Fake AI Editor Sites Stealing Login Credentials – Beware!

Threat actors hijack social media photography pages, rebrand them as popular AI photo editors, and distribute malicious links through paid ads. Phishing attacks targeting admin credentials are used to gain control, after which endpoint management utilities disguised as photo editors are promoted and installed. 

The utilities are leveraged to deploy credential stealers like Lumma Stealer, exfiltrating sensitive data including cryptocurrency wallets, browser data, and password manager information. 

Attack chain

Attackers aiming to seize control of social media pages bombard administrators with phishing messages, which contain links that appear legitimate by abusing Facebook’s open redirect URL format. 

The senders typically use fake profiles with generic usernames and random numbers to avoid detection. This tactic, known as spamvertising, aims to trick admins into clicking malicious links that could compromise their accounts and ultimately grant control of the targeted page. 

Spam message with phishing link

An attacker employs personalized phishing links on targeted Facebook pages, redirecting victims to a fraudulent account protection page, which entices users to divulge sensitive information, including their phone number, email, birthday, and password, through a multi-step process. 

Upon acquiring these credentials, attackers hijack the compromised account to disseminate malicious advertisements. 

Phishing page

Threat actors are hijacking Facebook pages and repurposing them as platforms to distribute malicious advertisements promoting a fake AI photo editor. By masquerading as legitimate promotions for a reputable photo editor, Evoto, the ads are strategically placed to maximize visibility through paid advertising. 

According to Trend Micro, the ultimate goal is to lure unsuspecting users to a fraudulent website, potentially for credential theft or malware distribution.

Download page for the fake photo editor

The attackers use fake photo editor web pages to trick users into downloading endpoint management software (EMS), which closely resembles legitimate photo editors, making it appear trustworthy.

The download itself is triggered by JavaScript containing a variable called “download_count,” which tracks the number of successful downloads and indicates that roughly 16,000 users downloaded the Windows binary. The macOS version redirects to apple.com without offering a download (potentially a decoy tactic). 

Attackers abuse the free remote management software ITarian to gain full control of victim devices by creating a disguised MSI installer that enrolls victims upon execution. 

Malicious ITarian configuration

The installer itself is clean, but upon enrollment it retrieves a malicious configuration from an attacker-controlled subdomain. That configuration triggers scheduled tasks, including a Python downloader for additional payloads (such as Lumma Stealer) and a script that disables Microsoft Defender on drive C:.

Lumma Stealer is the final payload delivered through two consecutive POST requests to a /api endpoint. The first request initiates communication, while the second fetches a Base64-encoded configuration. 

The configuration, decrypted using an XOR key embedded within the data, is formatted in JSON and outlines the specific data the stealer is designed to exfiltrate from the compromised system. 
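To illustrate the configuration format described above, here is an added analyst-side decoder (not code from the article, Trend Micro, or the malware): it Base64-decodes a blob, peels off an embedded XOR key, decrypts the remainder, and parses the JSON. The key position and length (first 32 bytes) are an assumption the article does not state, so the helper also tries several candidate key lengths; the sample blob is constructed inline.

```python
import base64
import json
from typing import Optional

# Assumption (not stated in the article): the XOR key occupies the first
# KEY_LEN bytes of the Base64-decoded blob and the ciphertext follows it.
KEY_LEN = 32


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_config(blob_b64: str, key_len: int = KEY_LEN) -> dict:
    """Base64-decode, split off the embedded key, XOR-decrypt, parse JSON."""
    raw = base64.b64decode(blob_b64)
    if len(raw) <= key_len:
        raise ValueError("blob too short to hold a key plus ciphertext")
    key, ciphertext = raw[:key_len], raw[key_len:]
    plaintext = xor_bytes(ciphertext, key)
    try:
        return json.loads(plaintext.decode("utf-8"))
    except ValueError as exc:  # covers UnicodeDecodeError and JSONDecodeError
        raise ValueError("decrypted bytes are not JSON; wrong key layout?") from exc


def find_key_len(blob_b64: str, candidates=(16, 32, 64)) -> Optional[int]:
    """Try candidate key lengths; return the first that yields valid JSON."""
    for n in candidates:
        try:
            decode_config(blob_b64, n)
            return n
        except ValueError:
            continue
    return None


def build_sample(config: dict, key: bytes) -> str:
    """Constructed test input: emulate the wire format assumed above."""
    plaintext = json.dumps(config).encode("utf-8")
    return base64.b64encode(key + xor_bytes(plaintext, key)).decode("ascii")


# Constructed sample, loosely modelled on the data categories the article names.
SAMPLE_CONFIG = {
    "targets": ["browser_data", "crypto_wallets", "password_managers"],
    "c2": "https://example.invalid/api",
}
SAMPLE_KEY = bytes(range(1, KEY_LEN + 1))
SAMPLE_BLOB = build_sample(SAMPLE_CONFIG, SAMPLE_KEY)

if __name__ == "__main__":
    print("key length:", find_key_len(SAMPLE_BLOB))
    print(json.dumps(decode_config(SAMPLE_BLOB), indent=2))
```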

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.