Since the discovery of FakeGPT—the fake ChatGPT Chrome extension—Guardio Labs once again stumbled upon a new strain of the Facebook Ads accounts stealer. The campaign has been targeting thousands of users per day. This variant comes in the form of an open-source product laden with malicious code, making it difficult to be detected.
Diving into details
Named “Chat GPT for Google,” the malicious extension has been in distribution since March 14, via sponsored Google search results for ChatGPT 4.
It can steal Facebook session cookies and compromise accounts at go.
The cookies are, subsequently, sent to the attackers’ server via a GET request. The cookie list is AES-encrypted and attached to the X-Cached-Key HTTP header value. This ensures that the cookies could be pilfered without any deep packet inspection mechanisms raising alarms.
At the time of removal from the Google Play Store, the FakeGPT extension was downloaded by more than 9,000 users.
Slightly different from the original
This variant of FakeGPT is based on genuine code and performs only one malicious action. It filters Facebook-related cookies, encrypts them with AES, and sends them back to the attacker's server.
The use of the workers.dev service is notable, as it was also used in the previous version, which allowed attackers to hijack Facebook accounts using a ChatGPT Chrome extension.
Why this matters
Threat actors can use the compromised profiles as a bot for promoting services or create pages and ad accounts, exploiting their identity.
With the Facebook session overtaken, the profile will be controlled by the attacker, with no way for the victims to regain control.
The attacker can change the profile name and picture, harvest private data, and use the profile for further malicious actions.
Many users have fallen for this recently, leading to more malicious activity and propaganda within the Facebook ecosystem.
The bottom line
ChatGPT's popularity is being increasingly exploited, and this attack is not the only one. To prevent such attacks and protect data privacy, awareness is crucial, and even home internet users are recommended to implement relevant security protection and detection services. These services can overcome the significant security gaps that affect users en masse.