A threat actor may have compromised thousands of Facebook accounts — including business accounts — via a sophisticated fake Chrome ChatGPT browser extension which, until earlier this week, was available on Google's official Chrome Store.
According to an analysis this week from Guardio, the malicious "Quick access to Chat GPT" extension promised users a quick way to interact with the hugely popular AI chatbot. In reality, it also surreptitiously harvested a wide range of information from the browser, stole cookies of all authorized active sessions, and installed a backdoor that gave the malware author super-admin permissions to the user's Facebook account.
The Quick access to ChatGPT browser extension is just one example of the many ways in which threat actors have been trying to leverage the enormous public interest in ChatGPT to distribute malware and infiltrate systems. One example is an adversary who set up a fake ChatGPT landing page, where users tricked into "signing up" only ended up downloading a Trojan called Fobo. Others have reported a sharp increase in ChatGPT-themed phishing emails in recent months, and the growing use of fake ChatGPT apps to spread Windows and Android malware.
Targeting Facebook Business Accounts for a "Bot Army"
Guardio's analysis showed that the malicious browser extension actually delivered the quick access to ChatGPT that it promised, simply by connecting to the chatbot's API. But, in addition, the extension also harvested a complete list of all cookies stored in the user's browser, including security and session tokens for Google, Twitter, and YouTube, and for any other active services.
In cases where the user might have had an active, authenticated session on Facebook, the extension accessed Meta's Graph API for developers. The API access gave the extension the ability to harvest all data associated with the user's Facebook account, and more troublingly, take a variety of actions on the user's behalf.
More ominously, a component in the extension code allowed hijacking of the user's Facebook account by essentially registering a rogue app on the user's account and getting Facebook to approve it.
"An application under Facebook's ecosystem is usually a SaaS service that was approved to be using its special API," Guardio explained. Thus, by registering an app in the user's account the threat actor gained full admin mode on the victim's Facebook account without having to harvest passwords or trying to bypass Facebook's two-factor authentication, the security vendor wrote.
If the extension encountered a Facebook Business account, it quickly harvested all information pertaining to that account, including currently active promotions, credit balance, currency, minimum billing threshold, and whether the account might have a credit facility associated with it. "Later, the extension examines all the harvested data, preps it, and sends it back to the C2 server using the following API calls — each according to relevancy and data type," Guardio wrote.
A Financially Motivated Cybercriminal
Guardio assessed that the threat actor will probably sell the information it harvested from the campaign to the highest bidder. The company also foresees the potential for the attacker to create a bot army of hijacked Facebook Business accounts, which it could use to post malicious ads using money from the victims' accounts.
Guardio described the malware as having mechanisms for bypassing Facebook's security measures when handling access requests to its APIs. For instance, before Facebook grants access via its Meta Graph API, it first confirms that the request comes from an authenticated user and also from a trusted origin, Guardio said. To circumvent that precaution, the threat actor included code in the malicious browser extension that modified the headers of all requests sent to the Facebook website from a victim's browser, so that they appeared to come from a trusted origin as well.
"This gives the extension the ability to freely browse any Facebook page (including making API calls and actions) using your infected browser and without any trace," Guardio researchers wrote in the report on the threat.
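Defenders triaging installed extensions can look for the capability combination the report describes: access to session cookies plus the ability to rewrite request headers, scoped to hosts such as facebook.com. The manifest check below is an added example, not code from Guardio's report or from the extension itself; the two manifests it scans are constructed samples, and the permission and host-pattern names are the ones Chrome's extension platform uses.

```python
"""Triage Chrome extension manifests for cookie theft plus header rewriting."""
import json

# Permissions that expose stored cookies or let an extension rewrite headers.
COOKIE_PERMS = {"cookies"}
HEADER_PERMS = {"webRequest", "webRequestBlocking",
                "declarativeNetRequest", "declarativeNetRequestWithHostAccess"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest):
    """Collect host match patterns: MV2 lists them under "permissions",
    MV3 under "host_permissions"; accept both."""
    perms = manifest.get("permissions", [])
    hosts = set(manifest.get("host_permissions", []))
    hosts.update(p for p in perms if "://" in p or p == "<all_urls>")
    return hosts


def pattern_covers(pattern, domain):
    """True if a Chrome match pattern grants access to `domain`."""
    if pattern in BROAD_HOSTS:
        return True
    host = pattern.split("://", 1)[-1].split("/", 1)[0]
    if host.startswith("*."):          # wildcard subdomain pattern
        base = host[2:]
        return domain == base or domain.endswith("." + base)
    return host == domain


def triage(manifest, sensitive=("facebook.com", "google.com")):
    """Return risk findings for one manifest dict (empty list = nothing flagged)."""
    perms = set(manifest.get("permissions", []))
    hosts = host_patterns(manifest)
    reachable = [d for d in sensitive if any(pattern_covers(h, d) for h in hosts)]
    findings = []
    if perms & COOKIE_PERMS and reachable:
        findings.append("session-cookie access to " + ", ".join(reachable))
    if perms & HEADER_PERMS and reachable:
        findings.append("can rewrite request headers for " + ", ".join(reachable))
    if hosts & BROAD_HOSTS:
        findings.append("host access to every site")
    return findings


# Constructed samples (not the real extension's manifest).
SUSPECT_MANIFEST = json.loads('{"manifest_version": 3, "name": "constructed-suspect",'
                              ' "permissions": ["cookies", "declarativeNetRequestWithHostAccess", "storage"],'
                              ' "host_permissions": ["<all_urls>"]}')
BENIGN_MANIFEST = json.loads('{"manifest_version": 3, "name": "constructed-benign",'
                             ' "permissions": ["activeTab"], "host_permissions": []}')

if __name__ == "__main__":
    for m in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(m["name"], "->", triage(m) or ["no findings"])
```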