Beware Of Fake ChatGPT Chrome Extensions Trying To Hack Your Facebook Account

ChatGPT is undeniably fun to mess with. It's fascinating to have a conversation with a machine, especially when that machine is practically omniscient and can offer up interesting tidbits of information about whatever topic. That function is so useful, some folks added it to a Chrome extension that adds extra details to your Google, Bing, and DuckDuckGo search results, and it's rather popular, with over 2 million downloads.

If that sounds cool to you, make absolutely certain that you get the real "ChatGPT for Google" extension. Security firm Guardio reports that there have been multiple copies of the extension on the Chrome Web Store, and the copycat extensions come with something you really don't want: malware.

The modified extensions just ripped off the real thing for their stated function, but their real purpose was to hijack your Facebook account. Literally: the ChatGPT For Google extension—the real one—is open-source, so it was trivial to fork the project and throw in code for Facebook stealer malware. Guardio says the creation of these fake extensions probably takes 2 minutes or less.

Diagram from Guardio showing the path of exploitation.

The particularly pernicious part of this project is that it was not only available on the Chrome Web Store, implying a certain level of trustworthiness, but was also advertised using Google sponsored search results. Maybe you read our story about GPT-4 and wanted to try out the new and improved ChatGPT, so you search for "Chat GPT 4". You'll get offered a Chrome extension to slap GPT-4 right into your browser window. Convenient!

Less convenient is that your Facebook account information will be copied from your browser directly to the bad guys' servers, and that'll lead to your account being compromised almost immediately. It's all done programmatically, you know; nobody has to type your password into Facebook. Using API access and clever scripting, your Facebook account gets added to a bot army within minutes or even seconds.

Cleverly, the compromised Chrome extensions don't do anything malicious or even unusual after their payload is delivered. Besides the single malicious action on install (stealing your Facebook account), it seems like the extension works exactly like the real version, although we suspect it doesn't update when the real one does. You've got very little reason to suspect anything untoward from the cool new Chrome extension you just got.

Image of a compromised Facebook account being used to spread ISIS propaganda. Image: Guardio

Compromised accounts are stripped of their personal data and have all of their account information reset, including the e-mail address, which means you can't recover the account. After that, they're added to a virtual army of the same, used for like farming (to game the algorithm) or sold to a third party for exploitation in service of propaganda. Guardio notes that most of the accounts seem to get renamed to some variant of "Lily Collins" before being weirdly used to push ISIS propaganda.

As Guardio points out, you can protect yourself from this kind of thing by staying awake and alert at the PC. No joke—you need to be aware of exactly what you're installing and what applications you're running. If it comes from an advertisement, it's probably malicious, so don't install it.
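One way to check what is already installed, as an added example (not from Guardio or this article): the script walks a Chrome profile's `Extensions/<id>/<version>/manifest.json` folders and lists every extension whose name contains "chatgpt" but whose ID is not on your allow-list. The keyword, the allow-list and the sample IDs are assumptions; the article lists no extension IDs, so copy the genuine one from the official store listing.

```python
import json
import re
from pathlib import Path

def display_name(version_dir, manifest):
    """Resolve a manifest name, following __MSG_key__ into _locales if needed."""
    name = manifest.get("name", "")
    match = re.fullmatch(r"__MSG_(\w+)__", name)
    if not match:
        return name
    locale = manifest.get("default_locale", "en")
    try:
        text = (version_dir / "_locales" / locale / "messages.json").read_text(encoding="utf-8")
        messages = {k.lower(): v for k, v in json.loads(text).items()}  # keys are case-insensitive
        return messages[match.group(1).lower()]["message"]
    except (OSError, ValueError, KeyError, TypeError, AttributeError):
        return name  # unresolved placeholder; report it as-is

def audit(extensions_root, allowed_ids, keyword="chatgpt"):
    """Return (id, name, version) for extensions named like `keyword` but not allow-listed."""
    findings = []
    for path in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip rather than crash the audit
        name = display_name(path.parent, manifest)
        squashed = re.sub(r"[^a-z0-9]", "", name.lower())  # "Chat GPT" -> "chatgpt"
        ext_id = path.parent.parent.name
        if keyword in squashed and ext_id not in allowed_ids:
            findings.append((ext_id, name, manifest.get("version", "?")))
    return findings

def build_sample(root):
    """Constructed sample data: three fake extension folders with made-up IDs."""
    samples = {
        "a" * 32: ({"name": "ChatGPT for Google", "version": "1.0"}, None),
        "b" * 32: ({"name": "__MSG_appName__", "default_locale": "en", "version": "1.0"},
                   {"appName": {"message": "Chat GPT 4 for Google"}}),
        "c" * 32: ({"name": "Some Ad Blocker", "version": "2.3"}, None),
    }
    for ext_id, (manifest, messages) in samples.items():
        vdir = Path(root) / ext_id / manifest["version"] / "_locales" / "en"
        vdir.mkdir(parents=True)
        (vdir.parent.parent / "manifest.json").write_text(json.dumps(manifest))
        if messages:
            (vdir / "messages.json").write_text(json.dumps(messages))
    return root
```

Point `audit()` at the `Extensions` directory of your own Chrome profile; anything it returns is a candidate for manual review, not proof of compromise.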