Hackers are increasingly using ChatGPT lures to spread malware on Facebook

As public interest in generative AI chatbots grows, hackers are increasingly using ChatGPT-themed lures to spread malware across Facebook, Instagram and WhatsApp.

That’s according to Facebook’s parent company Meta, which said in a report out Wednesday that malware posing as ChatGPT was on the rise across its platforms. The company said that since March 2023, its security teams have uncovered 10 malware families using ChatGPT (and similar themes) to deliver malicious software to users’ devices.

“In one case, we’ve seen threat actors create malicious browser extensions available in official web stores that claim to offer ChatGPT-based tools,” said Meta security engineers Duc H. Nguyen and Ryan Victory in a blog post. “They would then promote these malicious extensions on social media and through sponsored search results to trick people into downloading malware.”

Meta says that attackers distributing the DuckTail malware have increasingly turned to these AI-themed lures in an attempt to compromise businesses with access to Facebook ad accounts. DuckTail, which has targeted Facebook users since 2021, steals browser cookies and hijacks logged-in Facebook sessions to steal information from the victim’s Facebook account, including account information, location data and two-factor authentication codes. The malware also allows the threat actor to hijack any Facebook Business account that the victim has access to.

Meta on Wednesday attributed the distribution of DuckTail to threat actors in Vietnam, adding that it had issued cease-and-desist letters to the individuals behind the operation and notified law enforcement.

A screenshot showing a malware campaign that link to site hosting platforms began targeting smaller services, such as Buy Me a Coffee – a service used by creators to accept support from their audiences – to host and deliver malware.

Meta said it blocked malicious links that pointed to fake ChatGPT-themed pages that host and deliver malware. Image Credits: Meta (supplied)

The social media giant also noted a new malware it discovered in January called NodeStealer. Much like DuckTail, the malware targets Windows-based browsers with the ultimate aim of stealing cookies and saved login details to compromise Facebook, Gmail and Microsoft Outlook accounts. Meta said it took early action against the malware, which it has also attributed to Vietnamese threat actors. Meta said it submitted takedown requests with domain registrars and hosting providers, which were malware targeted to facilitate its distribution, within two weeks of discovering the malware.

“These actions led to a successful disruption of the malware. We have not observed any new samples of malware in the NodeStealer family since February 27 of this year and continue monitoring for any potential future activity,” said Nguyen and Victory.

Meta said it has also added new features to help business users of its products better fend off malware attacks. This includes a new support tool that guides people step-by-step through identifying and removing malware and new controls for business accounts to manage, audit and limit who can become an account administrator. Meta also announced it will launch Facebook at Work accounts later this year. These accounts will allow business users to log in and operate Business Manager without requiring a personal account, helping prevent attacks that begin with a compromised personal account.

Or, perhaps it’s finally time to delete your Facebook account?