- This post examines how cybercriminals hijack social media pages, rename them to impersonate legitimate AI photo editing tools, and use paid advertising to push malicious links disguised as the genuine websites.
- Attackers send spam messages with phishing links to page administrators in order to steal their credentials; the links lead to fake account-protection pages that trick users into revealing their login details.
- Once they control the page, the attackers advertise a fake AI editor and direct users to download an endpoint management utility disguised as the editor.
- Through the ITarian software, additional payloads such as Lumma Stealer are executed to steal sensitive data, including cryptocurrency wallets, browser data and password databases.
- Exploiting the popularity of AI tools, cybercriminals are using them as lures for phishing scams, deepfakes and automated attacks.
We discovered a malvertising campaign in which a threat actor hijacks social media pages (often photography-related), renames them to mimic well-known AI photo editing tools, and then publishes deceptive posts linking to counterfeit websites that imitate the genuine editor sites. To increase visibility, the actor boosts these posts through paid advertising.
Victims who visit the fake websites are lured into the download section and into installing the software, which, as expected, is not a photo editor but a legitimate endpoint management tool bundled with a malicious configuration. Once installed, the tool allows the device to be administered remotely. The actor can then use the tool's own features to download and run credential stealers, exfiltrating sensitive information and credentials.
To gain control of a targeted social media page, the attacker first sends the page administrator messages containing phishing links, either direct links or customized link pages (linkup.top, bio.link, s.id and linkbio.co, among others). In some cases these links abuse Facebook's open redirect URL to appear more legitimate.

The sender of the message typically uses an empty profile with a randomly generated username followed by a few digits.

If the administrators of the targeted Facebook pages click the customized links, they are shown a screen similar to those depicted below.


Clicking the "Verify Your Information Here" link leads to a fake account-protection page which, over several subsequent steps, asks users for the details needed to access and take over their account: phone number, email address, date of birth and password.



Once all the requested details have been supplied, the attacker takes over the profile and begins posting malicious advertisements.
After seizing control of the Facebook pages, the threat actor starts running advertisements that link to the counterfeit AI photo editor domain. In this case, the genuine photo editor being impersonated is Evoto.

The fraudulent photo editor web page closely resembles the genuine one, making it easier to convince the victim that they are downloading a photo editor. In reality, they are downloading and installing endpoint management software.

Interestingly, the JavaScript responsible for fetching the package keeps a counter in a variable named download_count. At the time of writing, it shows roughly 16,000 downloads of the Windows binary and 1,200 of the macOS version (which only redirects to apple.com and does not serve any binary).
When the victim runs the MSI installer (disguised as the photo editor installer), the device is immediately enrolled for management, giving the threat actor full remote control over it.
As shown in Figure 9, the downloaded file is an ITarian installer. ITarian is a free endpoint management product. The threat actor signs up for a free account, creates a subdomain (seen as the subdomain itstrq in Figures 9 and 10), and generates an installation MSI package. This package must then be distributed to and installed by the victims.
Notably, the MSI package itself contains no malicious components, not even a file carrying a malicious configuration. Instead, the installer file name follows the format em_<token>_installer.msi, and when the installer queries https://mdmsupport.comodo.com/enroll/resolve/token/<token>, the malicious enrollment configuration is returned.

Once the device is enrolled for remote management, several scheduled tasks are launched. These tasks are of the Python_Procedure type and consist of:
1) A simple Python downloader that fetches and executes an additional payload.

Note the user agent value "Magic Browser". The additional payload is typically Lumma Stealer, and its binary is frequently packed with PackLab Crypter.
2) A simple script that excludes drive C: from scanning by Microsoft Defender.

The script modifies the Windows Defender settings by calling Add-MpPreference -ExclusionPath.
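The two host-side indicators described above, the "Magic Browser" user agent on the downloader's HTTP request and the Add-MpPreference -ExclusionPath call, are cheap to hunt for in proxy and PowerShell script block logs. The following detection sketch is an added example, not code from the original post or from Trend Micro; the log lines, hosts and URLs it scans are constructed for the demo, and the log formats (space-separated proxy records with the user agent in quotes, and script block text prefixed by a host) are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log lines: timestamp, client host, method, URL, "user agent", status.
PROXY_LOG = r"""
2024-08-01T10:00:01Z 10.0.0.5 GET http://cdn.example.test/lib.js "Mozilla/5.0 (Windows NT 10.0)" 200
2024-08-01T10:00:07Z 10.0.0.5 GET http://payload.invalid/stage2.exe "Magic Browser" 200
2024-08-01T10:01:00Z 10.0.0.9 GET http://news.example.test/ "Mozilla/5.0 (Windows NT 10.0)" 200
"""

# Constructed PowerShell script block log excerpts: timestamp, host, script text (Event 4104 style).
POWERSHELL_LOG = r"""
2024-08-01T10:00:09Z 10.0.0.5 ScriptBlockText: Add-MpPreference -ExclusionPath "C:\"
2024-08-01T10:02:00Z 10.0.0.9 ScriptBlockText: Get-Process | Sort-Object CPU
2024-08-01T10:03:00Z 10.0.0.7 ScriptBlockText: Add-MpPreference -ExclusionPath 'C:\Build\cache'
"""

MAGIC_UA = "Magic Browser"  # user agent reported for the downloader task
# Capture the path argument of Add-MpPreference -ExclusionPath (quoted or bare).
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*?-ExclusionPath\s+['\"]?([^'\"\s]+)", re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"[A-Za-z]:\\?")


@dataclass
class Finding:
    host: str
    rule: str
    evidence: str


def scan_proxy(lines):
    """Flag requests whose user agent is exactly the downloader's 'Magic Browser' string."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4 or line.count('"') < 2:
            continue  # malformed or not a request record
        host, method, url = fields[1], fields[2], fields[3]
        user_agent = line.split('"')[1]
        if user_agent == MAGIC_UA:
            findings.append(Finding(host, "magic_browser_ua", f"{method} {url}"))
    return findings


def scan_powershell(lines):
    """Flag Defender exclusions; a whole-drive exclusion (e.g. C:\\) gets its own, higher-severity rule."""
    findings = []
    for line in lines:
        fields = line.split()
        match = EXCLUSION_RE.search(line)
        if len(fields) < 2 or not match:
            continue
        host, path = fields[1], match.group(1)
        rule = "defender_exclusion_drive_root" if DRIVE_ROOT_RE.fullmatch(path) else "defender_exclusion"
        findings.append(Finding(host, rule, path))
    return findings


def correlate(findings):
    """Return hosts that show both the downloader user agent and a Defender exclusion:
    either indicator alone can be benign, the pair matches the post-enrollment task chain."""
    ua_hosts = {f.host for f in findings if f.rule == "magic_browser_ua"}
    excl_hosts = {f.host for f in findings if f.rule.startswith("defender_exclusion")}
    return ua_hosts & excl_hosts


if __name__ == "__main__":
    all_findings = scan_proxy(PROXY_LOG.splitlines()) + scan_powershell(POWERSHELL_LOG.splitlines())
    for f in all_findings:
        print(f"{f.host:10} {f.rule:30} {f.evidence}")
    print("hosts matching both indicators:", sorted(correlate(all_findings)))
```

Correlating the two signals rather than alerting on either alone keeps the noise down: a single "Magic Browser" request or an administrator legitimately excluding a build directory is not, by itself, evidence of this campaign, but the same host doing both within minutes is worth an immediate look.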
The final payload is Lumma Stealer. Its initial C&C communication consists of two consecutive POST requests to the /api URL path with the x-www-form-urlencoded content type. The body of the first request is act=life; the body of the second is "act=recive_message&ver=<version>&lid=<id>&j=" (sic!), and the response to it is a Base64-encoded stealer configuration.
The first 32 bytes of the decoded buffer are an XOR key, and the remaining bytes are the encrypted configuration. The decrypted configuration is JSON and lists everything the stealer is instructed to collect.
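The configuration layout just described (Base64, then a 32-byte XOR key followed by the XOR-encrypted JSON) is simple enough to decode in a few lines, which is useful when triaging a captured C&C response. The code below is an added example, not Trend Micro's tooling or any Lumma component; the sample configuration it encodes and decodes is constructed for the demo and the key bytes are arbitrary. The encoder exists only so the example can build a test input offline; the layout it produces is the one the text describes, not a reimplementation of the actual server.

```python
import base64
import json

KEY_LEN = 32  # the decoded buffer starts with a 32-byte XOR key


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_response(config: dict, key: bytes) -> str:
    """Construct a response in the described layout: Base64(key || XOR(json, key)).
    Demo helper only, used to produce test input."""
    if len(key) != KEY_LEN:
        raise ValueError(f"key must be exactly {KEY_LEN} bytes")
    plain = json.dumps(config, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(key + xor_with_key(plain, key)).decode("ascii")


def decode_stealer_config(b64_response: str) -> dict:
    """Decode a captured response: Base64-decode, split off the 32-byte key,
    XOR the remainder with it and parse the resulting JSON."""
    buf = base64.b64decode(b64_response)
    if len(buf) <= KEY_LEN:
        raise ValueError("buffer too short to hold a 32-byte key plus a configuration")
    key, encrypted = buf[:KEY_LEN], buf[KEY_LEN:]
    plain = xor_with_key(encrypted, key)
    try:
        return json.loads(plain.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        # A wrong layout assumption (e.g. a different key length) shows up here rather than as garbage.
        raise ValueError("decrypted bytes are not valid JSON; layout may differ") from exc


# Constructed sample configuration (not a real stealer config) and arbitrary demo key.
SAMPLE_CONFIG = {"id": "demo-config", "targets": ["browser_data", "crypto_wallets", "password_databases"]}
SAMPLE_KEY = bytes(range(1, KEY_LEN + 1))

if __name__ == "__main__":
    captured = build_sample_response(SAMPLE_CONFIG, SAMPLE_KEY)
    print("encoded response:", captured[:48], "...")
    print("decoded config:", json.dumps(decode_stealer_config(captured), indent=2))
```

When applying this to a real capture, strip the HTTP framing first and feed only the response body to decode_stealer_config; a ValueError from the JSON step is the quickest sign that the sample uses a different key length or encoding than the variant described here.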

The targeting of social media users for malicious ends underscores the need for robust security measures to protect account credentials and prevent unauthorized access. Recommended best practices include:
- Users should enable multi-factor authentication (MFA) on all social media accounts to enhance defense against unauthorized intrusions.
- Users should routinely update and implement strong, unique passwords for their social media accounts.
- Organizations should educate their workforce on the perils of phishing assaults and methods to identify suspicious messages and links.
- Users should always validate the authenticity of links, especially those soliciting personal information or login credentials.
- Both organizations and individual users should monitor their accounts for any anomalous activities, such as unexpected login attempts or alterations to account details.
- Organizations should contemplate utilizing security solutions capable of detecting aberrant account behaviors.
- Organizations should consider deploying endpoint technologies such as Trend Vision One™, which provides multilayered protection and behavior detection, helping to block malicious tools before they can cause damage.
- For addressing other forms of AI tool misuse, particularly those involving deepfakes, organizations can contemplate utilizing Trend’s Deepfake Inspector, which assists in shielding against malefactors employing AI face-swapping technology during live video sessions. Users can activate the tool when joining video calls and receive alerts about the presence of AI-generated content or deepfake scams.
The following tactics and techniques are part of the MITRE ATT&CK framework.