CyberSecurity SEE

Watch Out for AI Editor Websites That Can Steal Your Login Information

Cybercriminals have been using fake AI editor websites to deceive users and extract sensitive information from them. The schemes include tricking users into handing over personal data, downloading malware onto their devices, making fraudulent payments, and more.

Cybersecurity experts at Trend Micro recently uncovered a sophisticated malvertising campaign that targeted social media users with a multi-stage scheme to steal their login credentials. The threat actors hijack social media pages related to images and convert them into AI photo editor sites to carry out their malicious activity.

To lure unsuspecting users into their trap, the hackers promote posts with links to fake photo editing platforms through sponsored advertisements. Users who download the purported editor software from these sites unwittingly install an innocent-looking endpoint administration tool embedded with a malicious setup file. This allows threat actors to remotely control the victims’ devices and execute various nefarious activities, such as stealing credentials or pilfering valuable data.

The threat actors send phishing messages to social media page administrators, abusing personalized link pages or Facebook’s open redirect URL to make the messages appear legitimate. Trend Micro reported that once the attackers gain access to these accounts, they post malicious ads containing links to fake AI photo editor websites that disguise endpoint management software as legitimate services such as Evoto.

This malicious campaign has attracted significant traffic, with approximately 16,000 downloads on the Windows version and 1,200 hits on a non-functional macOS version, demonstrating the extensive reach and effectiveness of this operation in deceiving users across various platforms.

Victims’ devices are surreptitiously enrolled in the remote management system of ITarian after being deceived into believing it is a photo editor MSI package. This enrollment grants the threat actors full control over the devices without the need for explicitly malicious components. Subsequently, two actions are carried out through this enrollment: a Python script downloads and executes Lumma Stealer, encrypted with PackLab Crypter, while another script disables Microsoft Defender scans for the C: drive.

Following this, Lumma Stealer establishes communication with its command and control server through specific POST requests, receiving a base64-encoded configuration. Once decoded, this configuration tells the stealer which data to target and exfiltrate, with a focus on social media credentials and other sensitive information.

To mitigate the risks associated with such malicious campaigns, several recommendations are provided. These include enabling multi-factor authentication on all social media accounts, regularly updating and using strong, unique passwords, educating employees on phishing threats, verifying the legitimacy of links asking for personal information, monitoring accounts for unusual activity, utilizing security solutions to detect abnormal behavior, and implementing endpoint technologies for layered protection.
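The chain described above (an MSI that silently enrolls the device in a remote management system, followed by a script that disables Defender scans for the C: drive) leaves traces in Windows event logs that the "detect abnormal behavior" recommendation can be made concrete on. The following Python is an added example, not code from the article or from Trend Micro. It parses constructed event log lines (the pipe-delimited line format, host names, timestamps and product names are assumptions made for this example; MsiInstaller event 11707 and Microsoft Defender configuration-change event 5007 are real Windows event IDs) and raises an alert when a scan exclusion covering a whole drive is added, and when any exclusion is added shortly after a software install on the same host.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article or from any real incident).
# Format assumed for this example: timestamp|host|provider|event_id|message.
# Event 11707 (MsiInstaller) records a completed MSI install; event 5007
# (Microsoft-Windows-Windows Defender/Operational) records a Defender
# configuration change, which is where a newly added scan exclusion shows up.
SAMPLE_LOG = """\
2024-08-01T10:02:11|HOST01|MsiInstaller|11707|Product: AI Photo Editor -- Installation completed successfully.
2024-08-01T10:02:40|HOST01|Microsoft-Windows-Windows Defender|5007|Microsoft Defender Antivirus Configuration has changed. Old value: New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ = 0x0
2024-08-01T11:30:00|HOST02|MsiInstaller|11707|Product: 7-Zip 23.01 (x64 edition) -- Installation completed successfully.
2024-08-01T15:45:02|HOST02|Microsoft-Windows-Windows Defender|5007|Microsoft Defender Antivirus Configuration has changed. Old value: New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Tools\\ = 0x0
"""

EXCLUSION_RE = re.compile(r"Exclusions\\Paths\\(.+?) = ")   # path added as exclusion
PRODUCT_RE = re.compile(r"Product: (.+?) -- ")             # product name in 11707
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")              # 'C:' or 'C:\'
CORRELATION_WINDOW = timedelta(minutes=15)                 # assumed tuning value


def parse_event(line):
    """Split one constructed log line into its fields."""
    ts, host, provider, event_id, message = line.split("|", 4)
    return {
        "time": datetime.fromisoformat(ts),
        "host": host,
        "provider": provider,
        "event_id": int(event_id),
        "message": message,
    }


def exclusion_path(message):
    """Return the path added as a Defender exclusion, or None when the 5007
    event describes some other configuration change."""
    m = EXCLUSION_RE.search(message)
    return m.group(1) if m else None


def is_drive_root(path):
    """True for an exclusion that switches off scanning for an entire volume."""
    return DRIVE_ROOT_RE.match(path) is not None


def detect(log_text, window=CORRELATION_WINDOW):
    """Run two checks over the events and return the resulting alerts.

    1. A new exclusion covering a whole drive is flagged on its own.
    2. An exclusion added within `window` after an MSI install on the same
       host is flagged as a possible installer-then-defence-tampering chain.
    """
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["time"])
    alerts = []
    installs = {}  # host -> list of (time, product) from 11707 events

    for ev in events:
        if ev["provider"] == "MsiInstaller" and ev["event_id"] == 11707:
            m = PRODUCT_RE.search(ev["message"])
            product = m.group(1) if m else "<unknown>"
            installs.setdefault(ev["host"], []).append((ev["time"], product))
            continue

        if ev["event_id"] != 5007 or "Defender" not in ev["provider"]:
            continue
        path = exclusion_path(ev["message"])
        if path is None:
            continue

        if is_drive_root(path):
            alerts.append({"host": ev["host"], "rule": "drive_root_exclusion",
                           "path": path})

        for inst_time, product in installs.get(ev["host"], []):
            if timedelta(0) <= ev["time"] - inst_time <= window:
                alerts.append({"host": ev["host"], "rule": "install_then_exclusion",
                               "path": path, "product": product})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed input only HOST01 fires: the whole-drive exclusion is flagged by itself, and the same event is also correlated with the "AI Photo Editor" install 29 seconds earlier. HOST02 adds a narrow exclusion more than four hours after an unrelated install and stays quiet. The 15-minute window is an assumed starting point; in a real deployment the events would come from the MsiInstaller and Defender Operational channels through a SIEM, and the product name from the 11707 event is worth matching against a list of remote management agents.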

In conclusion, the use of fake AI editor websites by cybercriminals highlights the evolving nature of cyber threats and the importance of staying vigilant and implementing robust cybersecurity measures to safeguard against such malicious activities.
