New 'FakeGPT' Chrome Extension Hijacks Facebook Accounts

Diving into details

• It can steal Facebook session cookies and compromise accounts at go. 
• The cookies are, subsequently, sent to the attackers’ server via a GET request. The cookie list is AES-encrypted and attached to the X-Cached-Key HTTP header value. This ensures that the cookies could be pilfered without any deep packet inspection mechanisms raising alarms. 
• At the time of removal from the Google Play Store, the FakeGPT extension was downloaded by more than 9,000 users. 

Slightly different from the original

• This variant of FakeGPT is based on genuine code and performs only one malicious action. It filters Facebook-related cookies, encrypts them with AES, and sends them back to the attacker's server. 
• The use of the workers.dev service is notable, as it was also used in the previous version, which allowed attackers to hijack Facebook accounts using a ChatGPT Chrome extension.

Why this matters

• Threat actors can use the compromised profiles as a bot for promoting services or create pages and ad accounts, exploiting their identity.
• With the Facebook session overtaken, the profile will be controlled by the attacker, with no way for the victims to regain control. 
• The attacker can change the profile name and picture, harvest private data, and use the profile for further malicious actions. 
• Many users have fallen for this recently, leading to more malicious activity and propaganda within the Facebook ecosystem.

The bottom line