A fraudulent Chrome browser extension masquerading as OpenAI’s ChatGPT tool was used by hackers this month to hijack Facebook accounts.
The extension, which was designed to look nearly identical to OpenAI’s legitimate ChatGPT browser add-on, was downloaded more than 9,000 times before eventually being taken down by Google.
The malicious extension operated the same as the real extension, which offered ChatGPT responses alongside search engine results, but also included extra lines of code that attempted to steal session cookies used by Facebook.
Once downloaded, the hackers are able to log in and take total control of a victim’s Facebook account using the stolen cookies.
Uploaded to the Chrome store on February 14, the add-on, as first reported by cybersecurity firm Guardio Labs, began appearing in Google search advertisements exactly one month later.
One victim of the attack, according to Guardio Labs’ report, even had their Facebook business account used to promote ISIS propaganda.
“The misuse of ChatGPT’s brand and popularity just keeps on rising, used not only for Facebook account harvesting and not only with malicious fake Extensions for Chrome,” wrote Nati Tal, head of Guardio Labs.
“Major services offered by Facebook, Google, and other big names are under continuous attack and abuse, while at the end of it all—the ones being mostly hit here are us, the users.”
In a statement to Bleeping Computer on Wednesday, Google confirmed that it removed the extension after being alerted to its presence on the Chrome Web Store.
“We don’t allow ads on our platform that use malicious techniques such as phishing,” a Google representative said. “We’ve reviewed the ads in question and taken appropriate action. The extension is no longer available from the Chrome Web Store.”
The unknown threat actors behind the malicious add-on carried out a similar attack in the past.
Guardio Labs found that the extension was communicating with the same infrastructure as another fake ChatGPT add-on that was downloaded more than 4,000 times before being removed earlier this month.
“This time, threat actors didn’t have to work hard on the look and feel of this malicious ChatGPT-themed extension—they just forked and edited a well-known open-source project that does exactly that,” Guardio Labs reported. “From zero to ‘hero’ in probably less than 2 minutes.”