Tuesday, November 12, 2024
HomeCyber Security NewsBeware Of Fake AI Editor Website That Steals Your Login Credentials

Beware Of Fake AI Editor Website That Steals Your Login Credentials

Published on

Malware protection

Hackers often make use of fake AI editor websites for several illicit purposes with malicious intent. 

Among their prime activities are deceiving users into providing personal information, downloading malware, making payments for fraudulent services, and many more.

Recently, cybersecurity researchers at Trend Micro identified a sophisticated malvertising campaign that targeted social media users through a multi-step deception process that enabled them to steal login credentials.

- Advertisement - SIEM as a Service

Threat actors do so by taking over pages that deal with pictures and changing them to AI photo editors.

How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide

Fake AI Editor Website

To boost these posts, the threat actor publishes deceiving posts with links to fake photo editing sites via sponsored advertising.

By downloading the alleged editor from these sites, the customers inadvertently install a harmless endpoint administration tool embedded with an infected setup file.

In this way, threat actors can control victims’ devices distantly in order to deploy credential stealers or steal valuable data.

Spam message with phishing link (Source – Trend Micro)

Threat actors send Phishing messages to social media page administrators, often utilizing personalized link pages or Facebook’s open redirect URL to make them look genuine.

Trend Micro said that after gaining access to the accounts, the attackers posted malicious ads with links to fake AI photo editor websites.

These platforms imitate legitimate services such as Evoto, but in reality, they disseminate endpoint management software.

Attack chain (Source – Trend Micro)

The campaign has seen significant traffic, with around 16,000 downloads for the Windows version and 1,200 hits on a non-functional macOS version, further illustrating how extensive and efficient this operation is at tricking users across different platforms.

Download page for the fake photo editor (Source – Trend Micro)

The victims’ devices are unknowingly enrolled in the remote management system of ITarian after the latter disguises it as a photo editor MSI package.

This can be done by granting them full control without needing to use explicitly malicious components. Consequently, two actions will take place through enrollment that we have mentioned below:-

  1. A Python script downloads and executes Lumma Stealer, encrypted with PackLab Crypter. 
  2. Another script disables Microsoft Defender scans for the C: drive. 

Afterward, via specific POST requests, Lumma Stealer establishes communication with its command and control server where it gets base64 encoded configuration.

The stealer, when decrypted, gives instructions on what data to target and exfiltrate, especially focusing on social media credentials and other sensitive information contained here within this configuration.

Recommendations

Here below we have mentioned all the recommendations:-

  • Enable MFA on all social media accounts.
  • Regularly update and use strong, unique passwords.
  • Educate employees on phishing dangers and recognizing suspicious links.
  • Verify the legitimacy of links, especially those asking for personal information.
  • Monitor accounts for unusual behavior.
  • Use security solutions to detect abnormal activities.
  • Employ endpoint technologies for multilayered protection.

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access

Raga Varshini
Raga Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...