Malvertising campaign uses fake AI editor ads on Facebook

August 13, 2024
Tags: Fake AI Editor Ads, Facebook, AI Tools, Social Media Scammers, Malvertising

A new malvertising campaign on Facebook targets users looking for AI editor tools. It steals their credentials by tricking them into downloading fake apps, advertised as legitimate software, from sponsored ads.

Researchers stated that the attackers exploit the popularity of AI-driven image-generation tools by building malicious websites that closely resemble legitimate services, deceiving victims into infecting themselves with infostealer malware.

The operation begins with phishing messages sent to Facebook page owners or admins. These messages direct recipients to bogus account-protection pages designed to trick them into disclosing their login credentials.

Once these victims submit their credentials, the threat actors can hijack their accounts, take over their pages, publish malicious social media postings, and promote their malvertisement through paid advertising.


The fake AI editor ads in this malvertising campaign commonly target channels about photography.


According to investigations, the campaign uses social media pages typically linked to photography to push the malware. This lends the fake product legitimacy, since its audience consists of photo editor users who are already seeking such tools.

The threat actor then publishes malicious posts with links to bogus websites that resemble the authentic photo editor's website. They also boost these posts with sponsored advertisements to increase user traffic.

Once Facebook users click the URL in the malvertisement, they are redirected to a fake web page posing as a legitimate AI photo editing and generation tool, which prompts them to download and install a software package.

However, instead of AI picture editing software, the victims install the ITarian remote desktop utility, which is configured to launch a downloader that immediately deploys the Lumma Stealer malware.

The malware then discreetly compromises the machine, allowing the operators to capture and exfiltrate sensitive data such as credentials, cryptocurrency wallet files, browser data, and password manager databases.

This stolen information is then sold to other cybercriminals or used by the attackers to hijack victims' online accounts, steal their money, and run further malicious campaigns.

Organisations should train employees to spot phishing attempts and to recognise suspicious messages and links. Users should also always verify the legitimacy of links, especially those requesting personal information or login credentials.
