AI Photo Editor Impersonation: Hackers Hijack Social Media Pages with Phishing Links to Harvest Credentials

Recently, security experts found a sophisticated Malvertising campaign that uses social media pages to propagate malware and phishing attacks. The campaign targets pages, especially those related to photography, and alters their names to appear as though they are associated with renowned AI photo editors.

What is Malvertising?

Malvertising (a portmanteau of "malicious software (malware) advertising") is the use of online advertising to spread malware. Basically, it is a tactic where cybercriminals embed malware or redirect users to malicious sites through seemingly legitimate online advertisements. 

In this most recent campaign, the perpetrators of the attack have taken advantage of the growing interest in AI technology, namely content creation tools backed by AI, to attract their victims.

Let us go through this malvertising campaign step by step.

Source: Trend Micro

A step-by-step breakdown of the Malvertising Campaign

  • The attacker sends the page admin a phishing message disguised as a complaint or a terms-of-service violation notice.
  • These phishing messages contain links hosted on link-page services such as linkup.top, bio.link, s.id, and linkbio.co. Some of them route through a Facebook open redirect URL so that the link appears to point at Facebook itself and looks more legitimate.

Spam message with phishing link

  • The attacker typically uses an empty profile with randomly generated usernames followed by a few digits.


The profile of the attacker

  • If the targeted page admin clicks on the custom links, the screen below shows up.


Example - Personalized link

  • Clicking the "Verify Your Information Here" link leads to a fake account security page. This page asks for the admin's phone number, email address, birthday, and password, among other details; everything an attacker needs to log in and take over the account.


Phishing page, Step 1
Phishing page, Step 2
Phishing page, Step 3

  • Once the victim hands over this information, the attacker takes over the page and uses it to post malicious ads that link to the fake AI photo editor domain.

Here, Evoto is the legitimate photo editor exploited.

Malicious ads for the "Evoto photo editor" from various Facebook pages

  • The target believes they are downloading a photo editor because the fake web page closely mimics the real one. What they actually download and install is endpoint management software.

Download page for the fake photo editor

  • Impressively, the JavaScript that serves the package keeps a download_count. At the time of writing, the Windows binary had 16,000 hits and the macOS link 1,200 (the macOS link redirects to apple.com and does not return a binary).

Downloaded JavaScript with statistics

  • When the target runs the MSI installer, which looks like an installer for a photo editor, the device is automatically enrolled in the attacker's management console. This gives the threat actor full remote control of the machine.

  • The link downloads an ITarian remote desktop tool configured to launch a downloader that automatically deploys the Lumma Stealer malware.

ITarian is a free endpoint management software.

After stealthily infiltrating the system, the malware harvests credentials, cryptocurrency wallet files, browser data, and password manager databases.
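The first step of the chain above is the one a page admin or SOC analyst can catch cheaply: a "violation" message whose link lands on a link-page service or passes through an open redirect. The following triage helper is an added example, not code from Trend Micro or Threatcop; it scores an inbound message on the link-page hosts named in this write-up, a generic nested-URL-in-query-string check for the open-redirect shape, and the lure phrasing. All sample messages and hosts such as example.com are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Link-page / shortener hosts observed in the campaign (from the write-up)
LINK_PAGE_HOSTS = {"linkup.top", "bio.link", "s.id", "linkbio.co"}

# Lure phrasing typical of fake policy-violation notices
LURE_PATTERNS = [
    r"terms of service", r"violat", r"verify your (information|account)",
    r"page will be (removed|disabled|deleted)", r"copyright",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def nested_url_in_query(url: str) -> bool:
    """True if a query parameter value is itself a URL: the open-redirect shape."""
    query = parse_qs(urlparse(url).query)
    return any(re.match(r"https?://", unquote(v), re.IGNORECASE)
               for values in query.values() for v in values)


def triage_message(text: str) -> dict:
    """Score one inbound message; returns URLs, findings and a verdict."""
    urls = URL_RE.findall(text)
    findings = []
    for u in urls:
        host = (urlparse(u).hostname or "").lower()
        if host in LINK_PAGE_HOSTS:
            findings.append(f"link-page host: {host}")
        if nested_url_in_query(u):
            findings.append(f"open-redirect pattern: {host} forwards to embedded URL")
    lure_hits = [p for p in LURE_PATTERNS if re.search(p, text, re.IGNORECASE)]
    score = len(findings) + len(lure_hits)
    verdict = "suspicious" if score >= 2 else ("review" if score == 1 else "clean")
    return {"urls": urls, "findings": findings, "lure_hits": lure_hits, "verdict": verdict}


# Constructed sample messages (not real campaign content)
SAMPLE_VIOLATION = ("Your page has violated our Terms of Service. Verify your information "
                    "here: https://bio.link/example-verify or it will be removed in 24 hours.")
SAMPLE_REDIRECT = "Details: https://example.com/l.php?u=https%3A%2F%2Fexample-verify.test%2F"
SAMPLE_BENIGN = "Great photos! See my gallery at https://example.org/gallery"

if __name__ == "__main__":
    for msg in (SAMPLE_VIOLATION, SAMPLE_REDIRECT, SAMPLE_BENIGN):
        print(triage_message(msg)["verdict"], triage_message(msg)["findings"])
```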

Note: In April, a similar Facebook malvertising campaign promoted a malicious page impersonating Midjourney to target almost 1.2 million users with the Rilide Stealer Chrome browser extension.

How to Safeguard Yourself from Malvertising Attacks?

  • Check website legitimacy and reviews before clicking ads or links.

  • Ensure strong and unique passwords for all accounts.

  • Add an extra security layer with Two-Factor Authentication.

  • Avoid granting extensive permissions to apps/websites.

  • Keep updated on cybersecurity threats and tactics.

So far, the malicious software associated with the campaign has generated about 16,000 downloads on Windows and 1,200 on macOS.

How Can Threatcop Help Safeguard Your Organization from Malvertising Attacks?

Security Awareness Training & Malvertising Simulation

By being aware of how malvertising operates and identifying malicious advertisements, employees can avoid clicking on questionable advertisements, hence minimizing the likelihood of becoming infected.

DNS Service

A secure DNS service can block access to known malicious domains used in malvertising campaigns.

Malvertising poses a significant threat to organizations by exploiting online advertising to distribute malware. If you put these fundamentals into practice, you will be able to strengthen the defenses of your firm against malicious advertising and safeguard your most important assets.
