A risk actor could have compromised hundreds of Fb accounts — together with enterprise accounts — through a complicated pretend Chrome ChatGPT browser extension which, till earlier this week, was accessible on Google’s official Chrome Retailer.
In line with an evaluation this week from Guardio, the malicious “Fast entry to Chat GPT” extension promised customers a fast solution to work together with the vastly widespread AI chatbot. In actuality, it additionally surreptitiously harvested a variety of data from the browser, stole cookies of all approved lively classes, and put in a backdoor that gave the malware creator super-admin permissions to the consumer’s Fb account.
The Fast entry to ChatGPT browser extension is only one instance of the various methods during which risk actors have been making an attempt to leverage the large public curiosity in ChatGPT to distribute malware and infiltrate programs. One instance is an adversary who arrange a pretend ChatGPT touchdown web page, the place customers tricked into “signing up” solely ended up downloading a Trojan referred to as Fobo. Others have reported a sharp enhance in ChatGPT themed phishing emails in latest months, and the rising use of pretend ChatGPT apps to unfold Home windows and Android malware.
Focusing on Fb Enterprise Accounts for a “Bot Military”
Guardio’s evaluation confirmed that the malicious browser extension really delivered on the short entry it promised to ChatGPT, just by connecting to the chatbot’s API. However, as well as, the extension additionally harvested an entire listing of all cookies saved within the consumer’s browser, together with safety and session tokens to Google, Twitter, and YouTube, and to another lively providers.
In circumstances the place the consumer might need had an lively, authenticated session on Fb, the extension accessed Meta’s Graph API for builders. The API entry gave the extension the flexibility to reap all knowledge related to the consumer’s Fb account, and extra troublingly, take a wide range of actions on the consumer’s behalf.
Extra ominously, a part within the extension code allowed hijacking of the consumer’s Fb account by basically registering a rogue app on the consumer’s account and getting Fb to approve it.
“An software underneath Fb’s ecosystem is normally a SaaS service that was accepted to be utilizing its particular API,” Guardio defined. Thus, by registering an app within the consumer’s account the risk actor gained full admin mode on the sufferer’s Fb account with out having to reap passwords or making an attempt to bypass Fb’s two-factor authentication, the safety vendor wrote.
If the extension encountered a Enterprise Fb account, it rapidly harvested all data pertaining to that account, together with presently lively promotions, credit score steadiness, foreign money, minimal billing threshold, and whether or not the account might need a credit score facility related to it. “Later, the extension examines all of the harvested knowledge, preps it, and sends it again to the C2 server utilizing the next API calls — every in line with relevancy and knowledge sort.”
A Financially Motivated Cybercriminal
Guardio assessed that the risk actor will most likely promote the knowledge it harvested from the marketing campaign to the very best bidder. The corporate additionally foresees the potential for the attacker to create a bot military of hijacked Fb Enterprise accounts, which it may use to submit malicious adverts utilizing cash from the victims’ accounts.
Guardio described the malware as having mechanisms for bypassing Fb’s safety measures when dealing with entry requests to its APIs. As an illustration, earlier than Fb grants entry through its Meta Graph API, it first confirms that the request is from an authenticated consumer and likewise from trusted origin, Guardio stated. To avoid the precaution, the risk actor included code within the malicious browser extension that ensured that every one requests to the Fb web site from a sufferer’s browser had their headers modified in order that they appeared to originate from there as properly.
“This provides the extension the flexibility to freely browse any Fb web page (together with making API calls and actions) utilizing your contaminated browser and with none hint,” Guardio researchers wrote within the report on the risk.
