Facebook Users Are Preyed Upon By Fake ChatGPT

My Facebook feed has been bombarded with 13 ads these last few weeks for OpenAI's ChatGPT - which is unusual to me, since OpenAI doesn't run any ads on its platform.

‍

In reality, these ads are intended to spread malware from advanced cybercriminals and are spreading a dangerous form of malware called Kermit. The fake software claims to provide a convenient way of communicating with ChatGPT AI, but it is secretly stealing victims' personal information.

‍

Malvertising is the act of spreading malware via advertisements, a practice that has been around for a long time. It has even been used by U.S. intelligence agencies and the military for their personnel due to the dangers this brings.

‍

Despite this, Facebook or Google are often using these ads in a non-safe manner due to the proliferation of such ads.

‍

This issue seems to be getting worse. According to Nati Tal, a security researcher at Guardio Labs, we have seen more instances of it in the past few months. It is highly adaptive, evading platforms' efforts to stop it, Tal expressed.

‍

A cloned website that distributes malware is also a common occurrence on other websites, including Google, where users searching for cryptocurrency wallets or software for YouTube streamers are directed to advertisements resembling what they are looking for when they click on those advertisements. It is quite common for malware to contain a variant of the real software with a backdoor, meaning that victims don't realize immediately that they have been hacked, Tal told me. 

‍

• A spokesman for Google, Davis Thompson, said that the company bans scam ads, that it has invested in its anti-scam capabilities, and that over the past year, the company has blocked or removed over 5.2 billion advertisements across its platform.

‍

A cyberattacker may be able to steal your cookies that allow you to access your online accounts and sell them on the black market, Tal says. Or they might post scams that will result in thousands of dollars being earned in just a few hours, he says. Additionally, these scammers use the victims’ Facebook ad accounts in order to advertise in more places and keep the scam going, perpetuating the scam.

‍

A cloaking site, for example, shows the platforms' ad approval systems a benign page, while the dangerous site itself displays a dangerous one so they're fooled into accepting the ad. The more sophisticated sites are using tricks such as cloaking in order to fool the platforms.

‍

It goes without saying that OpenAI confirmed that the Facebook ads that I was shown weren’t from them (it goes without saying, but OpenAI has confirmed that they are not from them). A few of the advertisements came from Bard, the chat tool that Google uses.

‍

• Often, the text of the advertisements included a direct link that led to the website of the chat app or organization software that hosted the malicious software, providing a means for a victim to download it. 

‍

• I've watched this campaign closely over the past few weeks, and I've seen the details of how the malware has been distributed change repeatedly - an indication that the attackers (or attackers) are sophisticated and are adapting to countermeasures in a timely manner.

‍

The ads can be easily located due to all of these indicators. Searching the Facebook ad library for "password 888" resulted in 59 active ads, some of which had been running for as long as February. Several dozen of them were found in April. It does not appear that Facebook discloses the amount of money that the hackers spent on these ads or the number of people who were shown them.

‍

A spokesperson for Facebook parent Meta told me that the problem is complex as bad actors are evading detection quite frequently. I asked why these ads appear on Facebook's platform. According to her, the company tries to detect threats when they arise and to take action by disrupting them, training automated systems to block them, and sharing information throughout the industry. In her opinion, some of those ads have been taken down by Facebook.

‍

Franklin added that cybercriminals are switching from one type of lure to another across the internet as a way of obtaining information. In other words, the latest & greatest is what the cybercriminals are calling ChatGPT and Facebook ads.

‍

Facebook's ad targeting tools were cleverly used in the ads that appeared in my feed to reach the most valuable victims with these advertisements. In the instructions of the cybercriminals, Facebook was instructed to show ads only to people who had access to Facebook ads, that is, people with access to Facebook ad accounts. These were people who administered a Facebook page or were interested in online marketing. There are two ways to find out why you are seeing an ad on Facebook: You can see what the ad is about and then decide whether or not you want to see it. Facebook discloses that information to users who are shown ads; Facebook does not provide it to users who aren't served ads.

‍

A major part of the problem, Tal said, lies in the fact that many online advertising companies fail to verify the identities of their customers. Aside from that, there has to be a constant check on bad actors because they tend to hide until their tools are widely distributed. It is not easy. This is why we can understand why they are unable to do that," he stated.

‍

• As Thompson pointed out, many bad actors make use of sophisticated means to conceal their identities and to evade our policies and enforcement processes in order to avoid being caught and punished by them.

‍

The Guardio product, Tal explained, is intended to close a huge security breach that isn't being addressed by traditional security tools like anti-virus software. Tal says there is a huge security gap that Guardio is trying to close. The main service that you use on the internet is Facebook, or even searching. You have no way to ensure that all information that you enter there is safe, and that’s why you don’t know that.