
'Quick access to ChatGPT' Browser Extension

Analysis has revealed that a fake Chrome browser extension called 'Quick access to ChatGPT' was used by a threat actor to compromise thousands of Facebook accounts, including business accounts. The extension was previously available on Google's official Chrome Web Store. It claimed to offer users a convenient way to interact with the popular AI chatbot ChatGPT. In reality, it was designed to collect a wide range of information from the victim's browser and steal the cookies of every authenticated, active session. The extension also installed a backdoor that gave the malware operator super-admin permissions on the user's Facebook account. Details about the malicious extension were released in a report by the researchers at Guardio Labs.

The 'Quick access to ChatGPT' browser extension is just one example of how threat actors have tried to exploit the widespread interest in ChatGPT to distribute malware and infiltrate systems. The threat actor behind the fake extension relied on ChatGPT's branding and on a listing in the official store to persuade users to install it, which highlights the need for users to be vigilant when downloading browser extensions and other software from the internet.

The 'Quick access to ChatGPT' Browser Extension Collects Sensitive Facebook Information

The malicious 'Quick access to ChatGPT' browser extension did provide access to the ChatGPT chatbot by connecting to its API, as promised. However, the extension also harvested the complete list of cookies stored in the user's browser, including security and session tokens for services such as Google, Twitter and YouTube, and for any other service with an active session.

In cases where the user had an active authenticated session on Facebook, the extension called Facebook's Graph API, which allowed it to harvest all the data associated with the user's Facebook account. Even more alarming, a component in the extension code enabled the threat actor to hijack the user's Facebook account by registering a rogue app on the victim's account and getting Facebook to approve it.

Because the rogue app is registered from within the victim's own authenticated session, the threat actor gained full administrative control of the Facebook account without having to harvest passwords or bypass Facebook's two-factor authentication. If the extension encountered a Facebook Business account, it harvested all information related to that account, including currently active promotions, credit balance, currency, minimum billing threshold, and whether the account had a credit facility associated with it. The extension then examined the harvested data, prepared it, and sent it back to the Command-and-Control (C2, C&C) server through API calls selected according to the relevance and type of the data.

These findings underscore the need for internet users to be cautious when installing browser extensions, especially those promising quick access to popular services. Users should also regularly review their list of installed extensions and remove any that are no longer needed, that behave questionably, or that request permissions out of proportion to what they claim to do.

Threat Actors may Seek to Sell the Collected Information

According to the researchers, the threat actor behind the 'Quick access to ChatGPT' browser extension is likely to sell the information harvested in the campaign to the highest bidder. Alternatively, the cybercriminals may use the hijacked Facebook Business accounts to build a bot army, which they could then use to post malicious ads from the victims' accounts.

The malware is equipped with mechanisms for bypassing Facebook's security measures when handling access requests to its APIs. For example, before granting access via its Meta Graph API, Facebook first verifies that the request comes from an authenticated user and from a trusted origin. To circumvent this check, the threat actor included code in the extension that modifies the headers of every request it sends to the Facebook website from the victim's browser (typically the Origin and Referer headers, which are how a server establishes where a request was sent from) so that the requests appear to come from the Facebook web application itself rather than from the extension.

This gives the extension the ability to browse any Facebook page freely, including making API calls and performing actions, from the infected browser, without those requests standing out from the victim's own activity. The ease with which the extension could circumvent Facebook's checks underscores the need for online platforms to be vigilant in detecting and preventing such activity. Google has since removed the malicious 'Quick access to ChatGPT' browser extension from the Chrome Web Store.
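The two capabilities described above, harvesting every cookie the browser holds and rewriting headers so that extension-originated requests look like they come from facebook.com itself, both leave traces in an extension's static artifacts. The following Node.js script is an added example, not code from this page or from Guardio Labs, that triages an unpacked extension's manifest.json and its declarativeNetRequest rule file for exactly that combination. The SAMPLE_MANIFEST and SAMPLE_RULES objects are constructed to mirror the capabilities the report describes and are not the real extension's files; the Origin/Referer rewrite is assumed to be implemented as a declarativeNetRequest modifyHeaders rule, which is the Manifest V3 mechanism for it.

```javascript
// Added example (not from the page or Guardio Labs): static triage of an unpacked
// Chrome extension's manifest.json plus its declarativeNetRequest rule file.
// It flags the pattern the report describes: cookie access across every origin
// combined with header rewriting that spoofs a first-party facebook.com origin.

const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// Permissions that let an extension rewrite outgoing request headers.
const HEADER_REWRITE_PERMS = new Set([
  "declarativeNetRequest",
  "declarativeNetRequestWithHostAccess",
  "webRequestBlocking", // MV2 blocking webRequest handlers can also rewrite headers
]);
const ORIGIN_HEADERS = new Set(["origin", "referer"]);

// Constructed stand-in for the malicious manifest (assumed shape, not the real file).
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Constructed sample (mirrors the reported capabilities)",
  version: "1.0",
  permissions: ["cookies", "storage", "declarativeNetRequest"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "background.js" },
  declarative_net_request: {
    rule_resources: [{ id: "rules", enabled: true, path: "rules.json" }],
  },
};

// Constructed stand-in for rules.json: makes XHRs to facebook.com look first-party.
const SAMPLE_RULES = [
  {
    id: 1,
    priority: 1,
    action: {
      type: "modifyHeaders",
      requestHeaders: [
        { header: "Origin", operation: "set", value: "https://www.facebook.com" },
        { header: "Referer", operation: "set", value: "https://www.facebook.com/" },
      ],
    },
    condition: { urlFilter: "||facebook.com", resourceTypes: ["xmlhttprequest"] },
  },
];

// Constructed benign control: only what a real ChatGPT helper would need.
const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: "Constructed benign sample",
  version: "1.0",
  permissions: ["storage"],
  host_permissions: ["https://chat.openai.com/*"],
};

// Host patterns live in `permissions` for MV2 and in `host_permissions` for MV3.
function hostPatterns(manifest) {
  return [...(manifest.host_permissions || []), ...(manifest.permissions || [])]
    .filter((p) => p.includes("://") || p === "<all_urls>");
}

function triageManifest(manifest, rules = []) {
  const findings = [];
  const perms = new Set(manifest.permissions || []);
  const hosts = hostPatterns(manifest);
  const broad = hosts.some((h) => BROAD_HOSTS.has(h));
  const touchesFacebook = broad || hosts.some((h) => /facebook\.com/i.test(h));

  // chrome.cookies.getAll({}) returns every cookie the host scope covers;
  // with <all_urls> that is every session the browser holds.
  if (perms.has("cookies") && broad) {
    findings.push({ code: "COOKIE_HARVEST", detail: "cookies permission with <all_urls> host scope" });
  }

  // Capability to rewrite headers on requests aimed at facebook.com.
  const canRewrite = [...perms].some((p) => HEADER_REWRITE_PERMS.has(p));
  if (canRewrite && touchesFacebook) {
    findings.push({ code: "HEADER_REWRITE", detail: "can modify request headers on facebook.com" });
  }

  // Static rules that set Origin/Referer make extension-originated XHRs look first-party.
  for (const rule of rules) {
    if (rule.action?.type !== "modifyHeaders") continue;
    const spoofed = (rule.action.requestHeaders || [])
      .filter((h) => h.operation === "set" && ORIGIN_HEADERS.has(String(h.header).toLowerCase()))
      .map((h) => h.header);
    if (spoofed.length) {
      findings.push({
        code: "ORIGIN_SPOOF",
        detail: `rule ${rule.id} sets ${spoofed.join("/")} for ${rule.condition?.urlFilter ?? "(all urls)"}`,
      });
    }
  }
  return findings;
}

// Broad cookie access plus any origin-spoofing capability is the reported pattern.
function isSuspicious(findings) {
  const codes = new Set(findings.map((f) => f.code));
  return codes.has("COOKIE_HARVEST") && (codes.has("ORIGIN_SPOOF") || codes.has("HEADER_REWRITE"));
}

if (typeof require !== "undefined" && require.main === module) {
  const findings = triageManifest(SAMPLE_MANIFEST, SAMPLE_RULES);
  for (const f of findings) console.log(`${f.code}: ${f.detail}`);
  console.log("suspicious:", isSuspicious(findings));
  console.log("benign control findings:", triageManifest(BENIGN_MANIFEST).length);
}
```

To run it against a real unpacked extension, replace the constructed samples with JSON.parse of the extension's manifest.json and of the rule file listed under declarative_net_request.rule_resources. The check is deliberately coarse: cookies plus <all_urls> is also requested by some legitimate session managers, so treat the findings as triage input rather than a verdict, and pair them with a look at what the background script actually does with the cookies it reads.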
