Reports of data theft from Facebook accounts done by the ChatGPT extension for Chrome made headlines recently. Guardio security Team has uncovered another variant (beside the FakeGPT) of a new campaign that has already affected thousands of people.
The ChatGPT extension was propagated from 14th March using malicious sponsored Google search results. Available in the official Chrome Store, it stole Facebook session cookies and compromised FB accounts. It was a large-scale attack. This follows the current trend of stolen Facebook accounts changing names into ‘Lily Collins’ clones and bots used to promote malicious activities – from buying likes to straight-up ISIS propaganda.
The real ‘ChatGPT For Google’ extension is based on an open-source project that has gained huge popularity and millions of users over the past few months. As an open-source project, it aims to share knowledge and contribute to the developer community. Not many expected it could be so easily abused for malicious activities. Based on 1.16.6 version of the open-source project, the FakeGPT variant performs only one specific malicious action, right after installation. The rest is basically the same as the original code, which leaves no reason for suspicion.
A few hours after Guardio reported the case to Google (22 March 2023), the extension was removed from the Chrome store. At the time of removal, it was noted that more than 9,000 users had installed it. A search for the ChatGPT extension in the extension databases for Mozilla Firefox gave 567 results, and for Microsoft Edge – 47.
Unfortunately, in many cases, installing an application (or plug-in) does not trigger any alerts from the antivirus systems because they simply do not detect ‘new’ threats too well. When installing browser extensions, you need to be extremely vigilant – check what permissions the extension/application needs, the actual vendor, and what the addition actually does to the system.
Sources and IoC:
