Fake Facebook MidJourney AI page promoted malware to 1.2 million people

WhatsApp Group Join Now
Telegram Group Join Now
Instagram Group Join Now

Hackers are using Facebook ads and hijacked pages to promote fake artificial intelligence services like MidJourney, OpenAI’s SORA and ChatGPT-5, and DALL-E, to trick unsuspecting users into stealing passwords. can be infected with malware.

Disinformation campaigns are created by hijacked Facebook profiles that impersonate popular AI services, pretending to offer sneak previews of new features.

Users tricked by ads become members of fake Facebook communities, where threat actors post news, AI-generated images and other relevant information to make the pages look legitimate.

Advertisement for OpenAI’s Sora video generation tool
Source: Bitdefender

However, community posts often promote limited-time access to upcoming and eagerly anticipated AI services, forcing users to download malicious executables that infect Windows computers with information-stealing malware. , such as Rilide, Vidar, IceRAT, and Nova.

The information-stealing malware focuses on stealing data from the victim’s browser, including stored credentials, cookies, cryptocurrency wallet information, automated data, and credit card information.

This data is then sold on dark web markets or used by attackers to breach the target’s online accounts to promote further scams or commit fraud.

Mid-travel campaign

The reach of these campaigns is surprising in some respects, given the current high level of public interest in AI. The advancements in the field are so fast that it is not easy for people to keep up and discern the legitimate announcements from the obvious fakes.

In one case seen by Bitdefender researchers, a malicious Facebook page impersonating Midgernie amassed 1.2 million followers and remained active for nearly a year before being taken down.

The page was not created from scratch. Instead, the attackers hijacked an existing profile in June 2023 and turned it into a fake Midjourney page. Facebook shut down the page on March 8, 2024.

A malicious Facebook profile
Source: Bitdefender

Many posts tricked people into downloading InfoStealer by promoting a non-existent desktop version of the tool. Some posts highlighted the release of V6, which is not officially out yet (the latest version is V5).

Promoting a non-existent MJ version
Source: Bitdefender

In other cases, malicious ads promoted opportunities to create NFT art and monetize their creations.

Fake NFT Promotion
Source: Bitdefender

As you can see in the Facebook ad targeting parameters in the Meta Ad Library, the researchers found that the ads targeted 25- to 55-year-olds in Europe, primarily Germany, Poland, Italy, France, Belgium, Spain, the Netherlands, Targeted the male population of Romania, and Sweden.

Instead of using links to Dropbox and Google Drive to host payloads, the campaign’s operators set up a number of sites that cloned the official Midjourney landing page, tricking users into downloading what they believed to be theirs. The idea was the latest version of an art creation tool by GoFile. Link.

One of the fake sites used to deliver malware
Source: Bitdefender

Instead, they found Rilide v4, which masquerades as a Google Translate extension for their web browser, effectively hiding the malware as it takes Facebook’s cookies and other data in the background.

While that page has been taken down, threat actors started a new page that is still active with over 600,000 members promoting the fake Midjourney site that distributes the malware.

Although the fake page, which boasted more than 1.2 million followers, was recently shut down, our research revealed that cybercriminals set up a new page pretending to be Midsummer between March 8-9, 2024. Acted quickly for account, which also commented in the review section of the page and warned other users that the account had been hacked. Since we began our investigation, we have come across an additional four Facebook pages attempting to impersonate Midgerni, some of which have since been removed from the platform.

The latest malicious page impersonating Midgerni appears to have been taken over by attackers on March 18 when cybercriminals changed the original name of the original Facebook page. As of March 26, the scam profile has 637,000 followers (as seen below).

❖ Bitdefender.

The success of this campaign highlights the sophistication of social media-based disruption strategies and the importance of vigilance when engaging with online advertising.

The sheer scale of social media networks like Facebook, with insufficient moderation, allows these campaigns to continue for long periods of time, facilitating the unchecked spread of malware that can lead to widespread damage from malware infections. Is.

WhatsApp Group Join Now
Telegram Group Join Now
Instagram Group Join Now

Leave a Comment