Malicious ChatGPT Extensions Add to Google Chrome Woes

Published: 23/11/2024   Category: security




The second malicious ChatGPT extension for Chrome has been discovered, giving malicious actors access to users' Facebook accounts through stolen cookies.



Yet another version of the malicious, Facebook account-stealing ChatGPT browser extension for Google Chrome has emerged, representing a new variant in a campaign affecting thousands of users daily.
The extension, discovered by Guardio Labs, was downloaded more than 9,000 times before Google removed it from the Chrome store on March 22.
The extension had also been advertised through sponsored Google search results, aimed at users who were searching for details about OpenAI's latest Chat GPT4 algorithm. Individuals who clicked on sponsored results for the popular generative AI app were directed to a counterfeit "ChatGPT for Google" webpage, then led to the malicious extension's page on Chrome's official store.
Once installed, the malware exploits the Chrome Extension API to pilfer session cookies for Facebook accounts, giving threat actors full access to a victim's Facebook account.
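A defender-side check for the behaviour described above, as an added example that is not from the article or from Guardio Labs: it flags extension manifests that pair the `cookies` permission with host access covering a chosen site. The sample manifests are constructed, the function names are illustrative, and only `https` and wildcard-scheme patterns are treated as covering the site.

```python
import json

# Constructed sample manifests for illustration; not taken from any real extension.
SAMPLE_MANIFESTS = {
    "mv3-facebook": json.loads('{"manifest_version": 3, "permissions": ["cookies", "storage"],'
                               ' "host_permissions": ["https://*.facebook.com/*"]}'),
    "mv2-all-urls": json.loads('{"manifest_version": 2, "permissions": ["cookies", "<all_urls>"]}'),
    "cookies-other-site": json.loads('{"manifest_version": 3, "permissions": ["cookies"],'
                                     ' "host_permissions": ["https://example.com/*"]}'),
    "no-cookies": json.loads('{"manifest_version": 3, "permissions": ["storage"],'
                             ' "host_permissions": ["https://*.facebook.com/*"]}'),
}

def pattern_covers_host(pattern, host):
    """True if a Chrome match pattern grants access to https://<host>/."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "https"):
        return False  # API permission names such as "storage" also end up here
    pat_host = rest.split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):
        base = pat_host[2:]
        return host == base or host.endswith("." + base)
    return host == pat_host

def cookie_access_findings(manifest, host="www.facebook.com"):
    """Granted patterns that would let chrome.cookies read cookies for <host>."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    if "cookies" not in perms:
        return []
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    candidates = perms + list(manifest.get("host_permissions", []))
    return [p for p in candidates if pattern_covers_host(p, host)]

def audit(manifests, host="www.facebook.com"):
    """Map extension name -> matching patterns, for flagged extensions only."""
    return {name: hits for name, m in manifests.items()
            if (hits := cookie_access_findings(m, host))}

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_MANIFESTS).items():
        print(f"{name}: cookies permission + host access via {hits}")
```

A flag here means the extension is able to read that site's cookies, not that it is malicious; it is a prompt to ask whether the extension's stated purpose needs that access.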
"Based on version 1.16.6 of the open source project, this FakeGPT variant does only one specific malicious action, right after installation, and the rest is basically the same as the genuine code — leaving no reasons to suspect it," Nati Tal, head of Guardio Labs, wrote in a blog post.
The latest version of the malicious extension follows one discovered earlier this month by the researchers at Guardio, which could hijack Facebook Business accounts.
From March 3 to March 9, a minimum of 2,000 individuals per day acquired that malicious "Quick access to ChatGPT" Chrome extension from the Google Play app store.
If the extension was able to access a Facebook Business account, it immediately collected all relevant data related to that account, such as ongoing promotions, available credit, currency, minimum billing threshold, and any linked credit facility.
Malicious Chrome extensions have been a global concern for users of the popular browser. In August 2022, a group of McAfee Labs analysts published a list of five browser extensions that engage in cookie stuffing, one of them using the video streaming service Netflix as a hook.
These extensions monitor the browsing activity of the user and insert illegitimate IDs into e-commerce websites, resulting in fabricated affiliate payments.
In that case, the applications were downloaded 1.4 million times, according to their findings.
In November 2022, researchers at Zimperium zLabs uncovered a Swiss Army knife-like malicious browser extension called Cloud9, aimed at Chrome and Microsoft Edge users. It enables attackers to seize control of a user's browser session remotely and execute a broad range of attacks.
The Zimperium report noted that because the Cloud9 malware does not target any specific group, it is as much an enterprise threat as it is a consumer threat.
More recently, the German Federal Office for the Protection of the Constitution (BfV) and the South Korean intelligence service (NIS) issued a warning of a cyber-espionage group that is said to target government agencies and research organizations worldwide.
The Kimsuky group of cybercriminals, aka Velvet Chollima or Thallium, is thought to be based in North Korea and uses malicious Chrome browser extensions as well as app store services to target individuals conducting research on the inter-Korean conflict.
The hackers use so-called spear-phishing attacks. In these, targets are lured by emails to fake versions of well-known websites disguised as legitimate or tricked into installing a manipulated browser extension.
In the process, login data and other personal information could be intercepted by the attackers. Another method used by the hackers is to install malware unnoticed on Android smartphones via the Google Play app store.
