Facebook ads for this fake AI image editor were just an excuse to infect your PC with malware
Attackers are abusing the popularity of AI image editing tools to trick users into installing applications that mimic legitimate tools but are packed with malware.
The campaign uses hijacked Facebook accounts to promote the applications on social media, using paid advertisements to distribute the malware.
The attackers first trick the owners of Facebook pages into giving up their login credentials with phishing messages. These messages lead users to fake account security pages, where their passwords are then stolen.
Facebook malvertising
Jaromir Horejsi, a threat researcher for Trend Micro who analyzed the campaign, said: “We detected a malvertising campaign where a threat actor steals social media pages and changes their names to make them look like popular AI photo editors. The threat actor then creates malicious posts with links to fake websites that resemble the legitimate photo editor’s real website. To increase traffic, the perpetrator then promotes the malicious posts through paid advertisements” (via BleepingComputer).
The software package that victims install is not the AI image editor but the Itarian remote desktop tool, which then launches a downloader on the victim’s device that installs the Lumma Stealer malware. This malware stealthily snoops through the victim’s files looking for valuable data, such as cryptocurrency wallet files, login credentials, password manager files, and browser data.
This data is then sold on the dark web or used to take over other accounts with the compromised credentials, fuelling further scams.
In response to the campaign, Horejsi offered some ways to stay safe, stating: “Users should enable multi-factor authentication (MFA) on all social media accounts to add an extra layer of protection against unauthorized access. Organizations should educate their employees about the dangers of phishing attacks and how to spot suspicious posts and links. Users should always verify the legitimacy of links, especially those that ask for personal information or login credentials.”