
Researchers have once again stumbled upon a new strain of the Facebook Ads account stealer Fake ChatGPT. The campaign has been targeting thousands of users, and the variant comes in the form of an open-source product laden with malicious code, which makes it difficult to detect.
The new strain, a malicious extension named Chat GPT for Google, has been in distribution since March 14 via sponsored Google search results for ChatGPT 4. The FakeGPT extension was downloaded by more than 9,000 users.
It can steal Facebook session cookies and compromise accounts on the spot. The cookies are subsequently sent to the attackers’ server via a GET request. The cookie list is AES-encrypted and attached as the value of the X-Cached-Key HTTP header, so the cookies can be exfiltrated without deep packet inspection mechanisms raising alarms.
This variant of FakeGPT is based on genuine code and performs only one malicious action: it filters Facebook-related cookies, encrypts them with AES, and sends them back to the attacker’s server.
Notably, the attackers used the workers.dev service to hijack Facebook accounts through a ChatGPT Chrome extension.
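A defender-side check for the exfiltration pattern described above: ciphertext-like data carried in an X-Cached-Key header on GET requests, with a workers.dev destination raising the severity. This is an added example, not code from the original report; the request record format, the entropy and length thresholds, and the sample values are all assumptions.

```python
import base64
import hashlib
import math
import re

# Base64 alphabet with optional padding: encrypted bytes must be text-encoded before they fit in a header.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_LEN = 32        # assumed: a real cache key is short; an encrypted cookie list is not
MIN_ENTROPY = 4.5   # assumed: bits per char; readable cache keys sit around 3.5-4.0

def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_like_ciphertext(value: str) -> bool:
    """Long, base64-shaped and high-entropy: the shape of encrypted data in a header."""
    return (len(value) >= MIN_LEN and B64_RE.match(value) is not None
            and shannon_entropy(value) >= MIN_ENTROPY)

def scan(requests):
    """Flag GET requests whose X-Cached-Key header carries ciphertext-like data.
    Each request is a dict with method, host, path and a headers dict (assumed format)."""
    findings = []
    for req in requests:
        value = req["headers"].get("X-Cached-Key")
        if req["method"] != "GET" or value is None or not looks_like_ciphertext(value):
            continue
        reasons = ["ciphertext-like X-Cached-Key on GET (%d chars, %.2f bits/char)"
                   % (len(value), shannon_entropy(value))]
        if req["host"].endswith(".workers.dev"):
            reasons.append("destination is a workers.dev subdomain")
        findings.append({"host": req["host"], "reasons": reasons})
    return findings

# Constructed sample records (not real campaign traffic). The second record mimics an
# AES-encrypted cookie list: deterministic pseudo-random bytes, base64-encoded.
FAKE_CIPHERTEXT = base64.b64encode(
    b"".join(hashlib.sha256(bytes([i])).digest() for i in range(4))).decode()
SAMPLE_REQUESTS = [
    {"method": "GET", "host": "static.example.test", "path": "/app.js",
     "headers": {"X-Cached-Key": "bundle-v3"}},
    {"method": "GET", "host": "exfil-demo.workers.dev", "path": "/",
     "headers": {"X-Cached-Key": FAKE_CIPHERTEXT}},
    {"method": "POST", "host": "api.example.test", "path": "/login",
     "headers": {"Content-Type": "application/json"}},
]
```

Running `scan(SAMPLE_REQUESTS)` flags only the workers.dev request, with both reasons attached; the legitimate short cache key passes.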
Aftereffects
- Threat actors can use the compromised profiles as bots to promote services, or create pages and ad accounts under the victims’ identity.
- With the Facebook session taken over, the profile is controlled by the attacker, with no way for the victim to regain control.
- The attacker can change the profile name and picture, harvest private data, and use the profile for further malicious actions.
ChatGPT’s popularity is being increasingly exploited. To thwart attacks and protect data privacy, home internet users, too, are advised to use security protection and detection services. These services can close the significant security gaps that affect users en masse.