Tag Archives: malware

Fake Facebook MidJourney AI Page Promoted Malware To 1.2 Million People



Hackers are using Facebook advertisements and hijacked pages to promote fake Artificial Intelligence services, such as MidJourney, OpenAI’s SORA and ChatGPT-5, and DALL-E, to infect unsuspecting users with password-stealing malware, Bleeping Computer reported.

The malvertising campaigns are created from hijacked Facebook profiles that impersonate popular AI services, pretending to offer a sneak peek of new features.

Users tricked by the ads become members of fraudulent Facebook communities, where the threat actors post news, AI-generated images, and other related info to make pages look legitimate.

However, the community posts often promote limited-time access to upcoming and eagerly anticipated AI services, tricking users into downloading malicious executables that infect Windows computers with information-stealing malware like Rilide, Vidar, IceRAT, and Nova.

Information-stealing malware focuses on stealing data from a victim’s browser, including stored credentials, cookies, cryptocurrency wallet information, autocomplete data, and credit card information.

The Record reported cybercriminals are taking over Facebook pages and using them to advertise fake generative artificial intelligence software loaded with malware.

According to researchers at the cybersecurity company Bitdefender, the cybercrooks are taking advantage of the popularity of new generative AI tools and using “malvertising” to impersonate legitimate products like Midjourney, Sora AI, ChatGPT-5, and others.

The campaigns follow a certain blueprint. Cybercriminals take over a Facebook account and begin to make changes to the page’s descriptions, cover and profile photo. According to Bitdefender, they make “the page seem as if it is run by well-known AI-based image and video generators.”

They then populate the pages with purported product news and advertisements for software, which are themselves generated with AI software.

The downloads contain various types of info-stealing malware – like Rilide, Vidar, IceRAT, and Nova Stealers — which are available for purchase on the dark web, allowing unsophisticated cybercriminals to launch attacks.

According to The Record, the most notable Facebook page hijack involved the application Midjourney, a popular tool for creating AI-generated images. Its hijacked page had 1.2 million followers and was active for nearly a year before it was shut down earlier this month.

Tom’s Guide reported that once an account is compromised, the hackers give it an AI-themed makeover: new cover and profile photos and a new description to make it appear as if it is run by a well-known AI service, followed by AI-generated photos and advertisements to further impersonate whichever AI image or video generation service they want to leverage in their attacks.

During their investigation, Bitdefender’s security researchers found that the hackers responsible used a much different approach with MidJourney. For other AI tools, they urged visitors to download the latest versions from Dropbox or Google Drive, but with Midjourney, they created more than a dozen malicious sites that impersonated the tool’s actual landing page. These sites then tried to trick visitors into downloading the latest version of the tool via a GoFile link.

In my opinion, the cybercriminals are obviously terrible people who want to take advantage of others. I’m hoping that Facebook has taken swift action against the crooks who likely caused harm to several Facebook users.


Facebook Pages Impersonating Meta Are Spreading Malware



Sketchy Facebook pages impersonating businesses are nothing new, but a flurry of recent scams is particularly brazen, TechCrunch reported.

A handful of verified Facebook pages were hacked recently and spotted slinging likely malware through ads approved by and purchased through the platform. But the accounts are easy to catch – in some cases, they were impersonating Facebook itself.

TechCrunch also reported that the compromised accounts include official-sounding pages like “Meta Ads” and “Meta Ads Manager.” Those accounts shared suspicious links to tens of thousands of followers, though their reach probably extended well beyond the paid posts.

In another instance, a hacked verified account purporting to be “Google AI” pointed users toward fake links for Bard, Google’s AI chatbot. That account previously belonged to Indian singer and actress Miss Pooja before the account name was changed on April 29. That account, which operated for at least a decade, boasted more than 7 million followers.

Meta posted on its Engineering at Meta blog an article titled “The malware threat landscape: NodeStealer, DuckTail, and more”. Here is part of what the company posted:

  • We’re sharing our latest threat research and technical analysis into persistent malware campaigns targeting businesses across the internet, including threat indicators to help raise our industry’s collective defenses across the internet.
  • These malware families – including Ducktail, NodeStealer and newer malware posing as ChatGPT and other similar tools – targeted people through malicious browser extensions, ads, and various social media platforms with an aim to run unauthorized ads from compromised business accounts across the internet.
  • We’ve detected and disrupted these malware operations, including previously unreported malware families, and have already seen rapid adversarial adaptation in response to our detection, including some of them choosing to shift their initial targeting elsewhere on the internet.

“…We know that malicious groups behind malware campaigns are extremely persistent, and we fully expect them to keep trying to come up with new tactics and tooling in an effort to survive disruptions by any one platform where they spread. That’s why our security teams tackle malware – one of the most persistent threats online – as part of our defense-in-depth approach through multiple efforts at once.

It includes: malware analysis and targeted threat disruption, continuously improving detection systems to block malware at scale, security product updates, community support and education, threat information sharing with other companies and holding threat actors accountable in court. This helps raise the cost for these malicious groups and limits the lifecycle of any single strain of malware – forcing threat actors to continue to invest time and resources into constantly adapting to stay afloat…

Meta provided some information about Ducktail:

“…A long-running malware family known in the security community as Ducktail is a good example. For several years, we’ve tracked and blocked iterations of Ducktail originating from Vietnam that have evolved as a result of enforcements by Meta and our industry peers. Ducktail is known to target a number of platforms across the internet, including:

  • LinkedIn to socially engineer people into downloading malware;
  • Browsers like Google Chrome, Microsoft Edge, Brave, and Firefox to gain access to people’s information on desktop; and
  • File-hosting services such as Dropbox and Mega, to host malware.”

Meta also provided some information about the novel NodeStealer malware:

“In late January 2023, our security team identified a new malware NodeStealer that targeted internet browsers on Windows with a goal of stealing cookies and saved usernames and passwords to ultimately compromise Facebook, Gmail, and Outlook accounts. NodeStealer is custom-written in JavaScript and bundles the Node.js environment. We assessed the malware to be of Vietnamese origin and distributed by threat actors from Vietnam…”

Regarding NodeStealer, Meta wrote: “While the file is a Windows executable file (with an exe Extension) it is disguised as a PDF file with a PDF icon. We also observed metadata on the file that attempts to disguise the file as a product of “MicrosoftOffice”.”
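Meta’s description above, a Windows executable dressed up as a PDF, points at a check defenders can automate: compare what the bytes actually are with what the file name claims. The Python below is an added example written for this page, not code from Meta or from the NodeStealer analysis. The sample file names and the minimal PE header it builds are constructed, and the extension lists are my own choices, not anything the page specifies.

```python
from __future__ import annotations

import struct
from pathlib import PurePath

# Extensions a user reads as "harmless document" (assumed list, not from the page).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".png"}
# Extensions Windows will execute directly (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".dll", ".msi"}
# What the outer extension claims the content should be.
EXPECTED_TYPE = {".exe": "pe", ".scr": "pe", ".dll": "pe", ".pdf": "pdf",
                 ".docx": "zip", ".xlsx": "zip", ".pptx": "zip", ".zip": "zip"}


def sniff_type(data: bytes) -> str:
    """Identify the real container format from leading bytes, ignoring name and icon."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # A PE file stores the offset of its "PE\0\0" signature at 0x3C (e_lfanew).
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "mz-dos"          # MZ header without a PE signature (old DOS binary)
    if data[:5] == b"%PDF-":
        return "pdf"
    if data[:4] == b"PK\x03\x04":
        return "zip"             # also docx/xlsx/pptx, jar, apk
    return "unknown"


def extensions(filename: str) -> list[str]:
    """All dotted suffixes, lower-cased: 'Setup.pdf.exe' -> ['.pdf', '.exe']."""
    return [s.lower() for s in PurePath(filename).suffixes]


def assess(filename: str, data: bytes) -> dict:
    """Flag the disguises described in the text: hidden double extension, and
    executable content behind a document-looking name."""
    exts = extensions(filename)
    outer = exts[-1] if exts else ""
    kind = sniff_type(data)
    findings = []
    # "report.pdf.exe": Explorer hides known extensions by default, so it shows as "report.pdf".
    if outer in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        findings.append("double_extension")
    # Content type disagrees with what the visible extension promises.
    if outer in EXPECTED_TYPE and kind != "unknown" and EXPECTED_TYPE[outer] != kind:
        findings.append("content_mismatch")
    # A PE binary anywhere near a document extension is the NodeStealer pattern.
    if kind == "pe" and any(e in DOCUMENT_EXTS for e in exts):
        findings.append("executable_posing_as_document")
    return {"filename": filename, "sniffed": kind, "extensions": exts, "findings": findings}


def make_fake_pe() -> bytes:
    """Constructed 0x44-byte stub with a valid MZ/PE signature layout (not a real binary)."""
    header = bytearray(0x44)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header)


if __name__ == "__main__":
    # Constructed samples: names are illustrative, not real indicators.
    samples = [
        ("Midjourney_Setup.pdf.exe", make_fake_pe()),
        ("Annual_Report.pdf", make_fake_pe()),
        ("Annual_Report.pdf", b"%PDF-1.4\n%constructed sample\n"),
        ("setup.exe", make_fake_pe()),
    ]
    for name, blob in samples:
        print(assess(name, blob))
```

Checking the PE signature rather than the displayed name matters because both of the cues a user sees can be faked: Windows Explorer hides known extensions by default, so `Midjourney_Setup.pdf.exe` is shown as `Midjourney_Setup.pdf`, and the icon shown for an executable comes from its own resource section, which is where the PDF icon Meta mentions lives.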

The best advice I can give people who are on Facebook is to put a 2FA app (two-factor authentication) on your phone. In addition, be wary of sketchy looking ads that have clickable links in them.


Have You Been Gooliganed?



A quick public service announcement….at the end of November security firm Check Point and Google announced that a variant of Ghost Push malware called Gooligan had infected over a million Google accounts, with numbers increasing every day. The malware is present in apps typically downloaded outside of Google Play and infects devices on Android 4 (Jelly Bean and KitKat) and 5 (Lollipop).

Gooligan
Courtesy of Check Point

If infected, the malware exposes “messages, documents, photos and other sensitive data. This new malware variant roots devices and steals email addresses and authentication tokens stored on the device.” so it’s not very nice.

Fortunately, the team at Check Point have developed a tool which checks if your Google account has been compromised. All you have to do is enter the email address associated with your Android device.

While we are on the subject, if you want to check if your email address has been garnered in any of the recent security breaches, check out haveibeenpwned.com which tells you who’s been sloppy with your details (thanks, Adobe and LinkedIn).


Twitter banning Bit.ly, other URL Shorteners on Direct Messages (DM)



Today I was trying to send a direct message to a friend. Included was a bit.ly link to a page I needed him to see. For some reason, Twitter kept saying there was an error and could not send the DM. After checking his page to make sure he was still following me and sending a couple of test DMs successfully, I realized the problem was the bit.ly link.

I did a search and found that indeed, Twitter was blocking DMs with bit.ly links. Others reported that many different links could not be sent via DM; CBS.com was among the domains blocked.

Of course, this is because Twitter now allows non-followers to DM people. You have to opt in to the option, but with it you can get messages from many different people.

The Twitter error Message Needs to Be Fixed

So a direct message containing a link could come back saying the person might not be following you. That could be totally confusing, especially if you know they are. I almost chalked it up as a Twitter database error but decided to check and see if there were any changes.

The only advantage of allowing non-followers to DM is if your Twitter account is a corporate one or you have over 10,000 followers and don’t want to follow them all back.

The Problem with Blocking Bit.ly – the Mask-Around

Spammers are smart and/or intuitive. Instead of using bit.ly, they’ll use another system that gets around the Twitter block. Twitter might then block that too, but in the meantime you don’t see a bit.ly link – you see a My.website link. Give a spammer/hacker 2-3 days with an $8/year domain and they could make enough to buy another $8 domain and start the process over again.

Of course this is a very common problem with URL shorteners. TinyURL added spam-blocking and virus-protection tools shortly after it started. Bit.ly also has some preventative measures (using companies like Sophos, Verisign, Websense and more). Still, they are not responsible for third-party content reached through their links.

Bottom Line – Don’t click on unknown links

Usually bad links start with “Hey, is this you” or “I got a way you can make money” which really translates to “I got a way for ME to make money using you”. If you choose to opt-in to letting anyone DM you, keep in mind you will get spam in your message box. If you don’t feel confident you can sniff out the good from bad, then simply don’t check the box.


Fake Bad Piggies Malware Hits Google Play, Android Phones



If you are a fan of the Angry Birds series, then you know about Bad Piggies – a sequel to the popular bird game. Security company F-Secure detected a faux app in the Play Store that looked and felt like Bad Piggies by Rovio. However, this app had a slight alteration to the name (Bad Pigs) and a different developer name.

Since the detection, Google Play has removed this malware version from its store. Unfortunately, 10,000 downloads have occurred since May 25, 2013. The app asks the user for permission to do more than just push notifications and simple data collection.

If any app asks for more information – including full access to your location and personal information, you should remove the app and report it. Usually trojanized apps are popular games, since they see more downloads.

Bad Piggies is a free app that sees between 10,000 – 50,000 downloads on Google Play. It is available as Android and iOS apps, as well as for Mac and PC.

If you are one of the duped app users, simply delete the app through the Android application manager.
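The post’s advice, remove an app that asks for far more than a game needs, can be turned into a repeatable check once the APK’s manifest has been decoded to readable XML (apktool produces that form). The Python below is an added example for this page, not code from F-Secure, Google or Rovio. The manifest it parses is constructed to look like an over-privileged game and is not the real Bad Pigs manifest, and the “game baseline” set is my assumption about what a casual game legitimately requests.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Assumed baseline: what a casual game plausibly needs (network, ads, 2013-era
# C2DM push notifications, vibration, keeping the screen on, saving progress).
GAME_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.VIBRATE",
    "android.permission.WAKE_LOCK",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "com.google.android.c2dm.permission.RECEIVE",
}

# Permissions that expose location or personal data; none belong in a game.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CALL_LOG",
    "android.permission.GET_ACCOUNTS",
    "android.permission.RECORD_AUDIO",
}

# Constructed sample manifest (package name and permission set are made up).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.badpigs">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Bad Pigs"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return every android:name declared in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.findall("uses-permission")]


def triage(manifest_xml: str, baseline: set[str] = GAME_BASELINE) -> dict:
    """Compare requested permissions against the expected baseline and call out
    the sensitive ones, which is what the post tells users to look for."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    unexpected = sorted(p for p in perms if p not in baseline)
    sensitive = sorted(p for p in unexpected if p in SENSITIVE)
    return {
        "package": root.get("package"),
        "requested": perms,
        "unexpected": unexpected,
        "sensitive": sensitive,
        "verdict": "review_or_remove" if sensitive else "consistent_with_a_game",
    }


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    print(result["package"], result["verdict"])
    for perm in result["sensitive"]:
        print("  sensitive:", perm)
```

The baseline is the part worth tuning: a game with online leaderboards legitimately needs `INTERNET`, but nothing about a physics puzzle explains `READ_CONTACTS` or fine location, and that gap is exactly the signal the post describes when it says the app asks for more than push notifications and simple data collection.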


GNC-2012-04-13 #757 Are you an Enabler?



I have a couple of fantastic stories to tell you tonight, but you have to listen all the way through to get the impact. I leave for Vegas and NAB tonight. I would expect the Monday show to be a compilation of content from the first day at NAB. Next week’s Thursday show may be a challenge as I get back into Honolulu very late.

Support my Show Sponsor: Best Godaddy Promo Codes
$11.99 – For a New Domain Name cjcfs3geek
$6.99 a month Economy Hosting (Free domain, professional email, and SSL certificate for the 1st year.) Promo Code: cjcgeek1h
$12.99 a month Managed WordPress Hosting (Free domain, professional email, and SSL certificate for the 1st year.) Promo Code: cjcgeek1w
Support the show by becoming a Geek News Central Insider

Download the Audio Show File

Links to all the articles talked about in this Podcast are on the Show Notes Page [Click Here]


G Data Mobile Security for Android



G Data’s Mobile Security provides anti-virus and security monitoring for Android smartphones and tablets. Is this really necessary, you might ask, but I think after some of the recent malware removals by Google, there’s sufficient evidence that Android will increasingly be a target for malware and virus writers. Such is life.

Mobile Security provides three main functions: on-demand scans, blacklist control and authorisation checks for installed apps, all controlled from a main home screen.

G Data Mobile Security Main Screen

Tapping on any of the four areas will show the next screen for that function. Here’s the on-demand virus scanning – no surprises there – but Mobile Security also scans apps as they are installed from the Android Market (or elsewhere presumably) which gives additional protection against malicious software.

G Data Mobile Security Virus Scanning

The Permissions area shows a set of controlled features such as calls and internet access, and by selecting a particular feature Mobile Security shows the apps that have permissions for that feature. I thought that you might be able to then select an application and revoke its permissions to, say, access the internet, but the only option is to uninstall the app.

G Data Mobile Security Permissions    G Data Mobile Detailed Security Permissions

A settings screen, accessible from the menu key, provides greater control over the behaviour of Mobile Security’s activities. The usual stuff about scan intervals and automatic scans, but all good.

G Data Mobile Security Settings

The Logs area shows what Mobile Security has been doing and Update simply checks that the virus signatures are current and up-to-date. Nothing unexpected here.

G Data Mobile Security Logs

Unfortunately, I didn’t have any malware to hand so I wasn’t able to test out Mobile Security’s detection and disinfecting abilities but I would imagine that G Data’s got that covered.

It’s a free download from the Android Market to try it out, but it’s £9.99 per year to get updates for new malware and viruses. Alternatively, purchases of other G Data security products such as G Data AntiVirus include a Mobile Security licence as part of the package.

The licence for this review was provided free of charge by G Data. Thanks.