Fake ChatGPT and AI pages on Facebook are spreading infostealers

Some of the pages have millions of likes on them, suggesting that this is a large-scale scam.
Fake ChatGPT and AI pages on Facebook are spreading infostealers

AI services like ChatGPT, Google BARD, and Jasper are being abused to spread malware like BundleBot and Doenerium through Facebook.

In a recent discovery by cybersecurity firm Check Point Research (CPR), cybercriminals have been found using Facebook as a platform to deceive unsuspecting users into downloading malicious malware, ultimately leading to the theft of private information and passwords.

In this attack trend, scammers are taking advantage of the increasing interest in generative artificial intelligence-based (AI) applications, such as Google Bard and OpenAI’s ChatGPT, to lure users into their traps.

The latest discovery by CPR should not come as a surprise, as Facebook has a track record of being abused by cybercriminals. Its features have been abused over the years to spread malware, or worse, even ransomware.

Just a couple of days ago, Malwarebytes confirmed that a Vietnamese threat actor was stealing malware through META Business Accounts. The scam is also utilizing malicious Chrome browser extensions to successfully exfiltrate Facebook login credentials.

The Scam Operation:

The modus operandi of these cybercriminals involves creating fake Facebook pages or groups, posing as popular AI brands, and generating engaging content to attract users’ attention.

Once users interact with the content by liking or commenting, it appears on their friends’ feeds, further spreading the scam. The fraudulent pages then offer a new service or exclusive content via a link, which leads users to unknowingly download malicious malware designed to steal their online passwords, cryptocurrency wallets, and other sensitive information stored in their browsers.

Examples of targeted AI brands include Bard New, Bard Chat, GPT-5, G-Bard AI, and the popular AI brand Jasper AI. These scammers meticulously replicate legitimate pages, using bots and Vietnamese chat language to give the appearance of authenticity and credibility.

The screenshot shows cybercriminals on Facebook pages sponsoring fake ChatGPT and Google BARD AI.
Fake Jasper AI page on Facebook with a malicious domain used to spread malware.
Fake Mid-Journey AI Page with over 1 million likes on Facebook
Fake Mid-Journey AI Page with a malicious domain to spread malware

The Malicious Payload:

The malware delivered by these fake Facebook pages is identified as “Doenerium,” an infostealer previously observed in various scams. This malware operates stealthily to gather various types of information, including browser data like cookies, bookmarks, and browsing history.

According to CPR’s report, the malware also steals cryptocurrency wallet information, FTP credentials, and sessions from social and gaming platforms. The stolen data is then consolidated into an archive and uploaded to file-sharing platforms.

Sophisticated Scams and the Rise of BundleBot:

While some scams rely on open-source toolsets and free services, others adopt more sophisticated techniques. Check Point Research recently uncovered advanced campaigns that employ Facebook ads and compromised accounts to distribute a stealthy stealer-bot called BundleBot.

This new malware operates under the radar, making it challenging to detect and shut down these campaigns. BundleBot specifically targets stealing Facebook account information, making the campaigns self-sustaining.

The Rising Threat of Infostealers:

The rise in infostealer usage can be linked to the growth of underground markets, where initial access brokers focus on obtaining and trading access or credentials to compromised systems. As the value of data increases for targeted attacks like business email compromise and spear-phishing, the proliferation of infostealers has grown.

Protecting Against Scams:

As public interest in AI-based solutions continues to rise, it’s crucial for individuals and organizations to stay vigilant against cybercriminal tactics. Users can identify phishing and impersonation attempts by verifying the sender’s email or web address, looking for domain misspellings, and downloading software only from trusted sources.

  1. Fake ChatGPT Extension Hijacks Facebook Accounts
  2. Alert: Scammers Pose as ChatGPT in New Phishing Scam
  3. WormGPT – The Malicious ChatGPT Alternative Goes Viral
  4. 100,000 Hacked ChatGPT Accounts Discovered on Dark Web
  5. FortiGuard Labs Discovers .ZIP Domains Fueling Phishing Attacks
Related Posts