Meta restricts malware campaign using ChatGPT as a trick to steal accounts

Meta has reported taking down over 1,000 malicious URLs that leverage OpenAI's ChatGPT to propagate about 10 malware families since March 2023. This follows an increase in the use of fake ChatGPT browser extensions to steal users' Facebook account credentials to run unauthorised ads from hijacked business accounts.

The social media giant has blocked several iterations of a malware campaign called Ducktail over the years and has issued a cease and desist letter to individuals behind the operation located in Vietnam. Additionally, cybersecurity firm Trend Micro has identified an information stealer that disguises itself as a Windows desktop client for ChatGPT to extract passwords, session cookies, and history from Chromium-powered browsers. The company claims the malware shares similarities with Ducktail.

Threat actors have also been observed shifting to other popular topics such as Google Bard, TikTok marketing tools, pirated software and movies, and Windows utilities to dupe people into clicking on bogus links. Guy Rosen, Chief Information Security Officer at Meta, said that these changes are an attempt to limit any one service's visibility into the entire operation.

The attack chains primarily target personal accounts of users who manage or are connected to business pages and advertising accounts on Facebook. The malware is propagated through social media and hosted on legitimate services such as Buy Me a Coffee, Discord, Dropbox, Google Drive, iCloud, MediaFire, Mega, Microsoft OneDrive, and Trello.

Meta has also disclosed another novel strain of malware called NodeStealer, which is capable of plundering cookies and passwords from web browsers to ultimately compromise Facebook, Gmail, and Outlook accounts. The malware is assessed to be of Vietnamese origin, and Meta reports that it "took action to disrupt it and help people who may have been targeted to recover their accounts" within two weeks of its deployment in late January 2023.

Samples analyzed by the company show that NodeStealer binary is distributed via Windows executables disguised as PDF and XLSX files with filenames relating to marketing and monthly budgets. The files, when opened, deliver JavaScript code that's designed to exfiltrate sensitive data from Chromium-based browsers.

After retrieving the Facebook credentials from the target's browser data, the malware uses them to make several unauthorised requests to Facebook URLs to enumerate account information related to advertising. The stolen information enables the threat actor to assess and use users' advertising accounts to run unauthorised ads.

To counter such threats, Meta is launching a new support tool that guides users to identify and remove malware, enables businesses to verify connected Business Manager accounts, and requires additional authentication when accessing a credit line or changing business administrators.