Our security research team at Guardio is constantly monitoring the activity surrounding ChatGPT brand abuse, with endless campaigns propagating malware and phishing for your credit cards. On 3/3/2023, our team detected a new variant of a malicious fake ChatGPT browser extension, part of a campaign that started in early February with several other ChatGPT-branded malicious extensions. This variant is upgraded with a threatening technique to take over your Facebook accounts as well as a sophisticated worm-like approach to propagation.
The malicious stealer extension, titled “Quick access to Chat GPT”, is promoted in Facebook-sponsored posts as a quick way to get started with ChatGPT directly from your browser. Although the extension does give you that (by simply connecting to the official ChatGPT API), it also harvests all the information it can take from your browser, steals the cookies of active, authenticated sessions to any service you use, and employs tailored tactics to take over your Facebook account.
From malvertising, extension installation, hijacking Facebook accounts, and back again to propagation
Once the threat actor takes ownership of your stolen data, it will probably sell it to the highest bidder as usual, yet while digging deeper into this operation we noticed the extra care they take with high-profile Facebook business accounts. With this approach, the campaign can keep propagating with its very own army of hijacked Facebook bot accounts, publishing more sponsored posts and other social activity on behalf of its victims' profiles and spending the business accounts' ad credits!
The high-level campaign description above hides some sophisticated techniques for harvesting victims' details and taking over Facebook accounts. These abuse online services and powerful APIs from both Google and Facebook — giving the threat actors some very effective tools for success.
Once the extension is installed, it gives you what’s advertised — a small popup window showing up after you click on the extension icon, with a prompt to ask ChatGPT whatever you want.
Yet, this is exactly where it starts to get fishy. The extension is now an integral part of your browser. Thus, it can send any request to any other service — as if the browser's owner were initiating it from the same context. This is crucial — the browser, in most cases, already has an active and authenticated session with almost all your day-to-day services, e.g. Facebook.
More specifically, this allows the extension to access Meta’s Graph API for developers — allowing the threat actor to quickly access all your details and also take actions on your behalf directly in your Facebook account using simple API calls.
There are of course limitations and security measures taken by Facebook — e.g., making sure that requests originate from an authenticated user as well as from the relevant origin. The extension already has an authenticated session with Facebook, but what about the origin of the requests it sends? Well, thanks to Chrome’s declarativeNetRequest API, the extension has a simple way to circumvent Facebook’s protection.
The following piece of code is called by the malicious extension right at initialization, making sure that all requests made to facebook.com from any source in your browser (including the extension itself) have their headers modified so that the origin reads “facebook.com” as well. This gives the extension the ability to freely browse any Facebook page (including making API calls and taking actions) using your infected browser and without leaving any trace.
Note that the variable d holds the relevant domain (in our case facebook.com), as sent back to the extension from the C2 server at api2[.]openai-service[.]workers[.]dev.
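One way a reviewer can catch this header rewriting before an extension ever runs is to audit its declarativeNetRequest rule set statically. The following is an added example (not Guardio's code and not code from the extension); it scans an array of rules in the shape Chrome's declarativeNetRequest API expects and flags any `modifyHeaders` rule that sets Origin or Referer on requests to a third-party site. The two sample rules are constructed for this example and are not taken from the extension's source.

```javascript
// Added example: static auditor for Chrome declarativeNetRequest rule sets.
// It flags rules that rewrite the request headers Facebook (or any site)
// relies on for origin checks. Sample rules below are constructed.

const SPOOFABLE_HEADERS = new Set(['origin', 'referer']);

// Extract a bare host name from a urlFilter such as "||facebook.com/" or
// "*://*.example.org/*". Returns null when the filter names no host.
function hostFromUrlFilter(urlFilter) {
  if (typeof urlFilter !== 'string') return null;
  const m = urlFilter.match(
    /(?:\|\||\*:\/\/|https?:\/\/)?(?:\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)/i);
  return m ? m[1].toLowerCase() : null;
}

// True when the header value a rule injects refers to the site the rule
// matches, i.e. the rule makes cross-site requests look first-party.
function valueMatchesHost(value, host) {
  if (!value || !host) return false;
  return String(value).toLowerCase().includes(host);
}

// Audit one rule set. Returns one finding per spoofed header.
function auditDnrRules(rules) {
  const findings = [];
  for (const rule of rules) {
    const action = rule.action || {};
    if (action.type !== 'modifyHeaders') continue;
    const host = hostFromUrlFilter((rule.condition || {}).urlFilter);
    for (const h of action.requestHeaders || []) {
      const name = String(h.header || '').toLowerCase();
      if (!SPOOFABLE_HEADERS.has(name) || h.operation !== 'set') continue;
      findings.push({
        ruleId: rule.id,
        header: name,
        targetHost: host,
        value: h.value,
        // Highest concern: the injected value impersonates the target site.
        impersonatesTarget: valueMatchesHost(h.value, host),
      });
    }
  }
  return findings;
}

// Constructed sample: rule 1 is benign (drops a header on navigations);
// rule 2 has the shape of the behaviour described in the post.
const SAMPLE_RULES = [
  {
    id: 1, priority: 1,
    action: { type: 'modifyHeaders',
              requestHeaders: [{ header: 'x-client-data', operation: 'remove' }] },
    condition: { urlFilter: '*', resourceTypes: ['main_frame'] },
  },
  {
    id: 2, priority: 1,
    action: { type: 'modifyHeaders',
              requestHeaders: [
                { header: 'origin', operation: 'set', value: 'https://www.facebook.com' },
                { header: 'referer', operation: 'set', value: 'https://www.facebook.com/' },
              ] },
    condition: { urlFilter: '||facebook.com/', resourceTypes: ['xmlhttprequest'] },
  },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditDnrRules(SAMPLE_RULES)) {
    console.log(`rule ${f.ruleId}: sets ${f.header}=${f.value} for ${f.targetHost}` +
                (f.impersonatesTarget ? ' (impersonates target site)' : ''));
  }
}
```

Running the auditor over an extension's static `rules.json` (or over the array passed to `chrome.declarativeNetRequest.updateDynamicRules`) surfaces exactly the rule class this post describes; a legitimate extension rarely needs to set Origin or Referer to the value of the site it is talking to.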
Now, once the victim opens the extension window and writes a question to ChatGPT, the query is sent to OpenAI’s servers to keep you busy — while in the background it immediately triggers the harvest.
Following are some examples of deobfuscated code from the malicious extension’s source. It was written in TypeScript and packed/minified, yet using the .map files shipped with it we managed to reassemble the code into a readable form — revealing function and variable names informative enough to make the real intentions of this code obvious at first sight:
The above are the main functions that execute different queries using Facebook’s Graph API as well as other Chrome APIs, such as reading all your cookies. A noteworthy example from the code:
The above Graph API call will give the attackers everything they need about your Business Facebook account (if available) including your currently active promotions and credit balance. Later, the extension examines all the harvested data, preps it, and sends it back to the C2 server using the following API calls — each according to relevancy and data type:
Each call includes a detailed JSON formatted payload with ALL that they need, including session cookies, money balance, and whatnot. Just a quick example of the basic data being exfiltrated:
Example of out-going data from the extension to C2 on API call “add-data-account”
Example of out-going data from the extension to C2 on API call “add-ads-manager”
In the first example, the full list of cookies was trimmed for display, but in reality it contains ALL cookies stored in your browser — including security and session tokens for services like YouTube, Google accounts, Twitter, etc.
In the second example — once the extension finds out you have a business page, it collects your Facebook account details and your entire current ads configuration, as well as the financial data seen above.
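From the defender's side, the exfiltration above leaves a visible footprint: repeated POSTs from a workstation to the C2 host named earlier, on endpoint paths that match the call names in the captions. The following is an added example (not Guardio's code) of a small detector over egress-proxy log lines. The C2 host and the two endpoint names come from this post; the log line format, the sample lines and the "large upload" byte threshold are assumptions constructed for the example.

```javascript
// Added example: flag proxy log lines matching the exfiltration described
// in the post. Log format, sample lines and threshold are constructed.

const KNOWN_C2_HOSTS = new Set(['api2.openai-service.workers.dev']); // from the post
const KNOWN_C2_PATHS = new Set(['/add-data-account', '/add-ads-manager']); // from the post
const LARGE_POST_BYTES = 20000; // assumed threshold for a suspiciously large upload

// Parse one constructed log line of the form:
//   <timestamp> <client-ip> <METHOD> <url> <status> bytes_out=<n>
function parseLogLine(line) {
  const m = line.trim().match(
    /^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})\s+bytes_out=(\d+)$/);
  if (!m) return null;
  let url;
  try { url = new URL(m[4]); } catch (e) { return null; }
  return { ts: m[1], client: m[2], method: m[3], host: url.hostname.toLowerCase(),
           path: url.pathname, status: Number(m[5]), bytesOut: Number(m[6]) };
}

// Return the list of reasons a parsed record is suspicious (empty = clean).
function classify(rec) {
  const reasons = [];
  if (KNOWN_C2_HOSTS.has(rec.host)) reasons.push('known-c2-host');
  if (KNOWN_C2_PATHS.has(rec.path)) reasons.push('known-c2-endpoint');
  // Generic heuristic: a large POST to a throwaway workers.dev host from a
  // browser is worth a look even when the exact host is new.
  if (rec.method === 'POST' && rec.host.endsWith('.workers.dev') &&
      rec.bytesOut >= LARGE_POST_BYTES) {
    reasons.push('large-post-to-workers-dev');
  }
  return reasons;
}

// Run detection over many lines; unparseable lines are skipped.
function detectExfil(lines) {
  const findings = [];
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (!rec) continue;
    const reasons = classify(rec);
    if (reasons.length) findings.push({ ...rec, reasons });
  }
  return findings;
}

// Constructed sample log: the first line is the legitimate ChatGPT query
// that keeps the victim busy; lines 2 and 3 mirror the two C2 calls.
const SAMPLE_LOG = [
  '2023-03-03T09:12:01Z 10.0.0.7 POST https://api.openai.com/v1/chat/completions 200 bytes_out=812',
  '2023-03-03T09:12:02Z 10.0.0.7 POST https://api2.openai-service.workers.dev/add-data-account 200 bytes_out=48211',
  '2023-03-03T09:12:05Z 10.0.0.7 POST https://api2.openai-service.workers.dev/add-ads-manager 200 bytes_out=9120',
  '2023-03-03T09:13:00Z 10.0.0.9 GET https://www.facebook.com/ 200 bytes_out=0',
  '2023-03-03T09:14:00Z 10.0.0.9 POST https://some-other-app.workers.dev/upload 200 bytes_out=65000',
  'garbage line that does not parse',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of detectExfil(SAMPLE_LOG)) {
    console.log(`${f.ts} ${f.client} -> ${f.host}${f.path}: ${f.reasons.join(', ')}`);
  }
}
```

The indicator match is exact and will go stale as the actor rotates hosts; the size heuristic is the part worth keeping, since a ChatGPT prompt is a few hundred bytes while a full cookie jar plus ads-manager dump is tens of kilobytes.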
Now the threat actors have enough data to make a profit from — and yet, if they find your account interesting enough for themselves (e.g. you have a business page with tons of likes and an advertising plan with credits waiting to be spent), it’s time to take over and get control!
A specifically developed module in the extension code (Portal.ts) includes a class named Potal (yep, with a typo..) that is responsible for this magic. Instead of trying to harvest account passwords, or trying to bypass 2FA with session tokens (which is not that easy due to Facebook’s security measures), this threat actor chooses another way — a malicious Facebook Application.
An application in Facebook’s ecosystem is usually a SaaS service that was approved to use its API, allowing the third-party service to read account information as well as take actions on your behalf. We all remember those apps spamming our feeds with promotional posts, but this threat actor takes it to another level.
The Potal module is, once again, abusing the ChatGPT popup context to send requests to Facebook servers on your behalf — this time automating the entire process of registering an app on your account and approving it to get, basically, A FULL ADMIN MODE.
This threat actor uses 2 main apps, as seen in the code:
The first malicious Facebook app (portal) is no longer available, yet the second one is still alive and kicking. To really understand what it does, we manipulated Facebook’s settings page, replacing the app_id of a real app installed on our account with the one used by this threat actor:
This way we’ve revealed its name, icon, and most important — the long (really long) list of permissions granted:
This app, which for some reason is actually approved by Facebook and functional, seems to request all permissions available! From full control of your Facebook profile and activity to admin powers on all your groups, pages, businesses, and of course advertisement accounts. They can even manage your connected WhatsApp and Instagram accounts!
Moreover, it uses the same name and icon as an official app from Facebook:
The listing of the official Messenger Kids app by Facebook
The process of automating the addition of the app to the victim’s account can be seen in this main function of the Potal module. All the functions here use, yet again, the Facebook Graph API, without a single interaction needed from the victim — from the request to add the application, through authentication, to the final confirmation:
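The two signals that give this app away are the ones a defender can check on any account: an authorised app whose display name matches a first-party Facebook app but whose app_id is not the genuine one, and an app holding a broad set of business-level permissions. The following is an added example (not Guardio's code) of such an audit. The app record shape is an assumption loosely modelled on the Graph API `/me/permissions` response; the high-impact permission names are real Graph API permission names that this post itself does not enumerate; “Messenger Kids” is the official app name the post says is imitated; all app ids are placeholders, since the post does not publish the malicious app_id.

```javascript
// Added example: audit the third-party apps authorised on a Facebook account.
// Record shape, placeholders and sample data are constructed for this example.

// Graph API permission names that grant control over ads, pages, businesses
// and linked Instagram/WhatsApp assets (the post does not list them itself).
const HIGH_IMPACT_PERMISSIONS = new Set([
  'ads_management', 'business_management', 'pages_manage_ads',
  'pages_manage_posts', 'pages_manage_metadata', 'instagram_basic',
  'instagram_content_publish', 'whatsapp_business_management',
]);

// Display names of first-party apps mapped to the app ids believed genuine.
// Placeholders here: fill from your own inventory.
const OFFICIAL_APP_IDS = new Map([
  ['messenger kids', new Set(['OFFICIAL_MESSENGER_KIDS_APP_ID_PLACEHOLDER'])],
]);

function normaliseName(name) {
  return String(name || '').trim().toLowerCase().replace(/\s+/g, ' ');
}

// Audit one record: { app_id, name, permissions: [{ permission, status }] }.
function auditApp(app) {
  const granted = (app.permissions || [])
    .filter(p => p.status === 'granted')
    .map(p => p.permission);
  const highImpact = granted.filter(p => HIGH_IMPACT_PERMISSIONS.has(p));
  const official = OFFICIAL_APP_IDS.get(normaliseName(app.name));
  const impersonation = Boolean(official) && !official.has(String(app.app_id));
  const reasons = [];
  if (impersonation) reasons.push('name-matches-official-app-but-id-differs');
  if (highImpact.length >= 3) reasons.push('broad-high-impact-permissions');
  return { app_id: app.app_id, name: app.name, highImpact, reasons };
}

// Return only the apps that raised at least one reason.
function auditApps(apps) {
  return apps.map(auditApp).filter(r => r.reasons.length > 0);
}

// Constructed sample: the genuine app, a look-alike with sweeping
// permissions, and an ordinary scheduler app with one page permission.
const SAMPLE_APPS = [
  { app_id: 'OFFICIAL_MESSENGER_KIDS_APP_ID_PLACEHOLDER', name: 'Messenger Kids',
    permissions: [{ permission: 'public_profile', status: 'granted' }] },
  { app_id: 'ATTACKER_APP_ID_PLACEHOLDER', name: 'Messenger Kids',
    permissions: [
      { permission: 'public_profile', status: 'granted' },
      { permission: 'ads_management', status: 'granted' },
      { permission: 'business_management', status: 'granted' },
      { permission: 'pages_manage_ads', status: 'granted' },
      { permission: 'pages_manage_posts', status: 'granted' },
      { permission: 'instagram_basic', status: 'granted' },
      { permission: 'whatsapp_business_management', status: 'granted' },
    ] },
  { app_id: 'SCHEDULER_APP_ID_PLACEHOLDER', name: 'Post Scheduler',
    permissions: [
      { permission: 'pages_manage_posts', status: 'granted' },
      { permission: 'pages_manage_ads', status: 'declined' },
    ] },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditApps(SAMPLE_APPS)) {
    console.log(`${r.name} (${r.app_id}): ${r.reasons.join(', ')}; ` +
                `high-impact permissions: ${r.highImpact.join(', ')}`);
  }
}
```

The name check only works with an id allowlist, because the name and icon are exactly what the attacker copies; the permission check stands on its own and would also catch a future app under a different name.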
This time, the exfiltrated data is encrypted before being sent back home — we assume this is because the threat actor reserves this method for truly valuable targets, and because these accounts are the ones used to self-propagate this and other malicious activity through Facebook-promoted posts.
Not only is this malicious extension freely available on the official Chrome Web Store (and still live as these lines are being written), it is also abusing Facebook’s official applications API in a way that should already have drawn the attention of policy enforcers. Not to mention the false and malevolent promoted posts being so easily approved by Facebook.
More than 2000 users have been installing this extension on a daily basis since its first appearance on 03/03/2023 — each of whom gets their Facebook account stolen, and this is probably not the only damage.
Lately we see a troubling erosion of the trust we used to give blindly to the big names responsible for the majority of our online presence and activity — Google still allows malvertising in its promoted search results, YouTube can’t get rid of hijacked channels promoting crypto scams, and Facebook allows permission-hungry fake applications that mimic Facebook’s own apps!
These activities are probably here to stay. Thus we must be more vigilant even in our day-to-day casual browsing — don’t click on the first search result, and never click on sponsored links and posts unless you are quite sure who is behind them!