A threat actor is leveraging the allure of artificial intelligence chatbots to spread malware and is targeting businesses on Facebook.
In a report on August 23, cybersecurity firm Trend Micro shared images of paid Facebook ads posted by the threat actor. “These advertisements promise to boost productivity, increase reach and revenue, or assist in teaching, all with the help of AI,” the report said.
The ads promise to give companies access to Google Bard and other AI chatbots. However, the ultimate goal is to spread a malicious browser add-on — which impersonates Google Translate — and steal victims’ credentials.
The threat actor poses as legitimate marketing companies or departments on Facebook, but Trend Micro says the “purchased or bot followers, fake reviews by other hijacked or inauthentic profiles, and a limited online history” are signs that their profiles are fake.
Fake Google Translate Extension
The Facebook ad directs victims to a website that highlights the benefits of LLMs and offers users an “AI package” for download.
“To avoid antivirus detection, the threat actor distributes the package as an encrypted archive with simple passwords like ‘999’ or ‘888’,” Trend Micro’s report said.
When users open and decrypt the archive, they’ll find an MSI installer for a malicious extension that spoofs Google Translate. The extension swipes Facebook cookies — specifically, a “c_user” cookie, which stores a unique user ID.
“A malicious browser extension can read cookies, it can get the content of webpages, and from one particular webpage it can get the access token of the currently logged-in user; then it can use this token to get additional information,” Trend Micro researcher Jaromir Horejsi told VPNOverview.
“Having stolen the access token, the script can query Facebook’s GraphQL API for additional information,” the report explained. Once the access token and cookie are taken, the attackers can execute GraphQL queries to extract data such as the business ID, advertising information, and verification status from the targeted Facebook account.
This data, which includes sensitive business information, is sent to a hacker-controlled server. The threat actor is targeting social media managers and marketers from different companies.
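As an added defender-side example (not code from Trend Micro’s report or from VPNOverview), the following Python audits browser extension manifests for the combination described above: a “Google Translate” lookalike that can read cookies on facebook.com and was sideloaded rather than installed from the Web Store. The genuine extension ID and the Web Store update URL are stated as assumptions, and the two manifests are constructed samples, not indicators from the campaign.

```python
import json
from pathlib import Path

# Assumption: Chrome Web Store ID of the genuine Google Translate extension;
# verify it against the Web Store listing before relying on it.
GENUINE_TRANSLATE_ID = "aapbdbdomjkkjkaonfhkkikfgjllcleb"
FACEBOOK_HOSTS = ("facebook.com", "fb.com")
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def reaches_facebook(pattern):
    """True if a host pattern lets the extension touch facebook.com cookies."""
    return pattern in BROAD_PATTERNS or any(h in pattern for h in FACEBOOK_HOSTS)

def assess_manifest(ext_id, manifest):
    """Return the reasons an extension resembles the spoofed Translate add-on."""
    reasons = []
    perms = set(manifest.get("permissions", []))
    # MV2 puts host patterns in "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    if "translate" in manifest.get("name", "").lower() and ext_id != GENUINE_TRANSLATE_ID:
        reasons.append("impersonates Google Translate: ID is not the Web Store one")
    if "cookies" in perms and any(reaches_facebook(h) for h in hosts):
        reasons.append("can read Facebook cookies such as c_user")
    if "update_url" not in manifest:
        reasons.append("no update_url: sideloaded (e.g. via an MSI installer), not from the Web Store")
    return reasons

def scan_profile(extensions_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and collect findings."""
    findings = {}
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        reasons = assess_manifest(ext_id, json.loads(manifest_path.read_text(encoding="utf-8")))
        if reasons:
            findings[ext_id] = reasons
    return findings

# Constructed sample manifests (not taken from the campaign).
SPOOF_ID = "abcdefghijklmnopabcdefghijklmnop"  # placeholder ID, not a real indicator
SPOOF_MANIFEST = {"name": "Google Translate", "manifest_version": 2,
                  "permissions": ["cookies", "storage", "*://*.facebook.com/*"]}
GENUINE_MANIFEST = {"name": "Google Translate", "manifest_version": 3,
                    "permissions": ["activeTab", "storage"],
                    "update_url": "https://clients2.google.com/service/update2/crx"}

if __name__ == "__main__":
    for ext_id, m in ((SPOOF_ID, SPOOF_MANIFEST), (GENUINE_TRANSLATE_ID, GENUINE_MANIFEST)):
        print(ext_id, assess_manifest(ext_id, m) or "looks fine")
```

Point `scan_profile()` at a user’s Chrome or Edge `Extensions` folder to triage a machine; an extension that trips all three checks matches the pattern the report describes.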
“In one case, one of the authors of this research helped with the incident response of a specific victim and observed that the threat actor had added suspicious users to the victim’s Meta Business Manager,” the report said. “They’ve also used the victim’s prepaid promotion budget to promote the threat actor’s own content. To date, the threat actor has not tried to contact the victim.”
Protecting Your System From Malware
While the identity of the threat actor remains unknown at this time, the researchers observed “several keywords and variables in Vietnamese,” indicating that the threat actor understands the Southeast Asian language.
“The infection vector starts with malicious advertisements. The user still needs to click on the link in the advertisement, download and install the malicious extension. So awareness is the key, having up-to-date security/antivirus software should also help,” Horejsi said.
Among other things, Trend Micro recommends being vigilant of AI-related scams and using a solid antivirus to prevent malware infection. We’ve tested several antivirus tools and rated their performance. Check out our article on the best antivirus for our top picks.
