Attackers Hijack Facebook Pages, Promote Malicious AI Photo Editor

Attackers are hijacking pages on Facebook to lure victims into downloading a legitimate artificial intelligence (AI) photo editor, but then serving up a widely distributed infostealer to rob users of their credentials instead.

The malvertising campaign, discovered by researchers at Trend Micro, exploits the popularity of AI and combines a variety of popular threat tactics, including phishing, social engineering, and the use a legitimate utility in a malicious way. The ultimate payload is the Lumma stealer, which targets sensitive information, including user credentials, system details, browser data, and extensions.

The attack hinges on the abuse of paid Facebook promotions, which attackers have leveraged to lure users into engagement and ultimately deliver malware, the researchers noted in a blog post today.

“Once the attacker gains control of the page, ads are posted promoting the AI photo editor, leading victims to download an endpoint management utility disguised as the photo editor,” Trend Micro threat researcher Jaromir Horejsi wrote.

Attackers also are taking advantage of the current attention on AI technology and tools associated with it by using these tools "as lures for malicious activities, which includes phishing scams, deepfakes, and automated attacks," he wrote.

So far, the malicious package associated with the campaign has generated about 16,000 downloads on Windows and 1,200 on macOS. However, the macOS version redirects to the Apple website instead of an attacker-controlled site, suggesting that attackers are only targeting Windows users with the campaign.

Phishing Leads to Hijacked Pages

A typical attack in the campaign starts before a potential victim even sees an ad. Attackers begin by sending phishing messages to owners of the targeted social media page to gain control of the page for their own malicious use. The sender account typically looks like an empty profile with randomly generated user names.

The phishing links in the messages are sent either as direct links or personalized link pages, such as linkup.top, bio.link, s.id, and linkbio.co, among others. Sometimes attackers even abuse Facebook's open redirect URL for these links to appear more legitimate.

If the page operator clicks on the links, they are presented with a screen to verify their information with a "Business Support Center" for Meta developers. Clicking on that screen's "Verify Your Information Here" link leads to a fake account protection page, "which in several subsequent steps, asks users for the information necessary to log in and take over their account, such as their phone number, email address, birthday, and password," Horejsi explained.

After the target provides this info, the attacker steals the profile and begins creating and posting malicious ads for an AI photo editor with links to a fake domain that uses the name of a legitimate tool, such as Evoto.

"The fake photo editor web page looks very similar to the original one, which helps in tricking the victim into thinking that they are downloading a photo editor," Horejsi wrote.

However, what a user who takes the bait actually downloads is the freely available ITarian endpoint management software. The attacker, using a series of back-end processes controls, ultimately controls the victim's machine to download the final payload, the Lumma stealer.

Avoiding Compromise

There are a number of ways that people can avoid falling victim to the campaign and threats that abuse social media pages, which not only can compromise users but also lead to secondary attacks via stolen credentials that act as initial entry into enterprise infrastructure, according to Trend Micro.

Social-media users should enable multifactor authentication on all their accounts to add an extra layer of protection against unauthorized access, as well as regularly update and use strong, unique passwords across all accounts.

Organizations also should regularly practice education and awareness to let their employees know of the dangers lurking on social media while accessing corporate networks, as well as how to identify suspicious messages and links associated with phishing attacks.

Finally, both organizations and individual users should monitor their accounts for any unusual behavior, such as unexpected login attempts or changes to account information. Organizations should employ some kind of detection and response mechanisms.