A Chrome extension that masquerades as ChatGPT 4 has been detected stealing Facebook session cookies. Since it was uploaded in February 2023, it has been downloaded over 9,000 times.
Chrome Web Storethe store that allows you to download extensions for Google’s browser, is currently the scene of a malicious data theft campaign via a Trojan extension of ChatGPT. This extension, which has been downloaded over 9,000 times, is a true copy of the legitimate “ChatGPT for Google” extension. Instead, it contains code that steals users’ Facebook session cookies.
Guardio Labs researcher Nati Tal found that this extension communicates with the same infrastructure used by a similar Chrome extension that was removed from Google play this month after amassing 4,000 installs. The publisher of this malicious extension uploaded it on February 14, 2023, but did not start promoting it until March 14, 2023 by running advertisements on Google. Today, this malicious extension records on average a thousand installations per day.
Read also: ChatGPT – no more possible to cheat with AI, this student has developed the perfect counter-attack
Malicious ChatGPT 4 extension steals Facebook session cookies
It all started with misleading advertisements in Google search results. Ads that are highlighted when searching for “ChatGPT 4”. When users click on sponsored search results, they are taken to a fake landing page”ChatGPT for Google“. They are then sent to the extension’s page on the official Chrome add-ons store. A times the victim installs the extensionshe gets the promised functionality, i.e. ChatGPT integration in search results.
Malicious code embedded in ChatGPT 4 extension used handler function OnInstalled to steal cookies Facebook session. These stolen cookies allowed threat actors to access a Facebook account as a user and have full access to their profile.
Read also – This farcical scam uses ChatGPT to drain your bank account
After stealing cookies, this threat actors can easily take control of your Facebook sessions to run dubious ad campaigns or spread prohibited content, such as Islamic State propaganda. Their methods are vicious: they automatically change the login information of your hacked Facebook account to prevent you from regaining control. They even go so far as to replace your name and profile picture with a fake ID.
Google has confirmed that the malicious extension has been removed from the Chrome Web Store following BleepingComputer’s request for information. This decision was made after Google reviewed the advertisements in question and took the necessary steps to remove them from the platform. Google also said it does not tolerate malicious ads who use techniques such as phishing on their platform.
Note that the legitimate ChatGPT extension for Chrome has nothing to do with this malicious version. It is therefore crucial to check the source of any downloaded extension before installing it, to keep your browser regularly updated and to do not share personal information on social networks without having verified the authenticity.
Source: BleepingComputer