21 July 2023

Facebook flooded with fake pages luring victims with generative AI

Source: CPR. Sample posts on fake Facebook pages inviting viewers to download malware.

A new scam uncovered by Check Point Research (CPR) uses Facebook to lure victims by exploiting the interest in generative AI. Many of the fake pages involved have tens of thousands of followers and mix genuine content with links to malware, Check Point said.

Criminals first create fake Facebook pages or groups impersonating a popular brand, complete with engaging content. The pages may offer tips, news and supposedly enhanced versions of AI services such as Google Bard or ChatGPT.

Unsuspecting Facebook users end up passionately discussing the role of AI in the comments and like or share posts, which ensures the page shows up in their friends' feeds and draws them to the page as well.

The scam occurs when visitors are invited to obtain new services or special content via a link on the page. Most of the Facebook pages lead to landing pages which encourage users to download password-protected archive files that are allegedly related to generative AI engines. When the link is clicked, victims unknowingly download malware, designed to steal their online passwords, crypto wallets and other information saved in their browser.

There are many variants, with pages named after Bard New, Bard Chat, GPT-5, G-Bard AI and others. Some posts and groups also try to take advantage of the popularity of other AI services such as Midjourney and Jasper AI. Seemingly small details, such as the fact that the real Jasper AI page has 2 million fans, or how long a page has been in operation, matter in telling the genuine from the fake.

According to Sergey Shykevich, Threat Intelligence Group Manager, Check Point Research: "Unfortunately, thousands of people are falling victim to this scam. They are interacting with the fake pages, which furthers their spread – and are even installing malware which is disguised as free AI tools. We urge everyone to be vigilant in ensuring they are only downloading files from authentic and trusted sites."

CPR observed that criminals have gone to great lengths to ensure their pages appear authentic. When a user searches for ‘Midjourney AI’ on Facebook and encounters a page with 1.2 million followers, they are likely to believe it is an authentic page. The same principle applies to other indicators of page legitimacy: when posts on the fake page have numerous likes and comments, it suggests that other users have already interacted positively with the content, reducing the likelihood of suspicion.

Additionally, the links to malicious websites are mixed with links to legitimate Midjourney reviews or social networks.

CPR attributed the surge to expanding underground markets, where initial access brokers specialise in acquiring and selling access or credentials to compromised systems. Additionally, the growing value of data used for targeted attacks, such as business email compromise and spear-phishing, has fuelled the proliferation of infostealers.

As authentic AI services make it possible for cybercriminals to create and deploy sophisticated, credible scams, it is essential for individuals and organisations to stay vigilant, CPR said. Some rules of thumb to protect yourself include:

- Ignore display names: Phishing sites or emails can be configured to show anything in the display name. Instead of looking at the display name, check the sender’s email or web address to verify that it comes from a trusted and authentic source.

- Verify the domain: Phishers commonly use domains with minor misspellings or that merely seem plausible. For example, company.com may be replaced with cormpany.com, or an email may come from company-service.com. Such misspellings and near-miss names are good indicators of phishing.

- Always download software from trusted sources: Instead of downloading software from a Facebook group, go directly to a trusted source, such as the official web page for that software. Do not click on downloads from groups, unofficial forums etc.

- Check the links: URL phishing attacks are designed to trick recipients into clicking on a malicious link. Hover over the links within an email and see if they actually go where they claim. Enter suspicious links into a phishing verification tool like phishtank.com, which will tell you if they are known phishing links. If possible, don’t click on a link at all; visit the company’s site directly and navigate to the indicated page.
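The domain and link checks above can be automated. The following is an added example, not code from CPR or the article: it flags a link whose registered domain is a near-miss of a trusted name (cormpany.com, company-service.com, a trusted domain buried in a longer hostname) and detects link text that shows one domain while the href goes to another. The allowlist of trusted domains is a constructed assumption.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist for this example (an assumption; a real deployment
# would use the organisation's own vetted list of genuine domains).
TRUSTED_DOMAINS = {"company.com", "midjourney.com", "openai.com"}


def _host(url: str) -> str:
    """Lower-cased hostname of a URL; bare domains get a scheme prepended."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def registered_domain(url: str) -> str:
    """Last two labels of the host, e.g. 'cormpany.com' from 'www.cormpany.com'.
    Adequate for .com-style names; multi-part suffixes such as co.uk would
    need a public-suffix list, which this example deliberately omits."""
    parts = _host(url).rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' (imitates a trusted name) or 'unknown'."""
    host, dom = _host(url), registered_domain(url)
    if dom in trusted:
        return "trusted"
    label = dom.rsplit(".", 1)[0]                 # 'company-service'
    for t in trusted:
        tlabel = t.rsplit(".", 1)[0]              # 'company'
        if t in host:                             # company.com.evil.net
            return "lookalike"
        if tlabel in re.split(r"[-_]", label):    # company-service.com
            return "lookalike"
        if len(tlabel) > 4 and edit_distance(label, tlabel) <= 2:  # cormpany.com
            return "lookalike"
    return "unknown"


def display_text_mismatch(text: str, href: str) -> bool:
    """True when the visible link text names a domain but the href goes elsewhere."""
    m = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
    return bool(m) and registered_domain(m.group(1)) != registered_domain(href)
```

The edit-distance threshold of 2 is a deliberate trade-off: it catches single-letter swaps and insertions but will also flag some unrelated short names, so treat a "lookalike" verdict as a prompt to verify, not as proof.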