A trojanized version of the legitimate ChatGPT extension for Chrome is gaining popularity on the Chrome Web Store, accumulating over 9,000 downloads while stealing Facebook accounts.
The extension is a copy of the legitimate, popular Chrome add-on named "ChatGPT for Google," which offers ChatGPT integration on search results. This malicious version, however, contains additional code that attempts to steal Facebook session cookies.
The author of the extension uploaded it to the Chrome Web Store on February 14, 2023, but only started promoting it with Google Search advertisements on March 14, 2023. Since then, it has averaged a thousand installations per day.
The researcher who discovered it, Nati Tal of Guardio Labs, reports that the extension communicates with the same infrastructure used earlier this month by a similar Chrome add-on that amassed 4,000 installations before Google removed it from the Chrome Web Store.
This new variant is therefore considered part of the same campaign: the operators kept it parked on the Chrome Web Store as a backup for when the first extension was reported and removed.
Targeting Facebook accounts
The malicious extension is promoted through advertisements in Google Search results, which are displayed prominently when searching for "Chat GPT 4."
Clicking on the sponsored search result takes users to a fake "ChatGPT for Google" landing page, and from there to the extension's page on Chrome's official add-on store.
After the victim installs the extension, they get the promised functionality (ChatGPT integration on search results), because the legitimate extension's code is still present. However, the malicious add-on also attempts to steal session cookies for Facebook accounts.
Upon installation, malicious code registered in the extension's onInstalled handler (the event Chrome fires when an extension is first installed or updated) collects the Facebook session cookies.
These stolen cookies allow the threat actors to log in to a Facebook account as the user and gain full access to the profile, including any business advertising features.
The malware abuses the Chrome Extension API to collect a list of Facebook-related cookies, encrypts them with an AES key, and then exfiltrates the encrypted data via a GET request to the attacker's server.
“The cookies list is encrypted with AES and attached to the X-Cached-Key HTTP header value,” explains the Guardio Labs report.
“This technique is used here to try and sneak the cookies out without any DPI (Deep Packet Inspection) mechanisms raising alerts on the packet payload.”
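As an added example (not code from the Guardio Labs report, the extension itself, or Chrome), the two defensive checks below follow directly from the mechanism described above. The first reviews an extension manifest for the combination that lets an extension read another site's cookies: the "cookies" API permission plus a host permission covering that site. The second scans outbound request metadata for a custom header carrying a long, high-entropy value, which is what an AES-encrypted cookie list looks like when it is smuggled in a header rather than in the body that payload inspection examines. The manifest, the request records and the header value are all constructed sample data, and the length and entropy thresholds are assumptions to tune against real traffic.

```javascript
// Added illustrative code for this article; not from the Guardio Labs report,
// the malicious extension, or Chrome. All data below is constructed.

const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Search helper (constructed sample manifest)",
  permissions: ["cookies", "storage"],
  host_permissions: ["*://*.facebook.com/*", "*://www.google.com/*"],
};

// Does the host part of a Chrome match pattern cover the given domain?
function hostPatternCovers(pattern, domain) {
  if (pattern === "<all_urls>") return true;
  const m = /^[a-z*]+:\/\/([^/]+)\//.exec(pattern);
  if (!m) return false;
  const host = m[1];
  if (host === "*") return true;
  if (host.startsWith("*.")) {
    const base = host.slice(2);
    return domain === base || domain.endsWith("." + base);
  }
  return domain === host;
}

// Host permissions that, together with the "cookies" permission, let this
// extension enumerate cookies for `domain` (empty array means no access).
function cookieAccessFor(manifest, domain) {
  const perms = manifest.permissions || [];
  if (!perms.includes("cookies")) return [];
  // MV2 manifests list host patterns under "permissions"; MV3 uses "host_permissions".
  const hostPerms = perms.filter((p) => p.includes("://") || p === "<all_urls>");
  const hosts = [...(manifest.host_permissions || []), ...hostPerms];
  return hosts.filter((p) => hostPatternCovers(p, domain));
}

// Shannon entropy in bits per character; random base64 text sits close to 6.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Deterministic stand-in for an encrypted, base64-encoded blob (a simple LCG,
// not a real cipher) so the sample runs offline and reproducibly.
function pseudoRandomBase64(length, seed = 7) {
  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  let x = seed >>> 0;
  let out = "";
  for (let i = 0; i < length; i++) {
    x = (Math.imul(x, 1664525) + 1013904223) >>> 0;
    out += alphabet[x >>> 26]; // top 6 bits of the state index the alphabet
  }
  return out;
}

// Flag requests whose custom (X-) headers carry a long, high-entropy value.
// Thresholds are assumptions: 256 characters is already far beyond any cache
// key or tracing header seen in ordinary browser traffic.
function flagHeaderExfil(requests, { minLength = 256, minEntropy = 4.5 } = {}) {
  const hits = [];
  for (const req of requests) {
    for (const [name, value] of Object.entries(req.headers || {})) {
      const lower = name.toLowerCase();
      if (!lower.startsWith("x-")) continue;
      if (value.length < minLength) continue;
      const entropy = shannonEntropy(value);
      if (entropy < minEntropy) continue;
      hits.push({
        method: req.method,
        url: req.url,
        header: lower,
        length: value.length,
        entropy: Number(entropy.toFixed(2)),
      });
    }
  }
  return hits;
}

// Constructed request records, as a proxy or browser telemetry might log them.
const SAMPLE_REQUESTS = [
  { method: "GET", url: "https://www.google.com/search?q=chat+gpt+4",
    headers: { Accept: "text/html", "X-Client-Data": "CIa2yQEIpLbJAQ==" } },
  { method: "GET", url: "https://cdn.example.test/ping",
    headers: { Accept: "*/*", "X-Cached-Key": pseudoRandomBase64(800) } },
  { method: "GET", url: "https://cdn.example.test/v",
    headers: { "X-Cached-Key": "v2-static-key" } },
];

console.log(cookieAccessFor(SAMPLE_MANIFEST, "www.facebook.com"));
console.log(flagHeaderExfil(SAMPLE_REQUESTS));
```

The manifest check is the one to run over the extensions already installed in a fleet: the cookies permission alone is common, but combined with a host permission for a site the extension has no business reading, it is exactly the capability this add-on needed. The header check is deliberately not tied to the X-Cached-Key name, since the next parked variant can rename the header; it keys on the shape of the value instead.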
The threat actors then decrypt the stolen cookies to hijack their victims' Facebook sessions, using them for malvertising campaigns or to promote banned material such as ISIS propaganda.
The malware automatically changes the login details on the breached accounts to prevent the victims from regaining control of their Facebook accounts. It also switches the profile name and picture to a fake persona named "Lilly Collins."
At the time of writing, the malicious Google Chrome extension is still present in the Google Chrome Web Store.
However, the security researcher has reported the malicious extension to the Chrome Web Store team, so it will likely be removed soon.
Unfortunately, based on previous history, the threat actors likely have a plan 'C' in the form of another "parked" extension that could facilitate the next infection wave.
BleepingComputer contacted Google with further questions about the extension, but a response was not immediately available.