Trend Micro Inc.

01/08/2024 | News release | Distributed by Public on 01/08/2024 15:09

Social Media Malvertising Campaign Promotes Fake AI Editor Website for Credential Theft

Overview

  • In this blog entry, we examine how threat actors hijack social media pages, rename them to resemble a legitimate AI photo editor, then post malicious links to fake websites, which are boosted via paid ads.
  • The attackers use spam messages with phishing links to steal admin credentials. These links lead to fake account protection pages that trick users into providing their login information.
  • Once the attacker gains control of the page, ads are posted promoting the AI photo editor, leading victims to download an endpoint management utility disguised as the photo editor.
  • The ITarian software is used to execute additional payloads like Lumma Stealer, which exfiltrates sensitive data such as cryptocurrency wallet files, browser data, and password manager databases.
  • Cybercriminals are exploiting the popularity of AI tools by using them as lures for malicious activities, including phishing scams, deepfakes, and automated attacks.

We discovered a malvertising campaign involving a threat actor that steals social media pages (typically related to photography), changing their names to make them seem connected to popular AI photo editors. The threat actor then creates malicious posts with links to fake websites made to resemble the actual website of the legitimate photo editor. To increase traffic, the perpetrator then boosts the malicious posts via paid ads.

The abuse of paid Facebook promotions for malicious activities is not new. In 2023, we published two blog posts on profile stealers, which were implemented either as browser extensions or as standalone applications.

When victims open the malicious websites, they are tricked into visiting the download section and installing the package, which is, as expected, not a photo editor but a legitimate endpoint management utility shipped with a malicious configuration. After successful installation, this utility allows for remote device management. The attacker can then abuse the tool's features to download and execute credential stealers, which ultimately leads to the exfiltration of sensitive data and credentials.

Technical analysis