Facebook Ads Used to Spread Malicious Chrome Extension Targeting Business Accounts
Overview
A threat actor has been using paid Facebook ads to distribute a malicious Chrome browser extension that steals users' credentials and takes over business accounts. The fraudulent campaign relied on paid ad boosting on the social media platform, using AI technology as the lure. Meta, Facebook's parent company, promptly removed the deceptive pages and advertisements after being alerted by Trend Micro. The attack targeted social media managers, administrators, and marketing professionals, since they typically hold access to company social media accounts. This report describes the incident, explains how the attack works, discusses the use of AI as a popular lure, and offers advice on avoiding compromise.
The Attack
If a Facebook user fell for the bait and clicked on one of the campaign’s ads, they would be directed to a simple website listing the benefits of large language models (LLMs) and offering a link to download the supposed “AI package.” The threat actor distributed the package as an encrypted archive, usually hosted on cloud storage platforms like Google Drive or Dropbox, with easily guessed passwords. Once decrypted, the package contained an MSI installer file, which dropped a few files related to a Chrome extension. This extension aimed to steal Facebook cookies, the user’s access token, browser user agent, managed pages, business account information, advertisement account details, and even the user’s IP address.
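The extension described above only works because of the permissions it is granted: cookie access plus host access to Facebook's domains is what turns a browser add-on into a session stealer. The following is an added defensive example, not code from the article or from Trend Micro, that audits unpacked Chrome extension manifests for that combination. It assumes the standard Chrome manifest layout (MV2 `permissions` host patterns, MV3 `host_permissions`, and `content_scripts[].matches`); the two sample manifests and the host list are constructed for illustration and do not reproduce the campaign's actual extension.

```python
"""Flag Chrome extensions whose permissions would let them read Facebook
session cookies or run code inside Facebook pages.

Added example (not the article's or Trend Micro's code). Assumes extensions
are unpacked on disk with one manifest.json each, as in Chrome's profile
"Extensions" directory. Sample manifests below are constructed."""
from __future__ import annotations

import json
import tempfile
from pathlib import Path

# Hosts whose cookies and tokens the campaign in the article went after.
# Substring matching is a deliberate heuristic: it also catches subdomains.
SENSITIVE_HOSTS = ("facebook.com", "fb.com", "instagram.com")

# Permissions that, scoped to those hosts, allow session or token theft.
RISKY_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "tabs", "scripting"}

# Match patterns that cover every site, and therefore the sensitive ones too.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def matches_sensitive_host(pattern: str) -> bool:
    """True if a match pattern covers a sensitive host or all hosts."""
    p = pattern.lower()
    return p in BROAD_PATTERNS or any(h in p for h in SENSITIVE_HOSTS)


def collect_host_patterns(manifest: dict) -> list[str]:
    """Gather host patterns from MV2 'permissions', MV3 'host_permissions'
    and every content script's 'matches' list."""
    patterns = [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    patterns += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return patterns


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: list[str] = []
    perms = set(manifest.get("permissions", []))
    hosts = sorted({p for p in collect_host_patterns(manifest) if matches_sensitive_host(p)})
    if not hosts:
        return findings  # no reach into sensitive sites, nothing to report
    if "cookies" in perms:
        findings.append(f"cookies permission with host access to {hosts}")
    other = sorted((perms & RISKY_PERMISSIONS) - {"cookies"})
    if other:
        findings.append(f"{other} permissions scoped to {hosts}")
    injected = [s for s in manifest.get("content_scripts", [])
                if any(matches_sensitive_host(m) for m in s.get("matches", []))]
    if injected:
        findings.append(f"{len(injected)} content script(s) injected into {hosts}")
    return findings


def audit_extension_dir(root: Path) -> dict[str, list[str]]:
    """Walk a directory of unpacked extensions; map each flagged manifest path
    to its findings. Unreadable or malformed manifests are skipped."""
    results: dict[str, list[str]] = {}
    for manifest_path in root.rglob("manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue
        findings = audit_manifest(manifest)
        if findings:
            results[str(manifest_path)] = findings
    return results


# Constructed sample: a harmless note-taking extension.
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Tab notes (constructed sample)",
    "permissions": ["storage"],
    "host_permissions": ["https://notes.example/*"],
}

# Constructed sample shaped like the stealer the article describes: cookie
# access plus Facebook host access plus a script injected into Facebook pages.
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3,
    "name": "AI Assistant (constructed sample)",
    "permissions": ["cookies", "tabs", "webRequest", "storage"],
    "host_permissions": ["*://*.facebook.com/*", "*://*.instagram.com/*"],
    "content_scripts": [{"matches": ["*://*.facebook.com/*"], "js": ["inject.js"]}],
}


def demo_audit() -> dict[str, list[str]]:
    """Write both samples to a temporary extensions directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for ext_id, manifest in (("benign-ext", BENIGN_MANIFEST), ("ai-assistant", SUSPICIOUS_MANIFEST)):
            (root / ext_id / "1.0").mkdir(parents=True)
            (root / ext_id / "1.0" / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_extension_dir(root)


if __name__ == "__main__":
    for path, findings in demo_audit().items():
        print(path)
        for f in findings:
            print("  -", f)
```

Pointing `audit_extension_dir` at a real profile's `Extensions` folder turns this into a quick triage pass after an incident: a legitimate extension rarely needs both `cookies` and host access to Facebook, so every hit deserves a manual look at the extension's background and content scripts.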
Exploiting Interest in AI
The attackers capitalized on the growing interest in AI technology and its benefits for professionals. Trend Micro researchers noted that early adopters in industries like marketing, copywriting, and data analysis gain a competitive advantage. However, this interest also creates opportunities for cybercriminals to deceive users. In a campaign discovered in April, criminals concealed the RedLine Stealer behind sponsored ads on hijacked Facebook pages, promoting free downloads of AI chat apps. A report by Deep Instinct found that 70% of security professionals believe generative AI positively impacts employee productivity and collaboration, and 63% stated it improves employee morale.
Meta’s Response and Countermeasures
Meta promptly removed the fraudulent pages and ads after being alerted by Trend Micro. In addition, the company has shared with Trend Micro its plans to strengthen detection systems and identify similar fraudulent ads and pages using insights from internal and external threat research. Trend Micro suggests deploying an antivirus solution with web reputation services as a countermeasure to such threats. They also advise users to scan files downloaded from the internet and remain vigilant against threat actors exploiting the hype surrounding new developments in artificial intelligence.
Red Flags and Protective Measures
To avoid falling victim to similar campaigns, users should be aware of the following red flags:
– A landing site that looks too good to be true, with a polished, high-flying appearance, and a link to a malicious file.
– Promises of access to Google Bard, despite its limited availability.
– Services offered that seem overly advantageous, as official access to AI-based systems is typically expensive or limited.
– Any inconsistencies in the wording and appearance of promotional posts.
– A password-protected file offered on the landing site, seemingly available to everyone.
Conclusion
This recent incident involving Facebook ads being used to spread a malicious Chrome extension highlights the need for heightened internet security measures and user awareness. Threat actors are increasingly leveraging users’ interest in AI technology to deceive and exploit them. It is crucial for both individuals and organizations to adopt strong cybersecurity practices, including deploying reputable antivirus solutions, scanning downloaded files, and remaining vigilant against suspicious campaigns. As AI continues to evolve and play an increasingly significant role in our daily lives, the risks associated with its misuse must be carefully addressed to ensure the protection of individuals and businesses from cyber threats.
<< photo by Uriel Soberanes >>
The image is for illustrative purposes only and does not depict the actual situation.