
Latest news with #Mandiant

Fake AI social media ads spread malware to millions globally

Techday NZ

29-05-2025

  • Techday NZ


Mandiant Threat Defense has released research identifying a Vietnam-linked cyber campaign that exploits public interest in artificial intelligence tools by distributing malware via social media advertisements. The research traces the campaign to a group known as UNC6032, which uses paid advertisements on platforms such as Facebook and LinkedIn to draw victims toward counterfeit websites masquerading as well-known AI brands including Luma AI, Canva Dream Lab, and Kling AI. These fake advertisements redirect users to domains designed to closely resemble legitimate AI service platforms. However, instead of offering genuine AI-generated content, these fraudulent websites deliver malware. The malicious software is designed to extract sensitive information such as login credentials, credit card data, cookies, and other personal details from victims' systems.

"Our research shows this campaign has already reached millions of users globally. The threat actors have cleverly leveraged the explosive interest in AI tools, combining realistic branding with paid ads on trusted platforms like Facebook and LinkedIn. A well-crafted spoofed website can pose a significant risk to anyone—from consumers to enterprise users," Yash Gupta, Senior Manager at Mandiant Threat Defense, commented.

Mandiant reports that the campaign was first detected in late 2024 and has since been monitored across a large number of deceptive advertisements. Mandiant analysts employed transparency resources such as Meta's Ad Library and LinkedIn's Ad Transparency Center to uncover the scale of the activity, which involved more than 30 unique fake domains promoted through thousands of social media ads. Among the findings was a sample of over 120 malicious Facebook ads whose estimated reach exceeded 2.3 million users within the European Union. The attackers ran these campaigns using both fraudulent pages that they created and compromised legitimate accounts, often limiting the lifespan of each campaign to avoid being detected and removed by the platforms' security measures. On LinkedIn, Mandiant detected approximately 10 malicious ads, including content directing users to recently registered domains such as klingxai[.]com, which first appeared in late 2024.

Once directed to the spoofed websites, users download a Rust-based malware dropper referred to by Mandiant as STARKVEIL, which deploys multiple information stealers and backdoors on the victim's device. The malware extracts sensitive data and communicates with operators via channels such as Telegram, facilitating exfiltration of the stolen information to attacker-controlled infrastructure. Mandiant's M-Trends 2025 report notes that compromised credentials are the second most common initial access point for cybercriminals, highlighting the broader risk posed by this type of activity to individuals and organisations alike.

"A significant portion of Meta's detection and removal activity began independently in 2024, ahead of our alerts. But with new malicious ads appearing daily, ongoing cross-industry collaboration remains essential to defend users at scale," Gupta said, highlighting the efforts of social media platforms in tackling such threats ahead of external alerts. Mandiant additionally cautions that similar malicious operations are likely to be active on a range of other platforms, as cybercriminal groups continue to adapt their methods in response to detection and removal efforts. The company advises users to exercise caution by avoiding AI tool ads from unverified sources, inspecting URLs prior to downloading software, keeping antivirus and endpoint protection updated, and reporting suspicious advertisements directly to platform providers.

Fake AI Tools Lure Social Media Users In Global Malware Scam

Scoop

28-05-2025

  • Business
  • Scoop


Cybercriminals are exploiting the booming interest in artificial intelligence (AI) tools to spread malware through fake ads on Facebook and LinkedIn, a new report has revealed. According to cybersecurity firm Mandiant, a Vietnam-linked hacking group is behind a widespread scam that uses realistic-looking online ads to trick people into downloading malicious software. The ads claim to promote popular AI platforms—like Luma AI, Canva Dream Lab, and Kling AI—but instead redirect users to fake websites designed to steal personal information.

'These attackers are tapping into the public's growing fascination with AI to carry out digital theft,' said Yash Gupta, a senior manager at Mandiant. 'A site that looks like an exciting new AI tool could actually be stealing your passwords, credit card numbers, or social media accounts.'

Millions Exposed

Mandiant's investigation, which began in late 2024, has uncovered thousands of ads linked to the scam, with many of them reaching audiences in the millions. A sample of 120 Facebook ads targeting European users alone had a combined reach of over 2.3 million people, the report said. The hackers, identified by researchers as UNC6032, use a rotating set of websites and fake business pages to keep the scam alive. In some cases, they also hijack real user accounts to spread the ads. Once a victim clicks the ad and visits the fake AI site, the page appears to offer an AI-generated video or image service. But instead of any real AI functionality, the website automatically downloads malware that installs itself in the background. That malware, known as STARKVEIL, is capable of stealing sensitive data and secretly sending it back to the attackers.

Global Victims

While the fake ads have been found mostly on Facebook, Mandiant also spotted smaller campaigns on LinkedIn. In one example, a fraudulent website was registered in September 2024 and promoted to tens of thousands of users within a day. Victims include both individual users and employees of businesses across various industries. 'This isn't just a consumer issue,' Gupta said. 'These stolen credentials can give attackers access to corporate networks, making it a risk for organisations too.'

Tech Platforms Respond

Mandiant says both Meta (Facebook's parent company) and LinkedIn were cooperative and proactive in responding to the findings. Meta had already begun taking down many of the malicious ads and domains before Mandiant alerted them to additional activity. However, the report warns that the threat is far from over. The attackers continue to launch new ads and websites daily, constantly adjusting tactics to avoid detection.

How to Stay Safe

Experts advise people to be cautious when clicking on social media ads—especially those that promote unfamiliar AI tools. To stay safe:

  • Visit websites directly rather than through ads
  • Double-check URLs before downloading software
  • Use up-to-date antivirus protection
  • Report suspicious ads to the platform

The scam is part of a growing trend in cybercrime where criminals take advantage of popular tech trends to deceive the public. With AI tools rising in popularity, experts say this likely won't be the last attempt to turn AI hype into a cyber threat. 'Criminals go where the attention is,' Gupta said. 'Right now, that's AI.'
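Both articles above advise checking the URL before downloading anything from an AI-tool ad, and the Techday piece names klingxai[.]com as one of the lookalike domains. The Python script below is an added example, not Mandiant's or either publication's code, of how an analyst might triage ad landing pages for brand lookalikes: it refangs threat-report notation, reduces a URL to its registrable domain, and flags domains that embed a brand word or sit within two edits of the real label. The legitimate brand domains (lumalabs.ai, canva.com, klingai.com) are assumptions made for the demo and should be verified against the vendors' own sites; the sample inputs other than klingxai[.]com are constructed.

```python
"""Lookalike-domain triage for AI-tool download links.

Added example (not Mandiant's or the articles' code). The legitimate brand
domains below are assumptions chosen for illustration; verify them against
the vendors' own sites before relying on this list.
"""
import re
from urllib.parse import urlparse

# Assumed registrable domains of the impersonated brands, keyed by domain.
LEGIT_DOMAINS = {
    "lumalabs.ai": "Luma AI",
    "canva.com": "Canva Dream Lab",
    "klingai.com": "Kling AI",
}

# Brand words that should not appear in a domain the brand does not own.
BRAND_KEYWORDS = {"Luma AI": "luma", "Canva Dream Lab": "canva", "Kling AI": "kling"}


def refang(text: str) -> str:
    """Undo the defanging used in threat reports: hxxp -> http, [.] -> ."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("(.)", ".")


def registrable_domain(url_or_host: str) -> str:
    """Return the last two labels of the host (enough for the TLDs used here;
    a public-suffix list would be needed for co.uk-style suffixes)."""
    u = refang(url_or_host.strip().lower())
    if "://" not in u:
        u = "http://" + u
    host = urlparse(u).hostname or ""
    labels = [lab for lab in host.split(".") if lab]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a single insertion separates klingai from klingxai."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url_or_host: str) -> tuple:
    """Verdicts: ('legit', brand), ('lookalike', brand) or ('unknown', None)."""
    domain = registrable_domain(url_or_host)
    if domain in LEGIT_DOMAINS:
        return "legit", LEGIT_DOMAINS[domain]
    label = domain.split(".")[0]
    for legit, brand in LEGIT_DOMAINS.items():
        legit_label = legit.split(".")[0]
        # A brand word embedded in a foreign domain, or a one/two-edit typo of
        # the real label, is the pattern the fake-AI ads relied on.
        if BRAND_KEYWORDS[brand] in label or levenshtein(label, legit_label) <= 2:
            return "lookalike", brand
    return "unknown", None


if __name__ == "__main__":
    # klingxai[.]com is the domain named in the report; the other inputs are
    # constructed samples for the demo.
    for sample in ("klingxai[.]com", "https://klingai.com/start",
                   "hxxps://lumadreamai[.]example/", "https://example.org/"):
        print(sample, "->", classify(sample))
```

The keyword test is deliberately noisy (it will also flag a legitimate reseller that mentions a brand), so treat a "lookalike" verdict as a triage hit to be confirmed with registration date and hosting data, as Mandiant did with the ad transparency tools, not as a block decision on its own.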

Google warns of Facebook post you must NEVER click or you risk getting your passwords stolen & your texts spied on

The Sun

28-05-2025

  • Business
  • The Sun


Google-owned threat hunters have warned Facebook users of a post that you must never click or you will risk getting your passwords stolen and your texts spied on. Thousands of malicious ads on Facebook and about 10 on LinkedIn have been identified since November 2024. A group of criminals tracked as UNC6032 is exploiting interest in AI video generators, and users need to be vigilant. They do so by planting malicious ads on social media platforms to steal credentials, credit card details, and other sensitive information.

Fake AI video generator tools

These ads directed viewers to more than 30 phony websites masquerading as legitimate AI video generator tools, including Luma AI, Canva Dream Lab, and Kling AI, falsely promising text- and image-to-video generation, The Register reports. If a user visits the fake website and clicks on the "Start Free Now" button, they're led through a bogus video-generation interface that mimics a real AI tool. After selecting an option and watching a fake loading bar, the site delivers a ZIP file containing malware that, once executed, backdoors the victim's device, logs keystrokes, and scans for password managers and digital wallets. UNC6032, assessed by Mandiant and Google Threat Intelligence as having ties to Vietnam, has found success with this campaign. The malicious ads have reached more than two million users across Facebook and LinkedIn. Mandiant used both companies' ad library tools, designed to comply with the European Union's Digital Services Act (DSA), to identify the fake websites and the malicious ads' reach. Threat analysts Diana Ion, Rommel Joven, and Yash Gupta said: "Mandiant Threat Defense performed further analysis of a sample of over 120 malicious ads and, from the EU transparency section of the ads, their total reach for EU countries was over 2.3 million users." They note, however, that "reach does not equate to the number of victims."

The 10 LinkedIn ads had a total impression estimate of 50,000 to 250,000, with the US accounting for the highest percentage of impressions. Facebook ads were published on both attacker-created pages and compromised accounts.

New ads are created daily

UNC6032 is "constantly" rotating the domains mentioned in the ads to avoid detection and account bans, while new ads are "created on a daily basis." A Meta spokesperson said the social media company doesn't know how many victims the campaign may have affected. "Meta removed the malicious ads, blocked the URLs, and took down accounts behind them — many before they were shared with us," the spokesperson told The Register. "Cyber criminals constantly evolve their tactics to evade detection and target many platforms at once, and that's why we collaborate with industry peers like Google to strengthen our collective defences to protect our users." Mandiant, in its report, does give Meta credit for its "collaborative and proactive threat hunting efforts in removing the identified malicious ads, domains, and accounts," and explained that a "significant portion" of these detections and removals began last year, prior to Mandiant alerting Meta about its investigation.

The malware is designed for information theft

All of the websites investigated served up the same payload: STARKVEIL, a malware dropper that deploys three different modular malware families designed for information theft, all capable of downloading plugins. The Mandiant team provides a deep dive into one particular attack that started with a Facebook ad for "Luma Dream AI Machine," mimicking a text-to-video AI tool called Luma AI, but instead redirecting the user to an attacker-created website. After visitors to the phony website click the download button, they receive a ZIP archive containing a Rust-based malware dropper named STARKVEIL. When executed, it extracts its payloads and displays a fake error message to coax the user into running it a second time. A successful compromise requires the executable to run twice: it drops its components during the first execution and runs a launcher during the second.

Fake 'AI websites' pose a significant threat

One of the malware families dropped is GRIMPULL, a .NET-based downloader with anti-VM and anti-malware-analysis capabilities, which uses Tor for C2 server connections. Another is XWORM, also a .NET-based backdoor, with capabilities including keylogging, command execution, screen capture, and spreading to USB drives. The third is FROSTRIFT, a .NET backdoor loaded via DLL sideloading into a legitimate Windows process. This malware attempts to establish persistence on the compromised machine and checks for the existence of 48 browser extensions related to password managers, authenticators, and digital wallets. The Mandiant team wrote: "Although our investigation was limited in scope, we discovered that well-crafted fake 'AI websites' pose a significant threat to both organizations and individual users. These AI tools no longer target just graphic designers; anyone can be lured in by a seemingly harmless ad."
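The infection chain described above (a ZIP delivered from the fake site, a dropper that must be executed twice, child payloads, and FROSTRIFT loaded by DLL sideloading into a legitimate process) leaves a recognisable pattern in endpoint telemetry. The Python below is an added example, not Mandiant's or The Register's code, of detection logic run over Sysmon-style process-creation and image-load events: it flags executables launched from a user-writable download or temp directory, the same binary re-launched by the same user within a short window (the effect of the fake error message), and a DLL loaded from the same user-writable directory as its host process. The event schema, the window length, and the sample events, including every file and path name, are constructed for this demo.

```python
"""Heuristic detection of a STARKVEIL-style infection chain in endpoint
telemetry. Added example, not Mandiant's code: the Sysmon-like event schema,
the 120-second re-run window and the sample events (file names included)
are all constructed for this demo.
"""
import ntpath

# Directories a browser download or an archive extraction typically lands in.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\")
RERUN_WINDOW_SECONDS = 120  # assumed: "click it again after the error" happens fast


def is_user_writable(path: str) -> bool:
    """True when the path sits under a user-writable download/temp location."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def detect(events):
    """Return a list of (rule, path) alerts for the given events.

    Event fields: t (seconds), event ('ProcessCreate' | 'ImageLoad'), user,
    image (process path), parent (ProcessCreate) or image_loaded (ImageLoad).
    """
    alerts = []
    last_start = {}  # (user, image) -> timestamp of the last ProcessCreate
    for ev in sorted(events, key=lambda e: e["t"]):
        image = ev["image"]
        if ev["event"] == "ProcessCreate":
            key = (ev["user"].lower(), image.lower())
            if is_user_writable(image):
                alerts.append(("exec_from_user_writable_dir", image))
                prev = last_start.get(key)
                # The dropper only completes on its second run; a user who
                # re-launches the same download within minutes fits the lure.
                if prev is not None and ev["t"] - prev <= RERUN_WINDOW_SECONDS:
                    alerts.append(("same_binary_rerun_within_window", image))
            last_start[key] = ev["t"]
        elif ev["event"] == "ImageLoad":
            dll = ev["image_loaded"]
            same_dir = ntpath.dirname(dll).lower() == ntpath.dirname(image).lower()
            # Sideloading: a host binary picks up a DLL from its own directory,
            # and that directory is one an attacker could write to.
            if dll.lower().endswith(".dll") and same_dir and is_user_writable(dll):
                alerts.append(("possible_dll_sideload", dll))
    return alerts


# Constructed sample telemetry; names and paths are invented for the demo.
DROPPER = r"C:\Users\alice\Downloads\video_tool\video_tool.exe"
HOST = r"C:\Users\alice\AppData\Local\Temp\vt\host.exe"
DLL = r"C:\Users\alice\AppData\Local\Temp\vt\helper.dll"
EXPLORER = r"C:\Windows\explorer.exe"
USER = "WS01\\alice"

EVENTS = [
    {"t": 0, "event": "ProcessCreate", "user": USER, "image": DROPPER, "parent": EXPLORER},
    # Second launch after the fake error message.
    {"t": 45, "event": "ProcessCreate", "user": USER, "image": DROPPER, "parent": EXPLORER},
    # Launcher starts a host process from the temp directory.
    {"t": 50, "event": "ProcessCreate", "user": USER, "image": HOST, "parent": DROPPER},
    {"t": 51, "event": "ImageLoad", "user": USER, "image": HOST, "image_loaded": DLL},
    # Benign activity that must not fire.
    {"t": 100, "event": "ProcessCreate", "user": USER,
     "image": r"C:\Program Files\Vendor\app.exe", "parent": EXPLORER},
    {"t": 110, "event": "ImageLoad", "user": USER,
     "image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\foo.dll"},
]

if __name__ == "__main__":
    for rule, path in detect(EVENTS):
        print(f"{rule}: {path}")
```

None of the three rules is conclusive alone (users do run installers from Downloads), but the combination on one host within a couple of minutes is worth an analyst's attention; in a SIEM the same logic would be a correlation over the process-creation and image-load event types rather than a single-event signature.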

Tenable Appoints Eric Doerr As Chief Product Officer

Channel Post MEA

19-05-2025

  • Business
  • Channel Post MEA


Tenable has announced the appointment of Eric Doerr as Chief Product Officer (CPO). Doerr brings nearly three decades of experience building and scaling security products at some of the world's most respected technology companies, including Microsoft and, most recently, Google Cloud. At Tenable, Doerr will lead the company's global product organisation, overseeing strategy, innovation and execution across its growing cybersecurity portfolio. His appointment comes at a pivotal moment, as Tenable prepares to launch a significantly expanded version of its Tenable One platform—designed to deliver the most comprehensive exposure management capabilities in the industry. It also coincides with Tenable's demonstrated momentum in cloud security. 'Tenable has a clear and compelling vision for the future of cybersecurity—one that unifies visibility, prioritisation and remediation across the modern attack surface,' said Steve Vintz, co-CEO, Tenable. 'Eric's deep expertise in cloud-native security, threat intelligence, and large-scale product innovation makes him the ideal leader to advance our exposure management vision and accelerate our impact across the enterprise.' Doerr most recently served as Vice President of Security Products at Google Cloud, where he led a broad portfolio including Google SecOps (formerly Chronicle) and Google Threat Intelligence, as well as the Mandiant integration. Prior to Google, he spent more than 20 years at Microsoft in senior leadership roles across the security and identity space, including General Manager of Microsoft Account and Corporate Vice President of Cloud Security and the Microsoft Security Response Center (MSRC). 'Tenable is transforming how organisations think about and reduce cyber risk,' said Doerr. 'Its forward-thinking approach to exposure management and its rapid innovation in cloud security make this an incredibly exciting time to join. I'm thrilled to be part of a team that's building the future of cybersecurity.' 
Shai Morag, Tenable's current CPO, will remain at the company during the transition period. The company thanks Mr. Morag for his leadership and many contributions to Tenable's product strategy and growth.

Tenable Appoints Eric Doerr as Chief Product Officer

Web Release

16-05-2025

  • Business
  • Web Release


By Editor_wr, May 16, 2025

Tenable®, the exposure management company, today announced the appointment of Eric Doerr as Chief Product Officer (CPO). Doerr brings nearly three decades of experience building and scaling security products at some of the world's most respected technology companies, including Microsoft and, most recently, Google Cloud. At Tenable, Doerr will lead the company's global product organization, overseeing strategy, innovation and execution across its growing cybersecurity portfolio. His appointment comes at a pivotal moment, as Tenable prepares to launch a significantly expanded version of its Tenable One platform—designed to deliver the most comprehensive exposure management capabilities in the industry. It also coincides with Tenable's demonstrated momentum in cloud security. 'Tenable has a clear and compelling vision for the future of cybersecurity—one that unifies visibility, prioritization and remediation across the modern attack surface,' said Steve Vintz, co-CEO, Tenable. 'Eric's deep expertise in cloud-native security, threat intelligence, and large-scale product innovation makes him the ideal leader to advance our exposure management vision and accelerate our impact across the enterprise.' Doerr most recently served as Vice President of Security Products at Google Cloud, where he led a broad portfolio including Google SecOps (formerly Chronicle) and Google Threat Intelligence, as well as the Mandiant integration. Prior to Google, he spent more than 20 years at Microsoft in senior leadership roles across the security and identity space, including General Manager of Microsoft Account and Corporate Vice President of Cloud Security and the Microsoft Security Response Center (MSRC). 'Tenable is transforming how organizations think about and reduce cyber risk,' said Doerr. 'Its forward-thinking approach to exposure management and its rapid innovation in cloud security make this an incredibly exciting time to join. I'm thrilled to be part of a team that's building the future of cybersecurity.'

Shai Morag, Tenable's current CPO, will remain at the company during the transition period. The company thanks Mr. Morag for his leadership and many contributions to Tenable's product strategy and growth.
