Beware: New ChatGPT Chrome Extension Will Steal Your Account

Already 9,000 users have fallen victim to this add-on.

A dangerous new threat has emerged on the Chrome Web Store, putting users’ accounts at risk.

Cybercriminals have been caught using a fraudulent version of the popular ChatGPT extension to steal unsuspecting users’ Facebook accounts. What’s particularly alarming is that this malicious variant is posing as the genuine add-on, and it has already fooled over 9,000 users into downloading it.

The malicious publisher of the extension snuck it onto the Chrome Web Store on Valentine’s Day 2023, before launching a massive advertising campaign on Google Search a month later. Incredibly, this sinister tactic has seen the fake extension average a staggering one thousand installations every single day! We assume the release of ChatGPT-4 only fuelled such interest from users, and that’s what the cybercriminals were aiming for.

Photo by Nathana Rebouças

Chrome Web Store Scam

The insidious extension, cunningly marketed via Google Search ads, lures unsuspecting users to a fake landing page before redirecting them to the official Chrome add-on store. But don’t be fooled by its seemingly innocent façade. Once downloaded, the malicious add-on springs into action, targeting Facebook users with ruthless precision.

Using the extension’s OnInstalled handler function, the malicious code quietly snatches Facebook session cookies from under the user’s nose. With the stolen cookies in hand, the malware slithers its way into the victim’s Facebook account, giving the cybercriminals full access to their profile.

To add insult to injury, the malware utilizes the powerful Chrome Extension API to track down and encrypt Facebook-related cookies, which are then whisked away to the attacker’s server via a GET request. Once safely in the hands of the bad actors, the stolen cookies can be decrypted at will, allowing them to execute their dastardly plan. From spreading propaganda to disseminating dangerous content, the attackers now have full control of their victims’ Facebook sessions.
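The two paragraphs above describe the indicator combination a defender can look for when triaging an unpacked extension: the cookies permission plus facebook.com host access in the manifest, an install-time handler, a cookie enumeration call and outbound network code. The following Python script is an added example, not Kaduu’s tooling or the extension’s own code; its signal weights, thresholds and sample manifests are constructed for illustration.

```python
import json
import re

# Signal weights are this example's own heuristic: a genuine ChatGPT helper has no
# reason to request the cookies permission or facebook.com host access.
SIGNALS = {
    "cookies_permission": 3,
    "facebook_host_permission": 3,
    "cookies_getall_call": 3,
    "oninstalled_listener": 1,
    "outbound_request": 1,
}

def manifest_signals(manifest: dict) -> set:
    found = set()
    perms = manifest.get("permissions", [])
    if "cookies" in perms:
        found.add("cookies_permission")
    # Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
    hosts = list(manifest.get("host_permissions", [])) + [p for p in perms if "://" in p]
    if any("facebook.com" in h for h in hosts):
        found.add("facebook_host_permission")
    return found

def script_signals(source: str) -> set:
    # API usage matching the described behaviour: run at install, enumerate cookies, call home.
    found = set()
    if re.search(r"chrome\.runtime\.onInstalled\.addListener\s*\(", source):
        found.add("oninstalled_listener")
    if re.search(r"chrome\.cookies\.getAll\s*\(", source):
        found.add("cookies_getall_call")
    if re.search(r"\bfetch\s*\(|\bXMLHttpRequest\b", source):
        found.add("outbound_request")
    return found

def triage(manifest_json: str, scripts: list) -> dict:
    # Combine manifest and script signals into a score and a verdict.
    found = manifest_signals(json.loads(manifest_json))
    for src in scripts:
        found |= script_signals(src)
    score = sum(SIGNALS[s] for s in found)
    verdict = "suspicious" if score >= 7 else "review" if score >= 3 else "clean"
    return {"signals": sorted(found), "score": score, "verdict": verdict}

# Constructed samples, not files from the real extension.
FAKE_MANIFEST = json.dumps({"manifest_version": 3, "name": "ChatGPT helper (sample)",
    "permissions": ["cookies", "storage"], "host_permissions": ["*://*.facebook.com/*"]})
FAKE_BG = "chrome.runtime.onInstalled.addListener(start);\nchrome.cookies.getAll({domain: 'facebook.com'}, handle);\nfetch(url);"
BENIGN_MANIFEST = json.dumps({"manifest_version": 3, "name": "Prompt saver (sample)",
    "permissions": ["storage"], "host_permissions": ["https://chat.openai.com/*"]})
BENIGN_BG = "chrome.runtime.onInstalled.addListener(setDefaults);\nfetch('https://example.invalid/ping');"
```

Running `triage(FAKE_MANIFEST, [FAKE_BG])` yields a score of 11 and the verdict "suspicious", while the benign sample scores 2 and is marked "clean"; the benign one still uses onInstalled and fetch, which shows why those two signals alone carry little weight.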

The add-on not only steals Facebook session cookies but also goes a step further by altering the login credentials of the compromised accounts, rendering the victims helpless in regaining control of their Facebook profiles. In addition, the attackers use a fictitious identity, “Lilly Collins”. Did they choose the famous actress’s name after watching “Emily in Paris”? We’ll never know 🙂 This fake account is used to change the profile name and picture, effectively taking over the victim’s persona.

The Threat Continues

At the time of writing this article, the extension had been flagged many times as a threat and covered by the media, which helped get it taken down from the Chrome Web Store entirely. However, even though this extension is no longer a threat, there may be other malicious utilities in the Chrome Web Store.

Even though Google has pledged to stamp out phishing and other malicious activities on its platform, threat actors keep finding ways of exploiting add-ons against users. At Kaduu we advise you to stay vigilant and not install any Chrome add-ons unless you’re sure of their security and source.

If you liked this article, we advise you to read our previous article about a dark market anniversary celebration that led to the exposure of 2.1M credit cards’ data. Follow us on Twitter and LinkedIn for more content.

Stay up to date with exposed information online. Kaduu, with its cyber threat intelligence service, offers affordable insight into the darknet, social media and the deep web.