Threat Actors Are Hijacking Legit Facebook Pages to Distribute Data Stealing Malware
- A new malware campaign has emerged on Facebook in which threat actors hijack Facebook pages and post malicious ads that lure the victims into downloading a fake AI photo editor.
- While the victims think they are downloading a legitimate photo editing app, in reality, they are downloading data-stealing malware.
- 16,000 Windows users and 1,200 macOS users have already been affected by this scam.
In a new malware campaign, threat actors are hijacking Facebook pages and using them to trick victims into downloading a fake AI photo editor (Evoto photo editor) that mimics legitimate editing apps.
So far, more than 16,000 Windows users and 1,200 macOS users have unknowingly downloaded the malware. The campaign was discovered by TrendMicro researchers.
"We discovered a malvertising campaign involving a threat actor that steals social media pages (typically related to photography), changing their names to make them seem connected to popular AI photo editors" - researcher Jaromir Horejsi
These miscreants are not only creating fake Facebook ads but also building websites that closely resemble the original ones so that the victims don't get suspicious during any stage of the process.
How Does the Attack Unfold?
Speaking of the malware, it's basically a data stealer - once the victim downloads the infected app, all their data is stolen. Here's how it works.
- The first victims of the attack are Facebook page owners. They are sent phishing emails or messages that lead them to fake security pages.
- Then, in the name of providing them with extra protection, the owners are tricked into sharing their login details.
- Once the threat actors get the login details, they take over the page, publish malicious social media posts, and promote them through paid ads.
- Once someone clicks on the links, they are sent to a malicious website where they are prompted to download and install software.
The victims think they are downloading an image editing tool but what they are actually downloading is the legitimate ITarian remote desktop tool which has been configured to launch a downloader that automatically deploys the Lumma Stealer malware.
Once the malware is successfully in, all sensitive information such as passwords, browser data, login credentials, and even digital wallet login information is in the attackers' hands.
What exactly is done with the data is not yet known, but it is either sold to other cybercriminals or used by the threat actors to commit financial scams.
How Can You Protect Yourself Against Such Scams?
The first thing that every user should do is download apps directly from the Google Play Store or the Apple App Store. Do not sideload apps or download them from unverified links.
As for organizations, they need to educate their employees on the dangers of phishing attacks. Familiarise them with the different types of attacks and show them a few examples so that if they encounter one, they can at least recognize the scam. Plus, page admins should not share their login credentials with an unknown external third party.
Last but not least, organizations should constantly monitor their devices. If there's any unusual activity, such as an unknown login attempt, the incident needs to be flagged and investigated before it's too late.
The post Threat Actors Are Hijacking Legit Facebook Pages to Distribute Data Stealing Malware appeared first on The Tech Report.