CloudSEK researchers have exposed nefarious tactics employed by threat actors to hijack Facebook accounts and misuse the popularity of ChatGPT to spread malware.
The finding shows that ChatGPT, a popular language model developed by OpenAI, is being exploited by these actors to attract users and trick them into downloading malware onto their devices.
Threat actors are using previously compromised data, phishing techniques, and stealer logs to infiltrate existing Facebook accounts and pages. Compromised accounts and pages are being used to distribute malware through various channels, such as Trello boards, Google Drive, and individual websites embedded in Facebook ads.
A password accompanies the download link to lend further credibility to the scam. Compromised accounts can also result in the theft of personally identifiable information (PII) and sensitive details such as payment information.
Infection chain – compromised Facebook accounts spreading malware
CloudSEK’s investigation has revealed the presence of 13 Facebook pages/accounts, totaling over 500K followers, that have been compromised and are being used to disseminate the malware via Facebook ads.
The oldest instance of such a hijacking, as identified by their researcher, dates back to 13 February 2023 and pertains to a page with over 23K followers.
”Cybercriminals are capitalizing on the popularity of ChatGPT, exploiting Facebook’s vast user base by compromising legitimate Facebook accounts to distribute malware via Facebook ads, putting users’ security at risk. Our investigation has uncovered 13 compromised pages with over 500K followers, some of which have been hijacked since February 2023. We urge users to be vigilant and aware of such malicious activities on the platform,” said Bablu Kumar, Cyber Intelligence Analyst, CloudSEK.
The research paper also highlights the repeated use of a specific video to attract and engage the audience across the majority of the compromised accounts. This pattern suggests that this campaign, of deploying malware via Facebook ads, is most likely the activity of a distinct group of threat actors or an individual threat actor.
CloudSEK’s investigation has uncovered at least 25 websites engaging in the nefarious practice of impersonating the OpenAI.com website. These malicious sites are duping individuals into downloading and installing harmful software, posing a severe risk to their security and privacy.
Majority of compromised accounts were being controlled by Vietnamese actors. Semrush, SMIT, Evoto, and OBS Studio are a few other websites targeted in a similar manner.
“The malicious malware is not only capable of stealing sensitive information such as PII, system information, and credit card details from the user’s device, but also has replication capabilities to spread across systems through removable media. With the ability to escalate privileges and persistently remain on the system, it poses a significant threat. Its malicious nature is evident from being flagged by 9 out of 61 security vendors on VirusTotal,” said Bablu Kumar, Cyber Intelligence Analyst, CloudSEK.
The report also provides details of the threat actors and the Trello cards used by them to disseminate malware. CloudSEK’s findings are a testament to the growing threat landscape and highlight the need for individuals and organizations to remain vigilant and take proactive measures to protect their systems and networks.