Attackers have been found hijacking pages on Facebook in a sophisticated scheme to deceive users into downloading what appears to be a legitimate artificial intelligence (AI) photo editor, only to infect their devices with a notorious infostealer that steals valuable credentials. This malvertising campaign, identified by researchers at Trend Micro, capitalizes on the popularity of AI technology and combines various malicious tactics such as phishing, social engineering, and the misuse of a genuine utility to carry out their attacks. The end goal of this scheme is to distribute the Lumma stealer, a dangerous malware strain designed to extract sensitive data including user credentials, system information, browser details, and extensions.
The attack relies heavily on the misuse of paid Facebook promotions, which the attackers use to draw unsuspecting users to their malicious content. Once the attackers gain control of a targeted page, they post deceptive ads promoting the fake AI photo editor; victims who follow them download what appears to be the photo editing tool but is in fact an endpoint management utility masquerading as the legitimate software. The ruse leads users to believe they are installing a harmless application, while the Lumma stealer payload is deployed and their credentials are stolen.
Moreover, attackers are taking advantage of the widespread interest in AI technology and its associated tools to lure users further into their scheme. By using AI-related lures, alongside phishing scams, deepfakes, and automated attacks, the attackers aim to exploit the current fascination with AI advancements to further their malicious agenda.
As part of the campaign, approximately 16,000 downloads on Windows devices and 1,200 downloads on macOS systems have been recorded. Notably, the macOS version of the malware redirects users to the official Apple website instead of an attacker-controlled domain, indicating that the campaign targets Windows users exclusively.
The attack methodology begins with a phishing component, where attackers send deceptive messages to the owners of targeted social media pages in an effort to gain control over the account for illicit purposes. The phishing links embedded in these messages utilize various personalized link pages and open redirect URLs, adding a layer of authenticity to the malicious content. Once a victim falls into the trap and provides their personal information, the attacker proceeds to hijack the profile and initiate the distribution of malicious ads promoting the fake AI photo editor.
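The phishing links described above rely on open redirect URLs: a link on a trusted-looking host whose query parameter carries the real destination. A defender triaging reported messages can flag such links automatically. The following is an added example (not code from the article or from Trend Micro) that inspects a URL's query parameters for redirect targets pointing at a different host; the parameter names, the sample links and the hostnames are constructed for illustration and are not indicators from the campaign.

```python
"""Flag links whose query parameters carry a redirect target on another host,
the pattern used by open-redirect phishing links."""
from urllib.parse import urlparse, parse_qs, unquote

# Query parameter names commonly used to carry a redirect destination.
# Assumption: an illustrative list, not an exhaustive one.
REDIRECT_PARAMS = {
    "url", "redirect", "redirect_uri", "redirect_url", "next", "return",
    "returnurl", "goto", "dest", "destination", "continue", "target", "u", "r",
}


def find_redirect_targets(url: str) -> list[tuple[str, str]]:
    """Return (parameter, external_host) pairs for every redirect-style
    parameter on `url` whose value is a URL on a host other than url's own."""
    parsed = urlparse(url)
    own_host = (parsed.hostname or "").lower()
    findings = []
    # parse_qs percent-decodes values once; keep_blank_values keeps "next=".
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            # Decode a second time to catch double-encoded targets
            # (https%253A%252F%252F... survives the first decode as https%3A...).
            inner = urlparse(unquote(value))
            inner_host = (inner.hostname or "").lower()
            # Absolute http(s) URLs and protocol-relative "//host/path" values
            # both carry a host; relative paths like "/dashboard" do not.
            if inner.scheme in ("http", "https", "") and inner_host and inner_host != own_host:
                findings.append((name, inner_host))
    return findings


def is_suspicious_link(url: str) -> bool:
    """True when the link redirects to at least one external host."""
    return bool(find_redirect_targets(url))


# Constructed sample links for the demonstration; not real campaign indicators.
SAMPLE_LINKS = [
    "https://social.example/l.php?u=https%3A%2F%2Flogin-page.example.net%2Fverify",
    "https://auth.example/login?next=%2Fdashboard",
    "https://photos.example/download?file=editor.zip",
    "https://portal.example/go?redirect_uri=http%3A%2F%2Fpolicy-appeal.example.org%2Fform",
]


def scan_links(links: list[str]) -> dict[str, list[tuple[str, str]]]:
    """Map each link to its redirect findings (empty list when clean)."""
    return {link: find_redirect_targets(link) for link in links}


if __name__ == "__main__":
    for link, hits in scan_links(SAMPLE_LINKS).items():
        print(f"{'SUSPICIOUS' if hits else 'ok':10} {link}")
        for param, host in hits:
            print(f"           parameter '{param}' redirects to {host}")
```

The check compares hostnames only; a production version would compare registrable domains (so that a redirect from `www.example` to `login.example` is not flagged) and would follow the link in a sandbox to see where the redirect chain actually ends, since the first hop is often a legitimate site.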
To safeguard against falling victim to such campaigns, users are advised to enable multifactor authentication on all their accounts, regularly update and utilize strong, unique passwords, and exercise caution while interacting with content on social media platforms. Organizations should prioritize cybersecurity education and awareness among employees, educating them on the risks associated with social media and the importance of identifying and reporting suspicious activities online.
In conclusion, vigilance and proactive security measures are crucial in mitigating the risks posed by sophisticated cyber attacks such as the one targeting Facebook users. By staying informed, practicing good cybersecurity hygiene, and remaining vigilant against evolving threats, users and organizations can better protect themselves against malicious actors seeking to exploit vulnerabilities for their gain.