Fake ChatGPT Chrome extension targeted Facebook Ad accounts

ChatGPT has garnered a lot of questions about its security and capacity for manipulation, partly because it is a new software that has seen unprecedented growth (hosting 100 million users just two months following its launch). Security concerns vary from the risk of data breaches to the program writing code on behalf of hackers.

From malvertising, extension installation, hijacking Facebook accounts, and back again to propagation

Fake ChatGPT extension

The fake ChatGPT extension discovered by Guardio is the latest security concern, affecting thousands daily. The scam starts with the malicious stealer extension, “Quick access to Chat GPT,” showing up on Facebook-sponsored posts as a quick way to get started with ChatGPT directly from your browser.

While the extension does connect with ChatGPT’s API, it also harvests information from users’ browsers, stealing cookies of authorized, active sessions to any service they have and employing tailored tactics to take over the user’s Facebook accounts.

What happens to the data?

• In most cases, once data is stolen, it’s sold to the highest bidder
• High-profile Facebook business accounts that are taken over are treated differently. Those accounts are used to publish more sponsored posts and other social activities on behalf of the victim’s profiles, and the business’ account money credits are used to do so
• Once installed, the extension gains access to Meta’s Graph API for developers — allowing the threat actor to access personal details quickly and to take actions on the users’ behalf directly through their Facebook account using simple API calls
• Thanks to Chrome’s declarative NetRequest API, the extension can circumvent Facebook’s protection measures
• More than 2000 users have been installing this extension daily since its first appearance on 03/03/2023.

Following Guardio’s report regarding this malicious extension to Google, the extension is now removed from Chrome’s store.