Warning: AI Tools on Facebook May Be Malware

Tech Read Team

Protecting Against AI-Driven Cyber Attacks

  • Cybercriminals hijack social media pages, renaming them to popular AI photo editors and posting harmful links to fake websites to steal administrators’ login credentials.
  • The attack uses ITarian software to execute additional malicious code like Lumma Stealer, which exfiltrates sensitive data such as cryptocurrency wallets and password management databases.
  • Cybercriminals send phishing links via spam emails to gain control of social media pages and then post ads linking to fake AI photo editors.
  • When users click on these links, they are redirected to fake account protection pages where they are prompted to enter login information.
  • The fake websites appear to be legitimate AI photo editors but instead install ITarian endpoint management software that enables remote device control.
  • After installing ITarian software, the attacker can download and execute malicious code like Lumma Stealer, which exfiltrates sensitive data.

A new report from Trend Micro has revealed that malicious actors are using a proven method to weaponize Facebook ads, luring users of AI tools into downloading malware disguised as AI photo editing tools.

Cybercriminals leverage popular AI tools to deceive users into downloading malicious software through fake ads on social media platforms like Facebook. This campaign, in which a threat actor hijacks social media pages and renames them to resemble popular AI photo editors, is an example of how cybercriminals exploit AI’s popularity to carry out hostile actions.

Overview of the Campaign

The campaign starts with the threat actor taking control of social media pages, usually ones related to photography. They change the page names to resemble popular AI photo editors and then post harmful links to fake websites that imitate the legitimate photo editors’ sites. To boost traffic to these fake sites, they pay for ads on Facebook.


When victims click on these ads and visit the fake websites, they are prompted to download and install a package that claims to be a photo editor but is actually legitimate endpoint management software with a malicious configuration. After installation, the attacker can remotely control the device and use the tool’s features to download and run additional malware that steals sensitive data and authentication credentials.
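One way to hunt for the install stage described above, as an added example that is not from the article or the Trend Micro report: flag any remote-management product that is not on the organisation's allow-list, and raise the severity when it was installed from a file a browser downloaded minutes earlier. The event schema, host names, file names, the allow-list, the keywords other than ITarian, and the 30-minute window are all assumptions.

```python
from datetime import datetime, timedelta

# Assumptions: allow-list, keywords (only "itarian" comes from the article) and window.
SANCTIONED_RMM = {"ExampleCorp Remote Agent"}
RMM_KEYWORDS = ("itarian", "remote agent", "remote management")
WINDOW = timedelta(minutes=30)

# Constructed sample telemetry (hypothetical schema, not real data).
EVENTS = [
    {"ts": "2024-07-01T10:02:11", "host": "ws-17", "type": "download",
     "file": "photo-editor-setup.msi", "referrer": "facebook.com"},
    {"ts": "2024-07-01T10:04:40", "host": "ws-17", "type": "install",
     "product": "ITarian agent", "source_file": "photo-editor-setup.msi"},
    {"ts": "2024-07-01T11:00:00", "host": "ws-03", "type": "install",
     "product": "ExampleCorp Remote Agent", "source_file": "it-deploy.msi"},
    {"ts": "2024-07-01T12:30:00", "host": "ws-22", "type": "install",
     "product": "ITarian agent", "source_file": "agent.msi"},
    {"ts": "2024-07-01T13:00:00", "host": "ws-09", "type": "download",
     "file": "viewer.msi", "referrer": "intranet.example"},
    {"ts": "2024-07-01T13:01:00", "host": "ws-09", "type": "install",
     "product": "Image Viewer", "source_file": "viewer.msi"},
]

def is_rmm(product):
    """True when the product name looks like remote-management tooling."""
    name = product.lower()
    return any(keyword in name for keyword in RMM_KEYWORDS)

def find_unsanctioned_rmm(events):
    """Return one alert per unsanctioned RMM install, linked to its web download if any."""
    downloads = [e for e in events if e["type"] == "download"]
    alerts = []
    for e in events:
        if e["type"] != "install" or not is_rmm(e["product"]) or e["product"] in SANCTIONED_RMM:
            continue
        installed = datetime.fromisoformat(e["ts"])
        # A download of the same file on the same host shortly before the install.
        origin = next((d for d in downloads
                       if d["host"] == e["host"] and d["file"] == e["source_file"]
                       and timedelta(0) <= installed - datetime.fromisoformat(d["ts"]) <= WINDOW),
                      None)
        alerts.append({"host": e["host"], "product": e["product"],
                       "severity": "high" if origin else "medium",
                       "referrer": origin["referrer"] if origin else None})
    return alerts

if __name__ == "__main__":
    for alert in find_unsanctioned_rmm(EVENTS):
        print(alert)
```

An installer whose file name advertises a photo editor while the installed product is remote-management software is the mismatch the high-severity alert surfaces for triage.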

How the Attack Works

To take over the target pages, the threat actor first sends messages to administrators containing phishing links. These links lead to fake pages resembling Facebook’s login pages or other security pages where victims are asked to enter their login credentials. Once victims fall for this scam, the attacker takes over the page and starts posting ads linking to the fake AI photo editor.

Security Recommendations

To protect against such attacks, the following measures are recommended:

  • Use multi-factor authentication (MFA) on all social media accounts for extra security.
  • Regularly update and use strong, unique passwords for your social media accounts.
  • Always be wary of links requesting personal information or login credentials, especially if they come from unexpected sources.
  • Monitor your accounts for unusual behavior, such as unexpected logins or changes in account information.
  • Utilize security solutions that can detect abnormal account activities and block malicious tools before they can cause any harm.