
Deceptive AI ads on Facebook are being used to disseminate malware


As the industry is dealing with the adoption and after-effects of large language models (LLMs), malevolent actors use the rising curiosity surrounding them to promote malicious advertisements to further their sinister agendas.

Cybersecurity researchers from Trend Micro unravelled a scheme where threat actors manipulated paid Facebook promotions spotlighting LLMs to disseminate malicious code. Their ultimate goal was to implant a treacherous browser add-on and steal users’ credentials.

The hackers employed seemingly legitimate, openly available tools: URL shorteners for redirection, Google Sites for hosting web content, and cloud storage such as Google Drive and Dropbox to house their malicious files.

When the researchers shared their findings with Meta, the company tracked the rogue actor and their tactics and deleted the deceitful pages and ads. Meta also pledged to bolster its detection mechanisms to root out analogous fraudulent content, incorporating insights gleaned from internal and external threat intelligence.

The modus operandi of the threat actor entails leveraging paid Facebook promotions to allure unsuspecting victims. The ads exhibit faux profiles of marketing companies or departments, readily distinguishable by telltale signs like artificially inflated follower counts, counterfeit reviews, and a scant online history.

These ads, adorned with the allure of productivity enhancement, amplified outreach, revenue augmentation, or even AI-driven learning, are designed to entice users into their trap. Some ads dangle access to the elusive Google Bard or Meta AI before users’ eyes, promising a world of AI-aided benefits.

A sample of the malicious AI advertisement on Facebook. | Source: Trend Micro

Once a user succumbs to temptation and clicks the ad link, they are steered to a simplistic webpage extolling the merits of LLMs. Ostensibly innocuous, this page harbours a link tempting users to download the coveted ‘AI package’.

The devious malefactors employ encrypted archives with rudimentary passwords, like ‘999’ or ‘888’, to evade antivirus detection. Hosted on cloud storage platforms like Google Drive or Dropbox, these archives house a solitary MSI installer file. Once executed, the installation process commences, planting various files essential for a Chrome extension. The malefactors then orchestrate browser restarts, cloaking their malicious extension under the guise of Google Translate.

When the researchers analysed the malicious extension, they found it intrusive. It delves into the realm of information theft, targeting Facebook cookies and access tokens, subsequently mining information from Facebook’s GraphQL API. To evade suspicion, the extension even attempts to gather victims’ IP addresses.
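As an added defensive illustration, and not code from Trend Micro or from the article, the following Python check parses a Chrome extension manifest and flags the combination described above: a name that impersonates Google Translate together with permissions that expose Facebook cookies. The two sample manifests and the heuristic name list are constructed assumptions.

```python
"""Flag extension manifests that look like the Google Translate lookalike
described in the report: an impersonating name plus Facebook cookie access."""
import json

# Assumed heuristics (not taken from the report): names that mimic the
# genuine Google Translate extension, and the host the malware targeted.
LOOKALIKE_NAMES = ("google translate", "google translator")
TARGET_HOST = "facebook.com"


def hosts_in(manifest):
    """Collect host patterns from both MV2 'permissions' and MV3 'host_permissions'."""
    hosts = []
    for key in ("permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            if "://" in entry or entry == "<all_urls>":
                hosts.append(entry)
    return hosts


def assess_manifest(manifest_json):
    """Return the reasons a manifest resembles the Facebook-stealing lookalike."""
    manifest = json.loads(manifest_json)
    reasons = []
    name = manifest.get("name", "").strip().lower()
    if any(name.startswith(n) for n in LOOKALIKE_NAMES):
        reasons.append("name impersonates Google Translate")
    if "cookies" in manifest.get("permissions", []):
        reasons.append("requests cookies permission")
    hosts = hosts_in(manifest)
    if "<all_urls>" in hosts or any(TARGET_HOST in h for h in hosts):
        reasons.append("host access covers facebook.com")
    return reasons


def is_suspicious(manifest_json):
    """True only when the impersonating name AND Facebook session access coincide."""
    reasons = assess_manifest(manifest_json)
    has_name = any("impersonates" in r for r in reasons)
    has_access = any("cookies" in r or "facebook" in r for r in reasons)
    return has_name and has_access


# Constructed samples: a harmless translator and a lookalike wanting Facebook cookies.
BENIGN = json.dumps({"name": "My Translator", "manifest_version": 3,
                     "permissions": ["storage"],
                     "host_permissions": ["https://api.example.com/*"]})
LOOKALIKE = json.dumps({"name": "Google Translate", "manifest_version": 3,
                        "permissions": ["cookies", "tabs"],
                        "host_permissions": ["https://*.facebook.com/*"]})

if __name__ == "__main__":
    for label, m in (("benign", BENIGN), ("lookalike", LOOKALIKE)):
        print(label, is_suspicious(m), assess_manifest(m))
```

Run it against the manifest.json of each installed extension under the browser profile's Extensions directory; a hit warrants inspecting the extension's source rather than trusting its display name.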

Users can protect themselves by using common sense and looking up the advertised product or company on Google and other search engines before clicking. Along with that, antivirus solutions with web reputation services, cautious file downloading, and the cultivation of a vigilant mindset serve as formidable safeguards against these emerging threats.



Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: [email protected]