Crooks Spread Rogue ChatGPT Chrome Extension to Hijack Facebook Accounts

Cybercriminals were recently spotted stealing Facebook accounts using a weaponized version of a legitimate ChatGPT browser extension available on the Chrome Web Store.

The rogue extension, dubbed “ChatGPT for Google” after its genuine counterpart, garnered over 9,000 downloads on the browser’s dedicated web store.

While it advertises itself as a utility that integrates ChatGPT within the browser’s search results, the extension has a darker purpose: covert theft of Facebook session cookies.

The threat actor started advertising the tool on March 14, a month after its publication date, using Google Search ads. Reportedly, searching for “Chat GPT 4,” “ChatGPT 4,” or similar keyword variations prompted users with sponsored results leading to the malicious tool.

Accessing the featured links would lead visitors to a rogue landing page advertising “ChatGPT for Google.” Following this path further guided users to the extension’s “official” page on Chrome’s web store.

To avoid suspicion, the perpetrator appended the malicious cookie-stealing code on top of the extension’s legitimate code. In other words, users could still use the extension, which drew their attention away from the tool’s hidden purpose.

Once installed, the extension leverages the onInstalled handler function to harvest Facebook session cookies. It then encrypts them with an AES key and exfiltrates the data to the attacker’s server using a GET request.

After decrypting the stolen cookies, threat actors can use them to log in to the victims’ Facebook accounts with full ownership rights. As BleepingComputer reports, perpetrators use hijacked accounts to run malvertising campaigns and spread banned materials such as ISIS propaganda.

The malicious extension also has a rudimentary persistence mechanism to prevent victims from recovering their accounts. After hijacking them, the tool automatically alters the accounts’ login details, changes the profile names and sets a profile picture to match a fake persona called “Lilly Collins.”

Fortunately, the extension has been taken down from Chrome’s Web Store. However, security experts believe that threat actors might have a backup plan in the form of a dormant, equally malicious extension ready to go.

Specialized software like Bitdefender Ultimate Security can protect you from malicious extensions and other cyberthreats with its extensive library of features, including:

• Continuous, all-around monitoring and protection against viruses, worms, Trojans, spyware, ransomware, zero-day exploits, rootkits, and other e-threats
• Behavioral detection module that closely monitors active apps and takes instant action upon detecting suspicious activity
• Web filtering technology that prevents you from landing on malicious pages and blocks all known infected links
• Network threat prevention module that detects and blocks suspicious network-level activities, including malware, brute force attacks, botnet-related URLs, and sophisticated exploits