatGPT Chrome Browser Extension Caught Hijacking Facebook Accounts
Google has intervened to remove a fake Chrome browser extension from the official Web Store that posed as OpenAI’s ChatGPT service in order to gather Facebook session cookies and hijack users’ accounts.
The “ChatGPT For Google” extension, a trojanized version of a legitimate open-source browser add-on, had over 9,000 installations before being removed on March 14, 2023. It was originally submitted to the Chrome Web Store on February 14, 2023.
According to Guardio Labs researcher Nati Tal, the extension spread via malicious sponsored Google search results that were designed to redirect unsuspecting users searching for “Chat GPT-4” to fraudulent landing pages pointing to the fake add-on.
Once installed, the extension provides the advertised functionality, namely boosting search engines with ChatGPT, but it also activates the ability to secretly capture Facebook-related cookies and exfiltrate them to a remote server in encrypted form.
Once the threat actor has obtained the victim’s cookies, they proceed to seize control of the Facebook account, change the password, modify the profile name and photo, and even use it to propagate extremist content.
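A defender can triage installed extensions for the capability described above. The following is an added example, not code from Guardio Labs or the extension itself. It assumes cookie access goes through Chrome's `cookies` API permission combined with a host permission covering facebook.com, and the sample manifests are constructed.

```python
# Added example: flag extension manifests that can read cookies for a domain.
# Assumption: access uses Chrome's "cookies" API permission plus a host
# permission (match pattern) that covers the domain.
PERMISSION_KEYS = ("permissions", "optional_permissions",
                   "host_permissions", "optional_host_permissions")

def pattern_host(entry):
    """Host part of a match pattern, or None for an API permission name."""
    if entry == "<all_urls>":
        return "*"
    if "://" not in entry:
        return None  # e.g. "storage", "cookies"
    return entry.split("://", 1)[1].split("/", 1)[0]

def host_covers(host, domain):
    """True if a match-pattern host includes `domain` or one of its subdomains."""
    if host == "*":
        return True
    base = host[2:] if host.startswith("*.") else host
    if base == domain or base.endswith("." + domain):
        return True
    # Wildcard registered above the domain, e.g. "*.com".
    return host.startswith("*.") and domain.endswith("." + base)

def audit_manifest(manifest, domain="facebook.com"):
    """Handles MV2 (hosts inside "permissions") and MV3 ("host_permissions")."""
    apis, hosts = set(), []
    for key in PERMISSION_KEYS:
        for entry in manifest.get(key, []):
            if not isinstance(entry, str):
                continue
            host = pattern_host(entry)
            if host is None:
                apis.add(entry)
            elif host_covers(host, domain):
                hosts.append(entry)
    return {"cookies_api": "cookies" in apis, "hosts": hosts,
            "flag": "cookies" in apis and bool(hosts)}

# Constructed sample manifests (not taken from any real extension).
SAMPLES = {
    "mv3_search_helper": {"manifest_version": 3, "permissions": ["storage", "cookies"],
        "host_permissions": ["https://www.google.com/*", "https://*.facebook.com/*"]},
    "mv2_all_urls": {"manifest_version": 2, "permissions": ["cookies", "<all_urls>"]},
    "search_only": {"manifest_version": 3, "permissions": ["storage"],
        "host_permissions": ["https://www.google.com/*"]},
    "cookies_other_site": {"manifest_version": 3, "permissions": ["cookies"],
        "host_permissions": ["https://example.org/*"]},
}

if __name__ == "__main__":
    for name, manifest in SAMPLES.items():
        print(name, audit_manifest(manifest))
```

A flagged manifest shows that the extension is able to read those cookies, so the next step is comparing that access with what the extension claims to do, such as a search enhancer that requests Facebook hosts.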
This is the second time a fake ChatGPT Chrome browser extension has been discovered in the wild. The other extension, which likewise functioned as a Facebook account stealer, was distributed through sponsored posts on Facebook.
If anything, the findings are another example of how quickly hackers can alter their tactics to cash in on the popularity of ChatGPT to distribute malware and stage opportunistic attacks.
“For threat actors, the possibilities are endless — using your profile as a bot for comments, likes, and other promotional activities, or creating pages and advertisement accounts using your reputation and identity while promoting services that are both legitimate and probably mostly not,” Tal said.