Hackers are utilizing Facebook advertisements and compromised pages to promote counterfeit Artificial Intelligence services, including MidJourney, OpenAI’s SORA, ChatGPT-5, and DALL-E, in a scheme to distribute password-stealing malware to unsuspecting users.
These malvertising endeavors involve the creation of deceptive Facebook profiles that mimic popular AI services, offering a false glimpse of upcoming features to lure users into fraudulent Facebook communities. Within these communities, threat actors share news, AI-generated images, and other content to lend an air of legitimacy to the pages.
The posts in these communities then entice users with promises of early access to highly anticipated AI services, prompting them to download malicious executables that infect Windows systems with data-stealing malware such as Rilide, Vidar, IceRAT, and Nova.
The malware focuses on extracting data from the victim's browser, including login credentials, cookies, cryptocurrency wallet details, autofill data, and credit card information. The stolen data is either sold on dark web marketplaces or used by the attackers to take over the victim's online accounts for further fraud.
The scope of these campaigns is substantial, given the heightened interest in AI among the public. The rapid advancements in the field make it challenging for individuals to discern authentic announcements from fraudulent ones.
For instance, Bitdefender researchers uncovered a case where a malevolent Facebook page posing as MidJourney amassed 1.2 million followers over nearly a year before being dismantled. The page, which was repurposed from an existing profile in June 2023, was shut down by Facebook on March 8, 2024.
The deceptive posts on this page lured users into downloading malware by promoting a fictitious desktop version of the tool or by advertising non-existent features such as the unreleased V6 version. The malicious ads also offered users opportunities to create NFT art and monetize their creations.
The malvertising tactics extended to targeted advertising, focusing on men aged 25 to 55 in European countries like Germany, Poland, Italy, France, Belgium, Spain, the Netherlands, Romania, and Sweden. Instead of using conventional file-sharing services like Dropbox or Google Drive, the operators of the campaign employed cloned sites resembling the official MidJourney landing page to deceive users into downloading malware disguised as the latest version of the art-generating tool via a GoFile link.
Subsequently, users unwittingly downloaded Rilide v4, disguised as a Google Translate extension, which covertly harvested Facebook cookies and other data in the background. Despite the removal of the initial deceptive page, threat actors swiftly established a new page with over 600,000 members, perpetuating the distribution of malware under the guise of MidJourney.
The persistence of these campaigns highlights the need for heightened awareness and caution when interacting with online advertisements. The sophistication of social-media-based malvertising makes sustained vigilance essential to curb the spread of malware and limit the damage resulting from these infections.