Hacker

A trojanized version of the legitimate ChatGPT extension for Chrome is gaining popularity on the Chrome Web Store, accumulating over 9,000 downloads while stealing Facebook accounts.

The extension is a copy of the legitimate popular add-on for Chrome named "ChatGPT for Google" that offers ChatGPT integration on search results. However, this malicious version includes additional code that attempts to steal Facebook session cookies.

The publisher of the extension uploaded it to the Chrome Web Store on February 14, 2023, but only started promoting it using Google Search advertisements on March 14, 2023. Since then, it has had an average of a thousand installations per day.

Add-on available on Chrome Web Store
Add-on available on the Chrome Web Store (BleepingComputer)

The researcher who discovered it, Nati Tal of Guardio Labs, reports that the extension is communicating with the same infrastructure used earlier this month by a similar Chrome add-on that amassed 4,000 installations before Google removed it from the Chrome Web Store.

Hence, this new variant is considered part of the same campaign, which the operators kept as a backup on the Chrome Web Store for when the first extension would be reported and removed.

Targeting Facebook accounts

The malicious extension is promoted via advertisements in Google Search results, which are prominently featured when searching for "Chat GPT 4."

Clicking on the sponsored search results takes users to a fake "ChatGPT for Google" landing page, and from there, to the extension's page on Chrome's official add-on store.

After the victim installs the extension, they get the promised functionality (ChatGPT integration on search results) since the legitimate extension's code is still present. However, the malicious add-on also attempts to steal session cookies for Facebook accounts.

Infection chain
Infection chain (Guardio Labs)

Upon the extension's installation, malicious code uses the OnInstalled handler function to steal Facebook session cookies.

These stolen cookies allow the threat actors to log in to a Facebook account as the user and gain full access to their profiles, including any business advertising features.

The malware abuses the Chrome Extension API to acquire a list of Facebook-related cookies and encrypts them using an AES key. It then exfiltrates the stolen data via a GET request to the attacker's server.

Retrieving list of cookies from Google Chrome
Retrieving list of cookies from Google Chrome (Guardio Labs)

"The cookies list is encrypted with AES and attached to the X-Cached-Key HTTP header value," explains the Guardio Labs report.

"This technique is used here to try and sneak the cookies out without any DPI (Deep Packet Inspection) mechanisms raising alerts on the packet payload."

The threat actors then decrypt the stolen cookies to hijack their victims' Facebook sessions for malvertizing campaigns or to promote banned material like ISIS propaganda.

Facebook page of an RV seller taken over by the attacker
Facebook page of an RV seller taken over by the attacker (Guardio Labs)

The malware automatically changes the login details on the breached accounts to prevent the victims from regaining control over their Facebook accounts. It also switches the profile name and picture to a fake persona named "Lilly Collins."

At this time, the malicious Google Chrome extension is still present in the Google Chrome Web Store.

However, the security researcher reported the malicious extension to the Chrome Web Store team, which will likely be removed soon. 

Unfortunately, based on previous history, the threat actors likely have a plan 'C' via another "parked" extension that could facilitate the next infection wave.

BleepingComputer contacted Google with further questions about the extension, but a response was not immediately available.


Update 3/23 - A Google spokesperson has sent BleepingComputer the following comment in regards to the malicious Chrome extension:

We don’t allow ads on our platform that use malicious techniques such as phishing.

We’ve reviewed the ads in question and taken appropriate action.

The extension is no longer available from the Chrome Web Store.

Related Articles:

Facebook ads push new Ov3r_Stealer password-stealing malware

PyPI suspends new user registration to block malware campaign

Cisco warns of password-spraying attacks targeting VPN services

Google fixes Chrome zero-days exploited at Pwn2Own 2024

Hackers poison source code from largest Discord bot platform