People wearing stuff toy heads

Bogus Chat GPT extension takes over Facebook accounts

If you’re particularly intrigued by the current wave of interest in AI, take care. There’s some bad things lurking in search engine results waiting to compromise your Facebook account.

A rogue Chrome extension deployed in a campaign targeting Facebook users is “hitting thousands a day” according to researchers who made this discovery. The scam is based around Chat GPT-4. This is the latest iteration of what is essentially a supposedly very smart AI chatbot. As per the link, in addition to holding conversations with a user, it can also in theory “create” forms of content like works of fiction.

Whether we’re talking AI generating works of visual art, music, or even just fielding customer support questions, it’s increasingly becoming a topic you can’t avoid. Scammers are more than well positioned to take advantage of this trend, and this is a very strong hook given how many people want to see what all of the fuss is about.

The flow of attack from initial search to infection and compromise is as follows:

  • You search for Chat GPT-4 in Google, and the search returns a sponsored ad result.
  • The destination site claims to offer a form of Chat GPT inside of your search results.
  • This site eventually directs you to a Chrome extension download from the official extension store.

At this point, you may expect some malicious behaviour to happen while the actual extension itself is nothing like what it claims to be. After all, most scams offer up fake games, software, apps, and these programs typically do nothing because they’re an empty shell. In this case, the tool actually does integrate Chat GPT into search results. This is because the people behind it made use of a legitimate open-source product and created their own version of it instead.

If that was all the extension did, that would likely be the end of it.

However, the real aim of the game here is to compromise Facebook accounts. When the extension fires up, it tries to engage in a spot of cookie theft. If a malware author is able to steal your authentication cookie from your browser during a session, they can try and log in to the website they stole the cookie for.

Here, the extension filters for Facebook cookies specifically before sending the stolen cookie(s) on to the extension author’s server. Before sending the stolen cookies, they are encrypted as a way to try and discreetly get them off the target system. The act of encryption tries to ensure certain types of security tools fail to notice that something is amiss.

Once the extension authors have control of the Facebook account, they change the login details, profile image and name before posting whatever they need to in order to make their campaign a success. Examples given by the researchers include ISIS propaganda photographs and more generic allusions to spam and bogus services.

At time of writing, both the adverts and the extension itself have been taken down by Google, although that’s not to stop the people behind the campaign from simply trying again down the line.

Tips for avoiding rogue extensions

  • Download extensions from  the official store. Yes, this one was found on the official store. On the other hand, if you’re downloading anyway you may as well stick to genuine sources given they come with additional information you can use to make an informed decision.
  • Read the reviews. People tend to find out pretty quickly if something is amiss.
  • Check developer authenticity. Some developers have a tick next to their name, along with a userbase tally and mention of their “good record” for uploading non-malicious content.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.



Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.