Meta Takes Down Malware Campaign That Used ChatGPT as a Lure to Steal Accounts

May 4, 2023 | Ravie Lakshmanan | Online Security / ChatGPT

Meta said it took steps to prevent more than 1,000 malicious URLs from being shared across its services after finding they leveraged OpenAI’s ChatGPT as a lure to spread about 10 malware families since March 2023.

The development comes as fake ChatGPT web browser extensions are increasingly used to steal users’ Facebook account credentials in order to run unauthorized ads from hijacked business accounts.

“Threat actors create malicious browser extensions available on official web stores that claim to offer ChatGPT-based tools,” Meta said. “They would then promote these malicious extensions on social media and through sponsored search results to trick people into downloading malware.”


The social media giant said it has blocked several iterations of a multi-pronged malware campaign called Ducktail over the years, adding that it issued a cease-and-desist letter to those behind the operation, who are located in Vietnam.

Trend Micro, in a series of tweets last week, detailed malware that masquerades as the Windows desktop client for ChatGPT to extract passwords, session cookies, and browsing history from Chromium-based browsers. The company said the malware shares similarities with Ducktail.

In addition to ChatGPT, threat actors have also been observed pivoting to other “hot issues and popular topics” such as Google Bard, TikTok marketing tools, pirated software and movies, and Windows utilities to trick people into clicking fake links.

“These changes are likely an attempt by threat actors to ensure that any service has only limited visibility into the entire operation,” said Guy Rosen, chief information security officer at Meta.

The attack chains are primarily designed to target the personal accounts of users who manage or are connected to business pages and advertising accounts on Facebook.

In addition to using social media to spread the malicious ChatGPT URLs, the malware is hosted on a variety of legitimate services, including Buy Me a Coffee, Discord, Dropbox, Google Drive, iCloud, MediaFire, Mega, Microsoft OneDrive and Trello.

Ducktail isn’t the only stealer malware spotted in the wild: Meta revealed it discovered another new strain called NodeStealer that is capable of looting cookies and passwords from web browsers to ultimately compromise Facebook, Gmail and Outlook accounts.

The malware is assessed to be of Vietnamese origin, and Meta noted that it “took steps to disrupt it and help those who may have been targeted recover their accounts” within two weeks of its deployment at the end of January 2023.

Samples analyzed by the Menlo Park company show that the NodeStealer binary is distributed via Windows executables disguised as PDF and XLSX files with filenames related to marketing and monthly budgets. The files, when opened, deliver JavaScript code designed to exfiltrate sensitive data from Chromium-based browsers.

NodeStealer gets its name from its use of the Node.js cross-platform JavaScript runtime, which is bundled with the main payload, to configure persistence and run the malware. No new artifacts have been identified as of February 27, 2023.
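NodeStealer's delivery mechanism, as described above, relies on Windows executables named like PDF and XLSX budget documents. The following scanner is an added example (not code from the article or from Meta) that flags such lures by checking each file's magic bytes against what its name claims; the sample files it creates are constructed stand-ins, not real malware.

```python
"""Flag Windows executables masquerading as PDF/XLSX documents."""
import tempfile
from pathlib import Path

# Magic bytes for the document types the lure impersonates.
MAGIC = {
    ".pdf": b"%PDF-",
    ".xlsx": b"PK\x03\x04",   # OOXML documents are ZIP containers
}
PE_MAGIC = b"MZ"               # DOS/PE executable header


def classify(path: Path) -> str:
    """Return 'ok', 'double-extension', 'pe-disguised-as-document'
    or 'content-mismatch' for the file at path."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    suffixes = [s.lower() for s in path.suffixes]
    # budget.pdf.exe style: a document extension placed before .exe/.scr
    if (len(suffixes) >= 2 and suffixes[-1] in (".exe", ".scr")
            and suffixes[-2] in MAGIC):
        return "double-extension"
    ext = suffixes[-1] if suffixes else ""
    if ext in MAGIC and head.startswith(PE_MAGIC):
        return "pe-disguised-as-document"
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        return "content-mismatch"
    return "ok"


def scan_dir(root: str) -> dict:
    """Map each file name under root to its classification."""
    return {p.name: classify(p)
            for p in sorted(Path(root).iterdir()) if p.is_file()}


def build_samples() -> str:
    """Write constructed sample files (harmless byte stubs) to a temp dir."""
    d = tempfile.mkdtemp()
    samples = {
        "Q2_marketing_budget.xlsx": b"PK\x03\x04" + b"\x00" * 32,  # real OOXML header
        "monthly_budget.pdf": b"MZ\x90\x00" + b"\x00" * 32,        # PE bytes, .pdf name
        "campaign_plan.pdf.exe": b"MZ\x90\x00" + b"\x00" * 32,     # double extension
        "ad_report.pdf": b"%PDF-1.7\n",                            # real PDF header
    }
    for name, data in samples.items():
        Path(d, name).write_bytes(data)
    return d


if __name__ == "__main__":
    for name, verdict in scan_dir(build_samples()).items():
        print(f"{name}: {verdict}")
```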

“After retrieving Facebook credentials from the target’s browser data, the malware uses them to make multiple unauthorized requests to Facebook URLs to list account information related to advertising,” Meta said. “The stolen information then allows the threat actor to assess and then use users’ advertising accounts to serve unauthorized ads.”

In an attempt to slip under the radar of the company’s anti-abuse systems, the rogue requests are made from the target user’s device to Facebook’s APIs, lending a touch of legitimacy to the activity.

To counter these threats, Meta said it is releasing a new support tool that guides users in identifying and removing malware, allows businesses to verify connected Business Manager accounts, and requires additional authentication when accessing a line of credit or changing business administrators.

Ikaroa, a full stack technology company, is proud to announce that it has successfully taken down a malicious chatbot campaign aimed at stealing user accounts. The campaign, which used chatbot technology called ChatGPT, was first noticed by a number of internet security companies.

By leveraging its extensive experience in the industry, Ikaroa quickly identified the risk of attack and set forth a strategy to protect its customers. Its system blocks any communication between the malicious chatbot and the target’s accounts, and it continues to monitor the situation.

In addition to preventing malicious bot activity from targeting its own systems and customers, Ikaroa’s efforts have also prevented the same campaign from being successfully used against other companies. This is a strong indication that the company is serious about protecting its customers’ data and safeguarding their accounts.

Ikaroa has led the charge in protection against malicious bots and other malicious activities by distributing its machine learning technology to several organizations in the industry, ensuring that its partners and customers can benefit from space-age security.

This is yet another example of how Ikaroa is dedicated to the pursuit of excellent customer service and strives to ensure that customers’ security needs are met in the ever-changing digital world. Customers can be confident that Ikaroa’s protections will keep them safe from malicious bot activity and other security threats.
