After we exposed “FakeGPT,” the Facebook Ad Accounts stealer cloaked as Chat-GPT’s Chrome Extension Security team at Guardio discovered an additional variant of a campaign that has previously been distressing thousands of users every day. This time, it’s stimulated by open-source software packed with malicious code, which makes the application accomplish as predictable but unbearable to distinguish.
Dispersal since 14 March 2023 with deceitful indorsed Google search results and then deployed through the Google official Chrome Store, it’s taking Facebook meeting cookies and destructive accounts on an enormous scale. This is in line with the pattern of hijacked Facebook accounts becoming “Lily Collins” replicas and bots to banquet malicious actions across the globe, counting buying likes and simple ISIS propaganda.
In this article, we’ll share our experience with the latest versions of HTML0, how it uses open source, and the well-organized broadcast of the technology using Google tools.
Update 23 March 2023 — A few hours after Guardio’s letter to Google, and the extension was taken off Google’s Chrome store. When it was detached, it was said that over 9000 people had downloaded it.
From Open-Source to Malicious-Source
The newest version from the FakeGPT Chrome extension, titled “Chat GPT For Google,” is armed at your Facebook accounts, this time under the appearance of a ChatGPT incorporation to your browser. This time, the danger actors did not have to spend much time generating the design of this false ChatGPT extension. They merely made a fork and edited an open-source project that does the same thing. From zero to “hero” in possibly less than two minutes.
The real “ChatGPT for Google” extension is constructed on that open-source project that increased a lot of courtesy and millions of customers over the last few months. It is an open-source project envisioned to help share knowledge and deliver aid to the community of developers. Still, they did not think it would be distorted for malicious use in a matter of minutes.
A Stealer pushed with Google’s Sponsored Search
However, this time the malware isn’t lacking through paid Facebook postings but through fraudulently-sponsored Google search results, as we’ve detected in many other cases in current times.
The consequence is that you are searching for “Chat GPT 4”, looking to try this new system, which will end in a click on a waged search result that promises just that. The result will forward you to a page that offers ChatGPT straight on the search results page. The only thing to do is download the extension from Google’s Chrome Store. This will let the user access ChatGPT in search results, but it could also distress your Facebook account within minutes!
Encrypted Cookie-Sneaking over Fake HTTP Headers
The code is grounded on 1.16.6 of the open-source projects; this FakeGPT version only achieves one hateful act following installation, and the rest of the code is precisely the same as the real code, with no reason to suspect.
When we look at the OnInstalled handler function triggered when the extension is connected, we can see that the natural extension is only used to ensure you can enter the options screen (to sign in to OpenAI and log in to your OpenAI accounts). On the other hand, the branched, now malicious malware exploits this precise moment to bargain the session cookies of your account, as you can detect in this sample of code from the malware extension.
What we’re sighted is simple Cookie-Hijacking that is again devoted to Facebook, as detected in the code snippet. The function called et () filters Facebook-related cookies from the recovered list using Chrome Extension API. In the future, ax () will be used to encode all data using AES by using this password “chatgpt4google”:
Once the list is accomplished, the list is spread via the GET Request to server C2, which workers hold.dev service is comparable to the service we’ve seen in the first version of FakeGPT.
AES encodes the list of cookies and then combines them into the HTTP header X-CachedKey. This technique is employed to try to steal cookies without DPI (Deep packet inspection) approaches that alert regarding the packet’s payload (which is why it’s also encrypted).
Note that there’s no X-CachedKey Header within the HTTP protocol! The X-Cache-Key header (without the “d”) is used to reply but not requests. However, this doesn’t matter to offenders who obtain what they need via cooperated web browsers.
Encrypting the value of the Header will disclose this list of all the existing Facebook session cookies presently active in the browser, which look like this (reduced number):
In answer to the above request, the C2 server replies with an undefined 404 error, and that’s it. “All Your Facebook belongs to us!”
From Cookie-Sneaking to Facebook-Hijacking
For actors who pose as intimidations, The possibilities are boundless, counting, making your profile an automatic account to get comments, likes, and other actions for elevation, or even generating advertisements and pages by using your standing and brand while publicizing services that are dependable and likely to be deceitful.
Through these Cookies, Facebook’s account could be effortlessly wiped out, and your account login details changed; from that point on, further, you will lose control of your profile and cannot recover it. Then, it will automatically alter the name of your profile and image — likely to another deceitful “Lilly Collins” (which seems to be their favored) and, most prominently, the data you have provided to them (for superior profits) and deleted to allow for hacking.
We’ve seen many user profiles being exaggerated by this lately, and many later blamed for endorsing additional hateful actions within the Facebook ecosystem and even simple and forthright propagandism of the nastiest sort.
A chiefly cruel way to understand the condition is this business page for selling RVs taken over on 4 March 2023. Still obtainable on the original URL https://www[.]facebook [. ]com/shadymaplefarmmarket and is now used to endorse ISIS Content. Please find out how Lily Collins is mechanically added as the profile photo directly after it was stolen (probably via an automated system employed by impostors). The profile picture is then updated to ISIS-themed photos, which could be due to the sale to an additional person who wants to allocate this type of Content through high-profile fake Facebook accounts:
Last But Not Least
The misappropriation of ChatGPT’s name and its popularity keeps snowballing, not just for collecting Facebook accounts but also for malicious fake extensions for Chrome. The top services provided by Facebook, Google, and other large names are subject to continuous attack and misuse, but ultimately, those who are most harmed comprise us as customers.
The aptitude for identifying security intimidations is vital in evading these attacks and keeping your information harmless; however, nowadays, it’s pretty obvious that even for unplanned internet users, there needs to be some kind of security and defense services that are more suitable and pitched towards their necessities and overwhelming the enormous security holes that are touching users crossways the board.