A malicious ChatGPT-branded extension for Google Chrome can strip Facebook account details and create rogue admin accounts to distribute malware, according to Guardio Labs researcher Nati Tal.

Dubbed “Quick access to ChatGPT”, the extension was pulled from the Chrome Web Store on 9 March 2023 after accumulating an average of 2,000 installations per day since 3 March.

“By hijacking high-profile Facebook business accounts, the threat actor creates an elite army of Facebook bots and a malicious paid media apparatus,” Tal said.

“This allows it to push Facebook paid ads at the expense of its victims in a self-propagating worm-like manner.”

The extension is promoted through sponsored posts on Facebook.

While it does allow users to connect to ChatGPT, the extension is also designed to collect cookies and Facebook account data through already active and authenticated sessions.

It uses two fake Facebook applications — msg_kig and portal — to maintain access and take complete control of profiles. It adds the two applications automatically and unbeknownst to the user.

The campaign then goes full circle, with hijacked Facebook accounts being used for advertising the extension and malware.

Malicious actors appear to be trying to capitalise on the immense popularity of OpenAI’s ChatGPT language model.

In early March 2023, cybersecurity researchers warned of scammers turning Microsoft’s ChatGPT-powered Bing Chat language model into a con artist.

By planting a prompt on a web page in 0-point font, threat actors could get the language model to ask victims for personal information when interacting with it.
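The hidden-text trick described above can be checked for before a page is handed to a language model. The following is an added example, not code from the article or the researchers it cites: a Python scanner that reports text rendered at font size zero. It assumes the size is set through inline `style` attributes (stylesheet and class rules are not evaluated), and the sample page and all names in it are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Numeric inline font-size declaration: captures the number and its unit.
FONT_SIZE = re.compile(r"font-size\s*:\s*([0-9]*\.?[0-9]+)\s*([a-z%]*)", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

# Constructed sample page; the hidden strings are harmless placeholders.
SAMPLE = """<html><body><h1>Recipe blog</h1>
<p>Visible intro.<br>More text.</p>
<div style="font-size: 0">PLACEHOLDER hidden text <span>nested too</span></div>
<p style="font-size:0px">Second hidden run <b style="font-size: 14px">shown</b></p>
<p style="font-size: 10px">Normal small print</p></body></html>"""

class ZeroFontFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []     # (tag, hidden) for each open element
        self.findings = []  # text runs that render at size zero

    def _hidden(self, attrs):
        inherited = self.stack[-1][1] if self.stack else False
        m = FONT_SIZE.search(dict(attrs).get("style") or "")
        if not m:
            return inherited          # no numeric size: inherit the parent's
        size, unit = float(m.group(1)), m.group(2).lower()
        if size == 0:
            return True
        # em and % scale the parent's size, so a zero-size parent stays zero.
        return inherited if unit in ("em", "%") else False

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:           # void elements never hold text
            self.stack.append((tag, self._hidden(attrs)))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed children.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if self.stack and self.stack[-1][1] and data.strip():
            self.findings.append(" ".join(data.split()))

def find_zero_font_text(html):
    finder = ZeroFontFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```

Any text returned by `find_zero_font_text` is invisible to a human reader but present in the markup, so it can be stripped or flagged before the page content reaches the model.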

