Attackers Hijack Facebook Pages, Promote Malicious AI Photo Editor

Published: 23/11/2024   Category: security


A malvertising campaign uses phishing to steal legitimate account pages, with the endgame of delivering the Lumma stealer.



Attackers are hijacking pages on Facebook to lure victims into downloading what appears to be a legitimate artificial intelligence (AI) photo editor, but then serving up a widely distributed infostealer to rob users of their credentials instead.
The malvertising campaign, discovered by researchers at Trend Micro, exploits the popularity of AI and combines a variety of popular threat tactics, including phishing, social engineering, and the use of a legitimate utility in a malicious way. The ultimate payload is the Lumma stealer, which targets sensitive information, including user credentials, system details, browser data, and extensions.
The attack hinges on the abuse of paid Facebook promotions, which attackers have leveraged to lure users into engagement and ultimately deliver malware, the researchers noted in a blog post today.
“Once the attacker gains control of the page, ads are posted promoting the AI photo editor, leading victims to download an endpoint management utility disguised as the photo editor,” Trend Micro threat researcher Jaromir Horejsi wrote.
Attackers also are taking advantage of the current attention on AI technology and the tools associated with it by using these tools as lures for malicious activities, which include phishing scams, deepfakes, and automated attacks, he wrote.
So far, the malicious package associated with the campaign has generated about 16,000 downloads on Windows and 1,200 on macOS. However, the macOS version redirects to the Apple website instead of an attacker-controlled site, suggesting that attackers are only targeting Windows users with the campaign.
A typical attack in the campaign starts before a potential victim even sees an ad. Attackers begin by sending phishing messages to owners of the targeted social media page to gain control of the page for their own malicious use. The sender account typically looks like an empty profile with randomly generated user names.
The phishing links in the messages are sent either as direct links or as personalized link pages, such as linkup.top, bio.link, s.id, and linkbio.co, among others. Sometimes attackers even abuse Facebook's open redirect URL to make these links appear more legitimate.
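The two link shapes described above (links hosted on personalized link-page services, and links routed through a platform open redirect) are easy to triage automatically in messages sent to page administrators. The script below is an added example, not code from Trend Micro or the original article: the link-page hosts come from the article, while the redirect heuristic (a facebook.com URL whose query string carries another absolute URL), the `redirect?u=` path and the sample messages are constructed assumptions for illustration.

```python
"""
Triage helper for links found in direct messages sent to page admins.

Added example: flags links on the personalised link-page services named
in the article and links that route through a platform open redirect.
The redirect heuristic and the sample messages below are constructed
assumptions, not artefacts from the campaign.
"""
import re
from urllib.parse import parse_qs, urlparse

# Link-page services the article names as carriers of phishing links.
LINK_PAGE_HOSTS = {"linkup.top", "bio.link", "s.id", "linkbio.co"}

# Hosts treated as "the platform itself"; a redirect off them is suspicious.
PLATFORM_HOSTS = {"facebook.com", "www.facebook.com", "l.facebook.com", "m.facebook.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _base_domain(host):
    # Crude registrable-domain reduction (last two labels); good enough for
    # the hosts handled here and keeps the example offline (no suffix list).
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify_url(url):
    """Return the reasons this URL deserves a closer look (empty list = none)."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if _base_domain(host) in LINK_PAGE_HOSTS:
        reasons.append("link-page service: %s" % _base_domain(host))
    if host in PLATFORM_HOSTS:
        # Assumed open-redirect shape: a platform URL whose query carries an
        # absolute URL pointing at a non-platform host.
        for key, values in parse_qs(parsed.query).items():
            for value in values:
                if value.lower().startswith(("http://", "https://")):
                    dest = _host(value)
                    if dest and _base_domain(dest) != "facebook.com":
                        reasons.append(
                            "platform redirect to external host: %s (param %s)" % (dest, key)
                        )
    return reasons


def triage_message(text):
    """Extract every URL in a message and return {url: reasons} for flagged ones."""
    flagged = {}
    for url in URL_RE.findall(text):
        url = url.rstrip(".,)")  # drop trailing punctuation captured by the regex
        reasons = classify_url(url)
        if reasons:
            flagged[url] = reasons
    return flagged


# Constructed sample messages (not real campaign artefacts).
SAMPLE_MESSAGES = [
    "Your page violates our policy. Verify here: https://bio.link/meta-support-check",
    "Appeal now: https://www.facebook.com/redirect?u=https://example-verify.test/appeal",
    "Team meeting notes: https://www.facebook.com/groups/12345/posts/678",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg)
        for url, reasons in triage_message(msg).items():
            print("  FLAG", url, "->", "; ".join(reasons))
```

Running the script flags the first two sample messages and leaves the ordinary in-platform link alone. In practice the host list would be a feed rather than a constant, and a hit should route the message to review rather than block it outright, since the same services carry plenty of legitimate links.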
If the page operator clicks on the links, they are presented with a screen asking them to verify their information with a Business Support Center for Meta developers. Clicking on that screen's "Verify Your Information Here" link leads to a fake account protection page, which in several subsequent steps asks users for the information necessary to log in and take over their account, such as their phone number, email address, birthday, and password, Horejsi explained.
After the target provides this info, the attacker steals the profile and begins creating and posting malicious ads for an AI photo editor with links to a fake domain that uses the name of a legitimate tool, such as Evoto.
The fake photo editor web page looks very similar to the original one, which helps in tricking the victim into thinking that they are downloading a photo editor, Horejsi wrote.
However, what a user who takes the bait actually downloads is the freely available ITarian endpoint management software. Using a series of back-end process controls, the attacker ultimately controls the victim's machine and has it download the final payload, the Lumma stealer.
There are a number of ways that people can avoid falling victim to the campaign and to threats that abuse social media pages, which not only can compromise users but also lead to secondary attacks via stolen credentials that act as initial entry into enterprise infrastructure, according to Trend Micro.
Social-media users should enable multifactor authentication on all their accounts to add an extra layer of protection against unauthorized access, as well as regularly update and use strong, unique passwords across all accounts.
Organizations also should regularly practice education and awareness to let their employees know of the dangers lurking on social media while accessing corporate networks, as well as how to identify suspicious messages and links associated with phishing attacks.
Finally, both organizations and individual users should monitor their accounts for any unusual behavior, such as unexpected login attempts or changes to account information. Organizations should employ some kind of detection and response mechanisms.
