Screen with ChatGPT showing fake Chrome extension targeting Facebook Ad accounts

Malicious Fake ChatGPT Chrome Extension Hijacks Facebook Ad Accounts

A fake ChatGPT Chrome extension likely compromised thousands of Facebook Ad accounts and installed hidden backdoors.

According to Israel-based cybersecurity company Guardio, the info-stealer was part of a malicious campaign, active since February, involving several fake ChatGPT extensions.

The “Quick access to Chat GPT” extension promised users convenient ways of interacting with ChatGPT, which it did deliver by connecting to OpenAI’s API. However, it also harvested users’ browser cookies and security tokens for various online accounts, including Facebook, Google, Twitter, YouTube, and other services.

Malicious ChatGPT Chrome extension gained all Facebook admin permissions

The malicious ChatGPT Chrome extension accessed Meta’s Graph API for any authenticated Facebook accounts, allowing it to act on the user’s behalf.

“This gives the extension the ability to freely browse any Facebook page (including making API calls and actions) using your infected browser and without any trace,” the researchers stated.

Upon encountering Facebook Ad accounts, the malicious Chrome extension initiated the takeover process.

“When threat actors find a Facebook account with a popular business page or a lot of credit, they initiate the account takeover process,” noted the researchers.

It automatically connected a malicious app to the Facebook Ad accounts to gain admin privileges, eliminating the need for passwords or two-factor authentication. The process was automated and required no user interaction. The app, which had been approved by Facebook and used the name and logo of an official Facebook app, requested all available permissions, gaining unrestricted access.

“From full control of your Facebook profile and activity to admin powers on all your groups, pages, businesses, and of course, advertisement accounts, they can even manage your connected WhatsApp and Instagram accounts,” they said.

The Chrome extension applied various evasion tactics to bypass the security measures of Meta’s Graph API for developers. Using Chrome’s declarativeNetRequest API, it modified request headers so that the activity appeared to originate from a genuine Facebook session.

“The extension is now an integral part of your browser. Thus, it can send any request to any other service – as if the browser owner itself was initiating this from the same context,” the researchers wrote.
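The permission combination described above (access to cookies for many sites plus the ability to rewrite request headers) is visible in an extension’s manifest before the code is ever read. The script below is an added example for defenders, not Guardio’s tooling and not the real extension’s manifest: it triages a Chrome extension manifest.json for that combination. The sample manifest, the host list and the risk thresholds are constructed for illustration.

```python
"""Triage a Chrome extension manifest for risky permission combinations.

Added example (not the article's or Guardio's code). It flags the pattern the
article describes: cookie access to high-value sites combined with the ability
to rewrite request headers (declarativeNetRequest / blocking webRequest).
"""
import json

# Constructed sample manifest in Manifest V3 shape; NOT the real extension's file.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Quick access to Chat GPT",
    "version": "1.0",
    "permissions": ["cookies", "storage", "declarativeNetRequest", "tabs"],
    "host_permissions": ["https://*.facebook.com/*", "https://*.google.com/*", "<all_urls>"],
    "background": {"service_worker": "bg.js"},
})

# Constructed benign manifest for comparison: no cookies, no host access.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Harmless notes",
    "version": "0.1",
    "permissions": ["storage"],
})

# Services whose session cookies the article says were harvested (assumed list).
HIGH_VALUE_HOSTS = ["facebook.com", "google.com", "twitter.com", "youtube.com"]

HEADER_REWRITE_PERMS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}


def host_matches(pattern: str, host: str) -> bool:
    """Return True if a Chrome match pattern (e.g. https://*.facebook.com/*) covers host."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False  # an API permission name, not a host pattern
    netloc = pattern.split("://", 1)[1].split("/", 1)[0]
    if netloc == "*":
        return True
    if netloc.startswith("*."):
        base = netloc[2:]
        # Chrome's "*.example.com" also matches the bare domain.
        return host == base or host.endswith("." + base)
    return host == netloc


def triage_manifest(manifest_json: str) -> dict:
    """Score a manifest: 'high' when cookie theft and header rewriting are both possible."""
    m = json.loads(manifest_json)
    declared = list(m.get("permissions", [])) + list(m.get("host_permissions", []))
    # MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions".
    hosts = [p for p in declared if "://" in p or p == "<all_urls>"]
    perms = {p for p in declared if p not in hosts}

    covered = sorted(h for h in HIGH_VALUE_HOSTS if any(host_matches(p, h) for p in hosts))
    findings = []

    session_theft = "cookies" in perms and bool(covered)
    if session_theft:
        findings.append("cookies permission plus host access to: " + ", ".join(covered))

    header_rewrite = bool(perms & HEADER_REWRITE_PERMS) or {"webRequest", "webRequestBlocking"} <= perms
    if header_rewrite:
        findings.append("can rewrite request headers (declarativeNetRequest or blocking webRequest)")

    if any(host_matches(p, "any.example") for p in hosts):
        findings.append("broad host access (<all_urls> or all hosts)")

    if session_theft and header_rewrite:
        risk = "high"
    elif session_theft or header_rewrite:
        risk = "medium"
    else:
        risk = "low"

    return {"name": m.get("name", "?"), "risk": risk, "covered_hosts": covered, "findings": findings}


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(manifest)
        print(f"[{label}] {result['name']}: risk={result['risk']}")
        for f in result["findings"]:
            print("   -", f)
```

Run it against the manifest.json of any installed extension (Chrome keeps them under the profile’s Extensions directory) to get a quick first-pass ranking before a deeper review of the background script.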

Its design also mimicked ChatGPT’s branding to earn users’ trust by impersonating an official version.

Neither Google nor Facebook detected the malicious campaign. Users discovered the extension on Google’s Chrome Store, where it was hosted, and via sponsored Facebook posts.

ChatGPT extension building a bot army of Facebook Ad accounts

After successfully taking over, the Chrome extension harvested information on active promotions, currency, credit balance, billing threshold, whether the account is prepaid, and other transactional information from the compromised Facebook Ad accounts.

The researchers suggested that the threat actor could create an army of Facebook Ad accounts to push malicious ads using the victims’ ad credits.

“With this approach, the campaign can continue propagating with its very own army of hijacked Facebook bot accounts, publishing more sponsored posts and other social activities on behalf of its victim’s profiles and spending business account money credits!”

Similarly, they could sell the stolen information to other threat actors for further exploitation.

Capitalizing on the language model’s popularity, the rogue extension was downloaded approximately 2,000 times in less than a week, between March 3 and March 9, 2023.

The researchers did not estimate the number of Facebook Ad accounts compromised. However, the rogue extension could compromise any Facebook account authenticated in the browser.

Guardio reported the rogue Chrome extension, and Google removed it from the official Chrome Store.