Since March, Meta has discovered malware using ChatGPT and other AI themes to steal user data and compromise business accounts.

Facebook’s parent company, Meta, has issued a warning that hackers are taking advantage of people’s interest in ChatGPT and other generative AI applications to trick them into installing malware that pretends to provide AI functionality. Since March, Meta has discovered about 10 malware families using AI themes to compromise business accounts across the internet, including social media business accounts, and has blocked over 1,000 unique ChatGPT-themed malicious URLs from being shared on its platforms.

“Over the past several months, we’ve investigated and taken action against malware strains taking advantage of people’s interest in OpenAI’s ChatGPT to trick them into installing malware pretending to provide AI functionality,” Meta said in a blog post.

Meta detected malware strains such as DuckTail and NodeStealer in ChatGPT browser plugins and productivity tools, attributing them to Vietnam-based hackers.

DuckTail steals browser cookies

One of the malware strains that has increasingly been targeting victims with AI-themed lures is DuckTail. DuckTail steals browser cookies and hijacks Facebook sessions to retrieve victims’ account information, such as location data and two-factor authentication codes. Threat actors use the malware to hijack Facebook business accounts that the victim has access to, in order to reach the Facebook ad accounts attached to them.

“In its latest iteration, DuckTail operators, likely in response to our round-the-clock detection terminating stolen sessions, began automatically granting business admin permissions to requests for ad-related actions sent by attackers as an attempt to speed up their operations before we block them,” Meta said.

DuckTail is known to target a number of platforms, previously including LinkedIn, using social engineering techniques to trick people into downloading the malware.
Once downloaded, the malware can access users’ information held by browsers including Google Chrome, Microsoft Edge, Brave, and Firefox. Its operators use file-hosting and sharing services such as Dropbox and Mega to host the malware. Meta has issued cease-and-desist letters to the individuals behind the operation and notified law enforcement.

NodeStealer targets Windows browsers

In January, Meta discovered that the NodeStealer malware strain was targeting Windows-based browsers with the goal of stealing cookies and saved login details, such as usernames and passwords, to compromise victims’ Facebook, Gmail, and Microsoft Outlook accounts.

“NodeStealer is custom written in JavaScript and bundles the Node.js environment. We assessed the malware to be of Vietnamese origin and distributed by threat actors from Vietnam,” Meta said.

Meta identified NodeStealer within two weeks of its deployment, took action to disrupt it, and helped users who may have been targeted recover their accounts. The company also submitted takedown requests to the domain registrars and hosting providers the threat actors had used to distribute the malware.

“These actions led to a successful disruption of the malware. We have not observed any new samples of malware in the NodeStealer family since February 27 of this year and continue monitoring for any potential future activity,” Meta said.

New security feature for business accounts

In response to the new malware strains that specifically target Facebook business accounts, the company has also launched new security features for those accounts. It introduced a support tool that guides users step by step through identifying and removing malware. There are also new controls for business accounts to help owners manage, audit, and limit who can become an account administrator. The company will also launch Facebook at-Work accounts, through which a business account can be operated without requiring a personal account.
This is likely to be launched later this year.