Recently, Trend Micro researchers uncovered a sophisticated malvertising campaign targeting social media users with a multi-step deception to steal login credentials.
Hackers use fake AI editor websites to trick users into providing personal information, downloading malware, and paying for fraudulent services.
Fake AI Editor
The threat actor promotes fake photo editing sites through sponsored ads. When users download software from these sites, they inadvertently install a tool that, while appearing harmless, is actually embedded with malicious code. This allows hackers to control the users’ devices remotely, enabling them to deploy credential stealers or access valuable data.
Threat actors send phishing messages to social media page admins, using personalized links or Facebook’s open redirect URLs to appear legitimate. Once they access the accounts, they post malicious ads linking to fake AI photo editor sites.
These platforms mimic real services like Evoto but actually distribute endpoint management software.
The campaign has generated notable traffic, with about 16,000 downloads for the Windows version and 1,200 hits on a non-functional macOS version, showing its broad reach and effectiveness in deceiving users.
Victims’ devices are unknowingly enrolled in ITarian’s remote management system, disguised as a photo editor MSI package. This setup allows full control without using obvious malicious components.
Two key actions occur:
- A Python script downloads and runs Lumma Stealer, encrypted with PackLab Crypter.
- Another script disables Microsoft Defender scans for the C: drive.
Lumma Stealer then communicates with its command-and-control server via POST requests to receive a base64-encoded configuration. This configuration directs the stealer to target and exfiltrate social media credentials and other sensitive data.
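As an added defensive example (not code from the Trend Micro report or this article), the script below triages Microsoft Defender configuration-change events and flags the kind of change described above, such as a new exclusion covering the whole C: drive or real-time protection being switched off. The event text layout is modelled on the Defender Operational log event 5007 and the sample lines are constructed; both are assumptions for this example.

```python
import re

# Patterns modelled on the text of Defender "Configuration has changed" events
# (Event ID 5007). The exact field layout is an assumption for this example.
EXCLUSION_RE = re.compile(
    r"Windows Defender\\Exclusions\\(?P<kind>Paths|Extensions|Processes)\\"
    r"(?P<value>.+?)\s*=\s*0x0",
    re.IGNORECASE,
)
RTP_OFF_RE = re.compile(r"DisableRealtimeMonitoring\s*=\s*0x1", re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"^[A-Z]:\\?\*?$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(Users|Temp|AppData|ProgramData|Downloads)\\", re.IGNORECASE)

# Constructed sample log lines in the form "<EventID>|<Message>".
SAMPLE_EVENTS = [
    r"1116|Windows Defender has detected malware or other potentially unwanted software.",
    r"5007|Windows Defender Configuration has changed. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0",
    r"5007|Windows Defender Configuration has changed. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\bob\AppData\Local\Temp = 0x0",
    r"5007|Windows Defender Configuration has changed. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1",
    r"5007|Windows Defender Configuration has changed. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\ASSignatureDue = 0x1 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\ASSignatureDue = 0x2",
]


def rate_exclusion(kind: str, value: str) -> str:
    """Severity of a newly added Defender exclusion."""
    if kind.lower() == "paths" and DRIVE_ROOT_RE.match(value.strip()):
        return "critical"  # whole volume excluded, as in the campaign described above
    if kind.lower() == "paths" and USER_WRITABLE_RE.search(value):
        return "high"      # user-writable location, a common malware drop zone
    if kind.lower() == "processes":
        return "high"      # anything the excluded process writes goes unscanned
    return "review"


def scan_defender_events(lines):
    """Return (line_no, severity, description) for each suspicious 5007 event."""
    findings = []
    for n, line in enumerate(lines, 1):
        event_id, _, message = line.partition("|")
        if event_id.strip() != "5007":
            continue
        m = EXCLUSION_RE.search(message)
        if m:
            kind, value = m.group("kind"), m.group("value").strip()
            findings.append((n, rate_exclusion(kind, value), f"{kind} exclusion added: {value}"))
        elif RTP_OFF_RE.search(message):
            findings.append((n, "critical", "real-time protection disabled"))
    return findings


if __name__ == "__main__":
    for line_no, severity, what in scan_defender_events(SAMPLE_EVENTS):
        print(f"line {line_no}: [{severity}] {what}")
```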
Recommendations for protecting against fake AI editor scams:
- Verify Sources: Only download software from official and trusted sources. Be cautious of links from unsolicited emails or social media ads.
- Check URLs: Ensure that the URL of the website is legitimate and not a lookalike or misspelled version of a real site.
- Use Security Software: Keep your antivirus and anti-malware software up to date to detect and block malicious downloads.
- Enable Browser Security Features: Use browser extensions or settings that warn you about potentially dangerous sites and downloads.
- Be Cautious with Permissions: Avoid granting excessive permissions to software or apps that request more access than necessary.
- Educate Yourself and Others: Stay informed about common phishing tactics and scams to better recognize and avoid them.
- Report Suspicious Activity: Report any suspicious ads or websites to the relevant platforms or authorities to help prevent others from falling victim.
- Regularly Update Software: Ensure that your operating system and applications are up-to-date with the latest security patches.