Hackers are utilizing Fb ads and hijacked pages to advertise pretend Synthetic Intelligence providers, similar to MidJourney, OpenAI’s SORA and ChatGPT-5, and DALL-E, to contaminate unsuspecting customers with password-stealing malware.
The malvertising campaigns are created by hijacked Fb profiles that impersonate common AI providers, pretending to supply a sneak preview of latest options.
Customers tricked by the adverts grow to be members of fraudulent Fb communities, the place the menace actors publish information, AI-generated photographs, and different associated information to make the pages look respectable.
Supply: Bitdefender
Nonetheless, the group posts typically promote limited-time entry to approaching and eagerly anticipated AI providers, tricking the customers into downloading malicious executables that infect Home windows computer systems with information-stealing malware, like Rilide, Vidar, IceRAT, and Nova.
Info-stealing malware focuses on stealing knowledge from a sufferer’s browser, together with saved credentials, cookies, cryptocurrency pockets info, autocomplete knowledge, and bank card info.
This knowledge is then offered on darkish internet markets or utilized by the attackers to breach the goal’s on-line accounts to advertise additional scams or conduct fraud.
Midjourney marketing campaign
The attain of these campaigns is staggering in some circumstances, as individuals’s curiosity in AI is presently very excessive. The developments within the subject are so speedy that it is not straightforward for individuals to maintain up and discern respectable bulletins from apparent fakes.
In one of many circumstances seen by researchers at Bitdefender, a malicious Fb web page impersonating Midjourney amassed 1.2 million followers and remained energetic for practically a 12 months earlier than it was ultimately taken down.
The web page wasn’t created from scratch; as a substitute, the attackers hijacked an current profile in June 2023 and transformed it to a pretend Midjourney web page. Fb shut down the web page on March 8, 2024.
Supply: Bitdefender
Many posts tricked individuals into downloading the infostealers by selling a non-existent desktop model of the software. Some posts highlighted the discharge of V6, which is not formally out but (the newest model is V5).
Supply: Bitdefender
In different circumstances, the malicious adverts promoted alternatives to create NFT artwork and monetize their creations.
Supply: Bitdefender
As you possibly can view the focusing on parameters of Fb adverts within the Meta Advert Library, the researchers discovered that the adverts focused a demographic of males aged 25 to 55 in Europe, primarily Germany, Poland, Italy, France, Belgium, Spain, the Netherlands, Romania, and Sweden.
As a substitute of utilizing Dropbox and Google Drive hyperlinks to host the payloads, the operators of this marketing campaign arrange a number of websites that cloned the official Midjourney touchdown web page, tricking customers into downloading what they thought was the newest model of the art-generating software through a GoFile hyperlink.
Supply: Bitdefender
As a substitute, they received Rilide v4, which masquerades as a Google Translate extension for his or her internet browser, successfully hiding the malware because it siphoned Fb cookies and different knowledge within the background.
Whereas this web page has since been taken down, the menace actors launched a brand new web page that’s nonetheless energetic with over 600,000 members that’s pushing a pretend Midjourney website distributing malware.
Though the imposter web page boasting over 1.2 million followers was lately shut down, our analysis has proven that cybercriminals acted rapidly to arrange a brand new web page impersonating Midjourney between March 8-9, 2024. The web page was additionally arrange after taking up one other consumer’s Fb account, who additionally commented within the evaluation part of the web page warning different customers that the account was hacked. Since we started our investigation, we observed an extra 4 Fb pages making an attempt to impersonate Midjourney, a few of which had been additionally faraway from the platform.
The newest malicious web page impersonating Midjourney seems to have been taken over by the attackers on March 18 when the cybercriminals modified the unique title of the unique Fb web page. As of March 26, the rip-off profile has 637,000 followers (as seen under).
❖ Bitdefender.
This marketing campaign’s success highlights the sophistication of social media-based malvertising methods and the significance of vigilance when participating with on-line ads.
The huge scale of social media networks similar to Fb, coupled with inadequate moderation, permit these campaigns to persist for extended intervals, facilitating the unchecked unfold of malware that results in intensive damages from malware infections.
