Hackers are utilizing Facebook ads and pirated pages to promote phony Artificial Intelligence services, such as MidJourney, OpenAI’s SORA and ChatGPT-5, and DALL-E, to contaminate unwary users with password-stealing malware.
The malvertising projects are developed by pirated Facebook profiles that impersonate popular AI services, pretending to provide a preview of brand-new functions.
Users deceived by the advertisements enter of deceitful Facebook neighborhoods, where the danger stars publish news, AI-generated images, and other associated details to make the pages look genuine.
Advertisement for OpenAI’s Sora video generation tool
Source: Bitdefender
The neighborhood posts frequently promote limited-time access to upcoming and excitedly expected AI services, deceiving the users into downloading harmful executables that contaminate Windows computer systems with information-stealing malware, like Rilide, Vidar, IceRAT, and Nova.
Information-stealing malware concentrates on taking information from a victim’s internet browser, consisting of saved qualifications, cookies, cryptocurrency wallet info, autocomplete information, and charge card details.
This information is then offered on dark web markets or utilized by the opponents to breach the target’s online accounts to promote additional rip-offs or perform scams.
Midjourney project
The reach of those projects is staggering sometimes, as individuals’s interest in AI is presently extremely high. The advancements in the field are so fast that it’s difficult for individuals to maintain and recognize genuine statements from apparent phonies.
In among the cases seen by scientists at Bitdefender, a destructive Facebook page impersonating Midjourney accumulated 1.2 million fans and stayed active for almost a year before it was ultimately removed.
The page wasn’t produced from scratch; rather, the assaulters pirated an existing profile in June 2023 and transformed it to a phony Midjourney page. Facebook closed down the page on March 8, 2024.
The harmful Facebook profile
Source: Bitdefender
Numerous posts deceived individuals into downloading the infostealers by promoting a non-existent desktop variation of the tool. Some posts highlighted the release of V6, which isn’t formally out yet (the most recent variation is V5).
Promoting a non-existent MJ variation
Source: Bitdefender
In other cases, the harmful advertisements promoted chances to produce NFT art and monetize their productions.
Phony NFT promo
Source: Bitdefender
As you can see the targeting specifications of Facebook advertisements in the Meta Advertisement Library, the scientists discovered that the advertisements targeted a market of guys aged 25 to 55 in Europe, mostly Germany, Poland, Italy, France, Belgium, Spain, the Netherlands, Romania, and Sweden.
Rather of utilizing Dropbox and Google Drive links to host the payloads, the operators of this project established numerous websites that cloned the main Midjourney landing page, deceiving users into downloading what they believed was the most recent variation of the art-generating tool through a GoFile link.
Among the phony websites utilized for malware shipment
Source: Bitdefender
Rather,