Keypoints
- Malicious Chrome extension named “Quick access to Chat GPT” was promoted via Facebook-sponsored posts and installed by thousands of users daily.
- Once installed, the extension abuses the authenticated browser context to access active sessions and steal cookies and session tokens for services including Facebook.
- The extension modifies request headers using chrome.declarativeNetRequest to set the Origin to facebook.com, allowing it to make Graph API calls as the authenticated user without detection.
- Attackers query Facebook Graph API endpoints to enumerate business/pages/ad accounts and retrieve financial and ad-spend details (e.g., act_{account_id} fields including balance and insights).
- Harvested data and session artifacts are exfiltrated to attacker-controlled endpoints (notably api2.openai-service[.]workers[.]dev) via specific API calls per data type.
- The extension automates registering and approving a malicious Facebook app on victims’ accounts (app IDs seen: 1348564698517390, 1174099472704185) to obtain full admin privileges and enable abuse of ad budgets.
- High-value targets receive encrypted exfiltration and the compromised business accounts are used to self-propagate via paid ads and sponsored posts.
MITRE Techniques
- [T1204] User Execution – Victims install the malicious extension after interacting with malvertising and sponsored Facebook posts (‘promoted on Facebook-sponsored posts as a quick way to get started with ChatGPT directly from your browser’).
- [T1550.001] Use of Web Cookies – The extension steals cookies and authorized session tokens from the browser to impersonate users (‘harvests every information it can take from your browser, steals cookies of authorized active sessions’).
- [T1071.001] Application Layer Protocol – The extension issues Graph API and web requests from the browser context to interact with Facebook services and attacker C2 (‘the extension sends API calls from the authenticated browser context’).
- [T1041] Exfiltration Over C2 Channel – Harvested account, cookie and ad data are sent to attacker-controlled worker endpoints using dedicated API paths (‘api2[.]openai-service[.]workers[.]dev/api/add-data-account’).
- [T1098] Account Manipulation – The extension automates registering and approving a malicious Facebook application to gain elevated admin permissions on victims’ accounts (‘automating the entire process of registering an app on your account and approving it to get, basically, A FULL ADMIN MODE’).
Indicators of Compromise
- [Facebook posts/pages] Malicious promotion pages – https://www[.]facebook[.]com/chatgpt.google/videos/719341863011965/, https://www[.]facebook[.]com/chatgpt.google/
- [Extension IDs] Malicious Chrome extensions – kgnddmccicfibljeodejjmekeiilkfhk, coegmjlpjblmfpcnleenkhggdebdcpho (and 1 more)
- [C2 Domains] Attacker-controlled worker domains used for exfiltration – api2.openai-service[.]workers[.]dev, xfks[.]workers[.]dev (and df3233[.]workers[.]dev)
- [C2 API endpoints] Exfiltration paths used by the extension – /api/add-data-account, /api/add-business-manager, /api/add-pages, /api/add-ads-manager (hosted on api2.openai-service[.]workers[.]dev)
- [Facebook App IDs] Rogue apps used to gain permissions – 1348564698517390 (portal), 1174099472704185 (Messenger Kids for iOS – active)
- [Graph API endpoints] Facebook API calls used to enumerate and control accounts – graph[.]facebook[.]com/v14.0/act_{account_id}?…, graph[.]facebook[.]com/v12.0/me/adaccounts?, graph[.]facebook[.]com/v13.0/me/facebook_pages?
After installation, the extension leverages the victim’s already-authenticated browser context to perform privileged actions: it modifies outgoing request headers via chrome.declarativeNetRequest to set the Origin to facebook.com, enabling Graph API calls that would normally require a valid origin. Using these capabilities it enumerates pages, business managers, and ad accounts and issues queries like https://graph.facebook.com/v14.0/act_{account_id}?fields=…&access_token={token} to retrieve balances, spend, owners, and user roles.
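The Origin rewrite described above is a triage signal a defender can check for directly. The following is an added example (not code from the report or from the extension): it inspects an extension's manifest and its declarativeNetRequest rule set for `modifyHeaders` rules that set `Origin` to a facebook.com host, and cross-checks the extension ID against the IDs listed in this report. The manifest and rule JSON are constructed samples that mirror the described behaviour; on a real host you would load `manifest.json` and the files named under `declarative_net_request.rule_resources` from the extension directory.

```python
import json

# Extension IDs named in this report's IoC list.
KNOWN_MALICIOUS_EXTENSION_IDS = {
    "kgnddmccicfibljeodejjmekeiilkfhk",
    "coegmjlpjblmfpcnleenkhggdebdcpho",
}

def find_origin_rewrite_rules(rules, target="facebook.com"):
    """Return ids of declarativeNetRequest rules that overwrite the Origin
    request header with a host equal to or under `target`.  Few legitimate
    extensions need to forge Origin, so a hit deserves manual review."""
    hits = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for hdr in action.get("requestHeaders", []):
            if hdr.get("header", "").lower() != "origin" or hdr.get("operation") != "set":
                continue
            host = hdr.get("value", "").lower().split("://", 1)[-1].split("/", 1)[0]
            if host == target or host.endswith("." + target):
                hits.append(rule.get("id"))
    return hits

def triage_extension(ext_id, manifest, rules):
    """Combine the static rule check with the known-ID lookup.
    Note: rules added at runtime via updateDynamicRules() are not in the
    static rule files, so an empty result does not prove the extension clean."""
    findings = []
    if ext_id in KNOWN_MALICIOUS_EXTENSION_IDS:
        findings.append("known-malicious-id")
    perms = set(manifest.get("permissions", []))
    if perms & {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}:
        if find_origin_rewrite_rules(rules):
            findings.append("origin-header-spoof")
    return findings

# Constructed sample manifest and rule file modelled on the reported behaviour
# (not the real extension's files).
SAMPLE_MANIFEST = json.loads('{"manifest_version": 3, "permissions": ["cookies", '
                            '"declarativeNetRequest"], "host_permissions": ["<all_urls>"]}')
SAMPLE_RULES = json.loads('''[{"id": 1, "priority": 1,
  "action": {"type": "modifyHeaders", "requestHeaders": [
      {"header": "Origin", "operation": "set", "value": "https://www.facebook.com"}]},
  "condition": {"urlFilter": "graph.facebook.com", "resourceTypes": ["xmlhttprequest"]}}]''')

if __name__ == "__main__":
    print(triage_extension("kgnddmccicfibljeodejjmekeiilkfhk", SAMPLE_MANIFEST, SAMPLE_RULES))
```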
The extension collects browser cookies, session tokens, and detailed ad/account metadata, then bundles and transmits that data to attacker-controlled worker domains through structured API endpoints (for example: api2.openai-service.workers[.]dev/api/add-data-account and /api/add-ads-manager). Core control functions (getToken, getClientIP, fetchAds, getListAds, getListPages, getListBM) run automatically on start, and harvested data is exfiltrated according to type.
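The exfiltration endpoints above are the most reliable network indicators in this report. As an added example (not from the report), the following Python flags proxy-log requests to the listed worker domains and classifies them by the per-data-type API path, and it generalises slightly by also matching those exact paths on any other `*.workers.dev` host, since the report shows the actor rotating worker subdomains. The log format and the log lines are constructed for the example; adapt `LINE_RE` to your proxy's actual format.

```python
import re
from urllib.parse import urlsplit

# Exfiltration infrastructure from the report's IoC list.
C2_DOMAINS = {"api2.openai-service.workers.dev", "xfks.workers.dev", "df3233.workers.dev"}
# One API path per harvested data type, as described in the report.
EXFIL_PATHS = {
    "/api/add-data-account": "account-profile",
    "/api/add-business-manager": "business-manager",
    "/api/add-pages": "pages",
    "/api/add-ads-manager": "ad-accounts",
}

# Constructed proxy log excerpt (client, timestamp, request line, status); not a real capture.
SAMPLE_LOG = """\
10.0.0.12 [2023-03-10T09:12:01Z] "POST https://api2.openai-service.workers.dev/api/add-data-account HTTP/1.1" 200
10.0.0.12 [2023-03-10T09:12:02Z] "GET https://graph.facebook.com/v12.0/me/adaccounts?access_token=REDACTED HTTP/1.1" 200
10.0.0.12 [2023-03-10T09:12:03Z] "POST https://api2.openai-service.workers.dev/api/add-ads-manager HTTP/1.1" 200
10.0.0.44 [2023-03-10T09:13:15Z] "GET https://example.com/index.html HTTP/1.1" 200
10.0.0.12 [2023-03-10T09:14:07Z] "POST https://xfks.workers.dev/api/add-pages HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})$')

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_exfil_events(log_text):
    """Return one event per request that matches a known C2 host, or a known
    exfil path on any *.workers.dev host (rotated worker subdomains)."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        u = urlsplit(rec["url"])
        host = u.hostname or ""
        known_host = host in C2_DOMAINS
        rotated_host = host.endswith(".workers.dev") and u.path in EXFIL_PATHS
        if known_host or rotated_host:
            events.append({"client": rec["client"], "ts": rec["ts"], "host": host,
                           "data_type": EXFIL_PATHS.get(u.path, "unknown")})
    return events

def affected_clients(log_text):
    """Clients that should be isolated and have their browser sessions revoked."""
    return {e["client"] for e in find_exfil_events(log_text)}

if __name__ == "__main__":
    for e in find_exfil_events(SAMPLE_LOG):
        print(e)
```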
For takeover, a module named Potal automates the OAuth/device flows to register and confirm malicious Facebook applications on the victim’s account, perform device/session creation, and obtain full admin-like permissions (app_ids observed: 1348564698517390 and 1174099472704185). The sequence (getUserCode → authorize → oauth → confirm → addDevice → createSessionForApp) automates approval and then uses the implanted app to control pages, ad accounts, and connected services; high-value target payloads are encrypted before transmission and compromised ad accounts are abused to self-propagate via paid ads.