Cybercriminals are capitalising on the global interest in artificial intelligence (AI) by establishing fake AI-themed websites to disseminate malware and steal personal data. The operation, uncovered by Google’s Mandiant Threat Intelligence team, has been ongoing since mid-2024 and is linked to a threat group with connections to Vietnam, identified as UNC6032.
How the scam works

According to Google, the attackers promote these fake AI tools through ads on social media platforms such as Facebook and LinkedIn. These ads mimic legitimate AI services like Luma AI, Canva’s Dream Lab, and Kling AI to trick users into visiting fraudulent websites. Once users land on these pages, they are shown an interface that claims to offer AI-generated videos or images.
Regardless of the input provided, the websites always serve a ZIP file for download. This archive contains an executable disguised with a double extension — for example, .mp4.exe — and uses common media icons to avoid raising suspicion. When launched, this file installs malware on the victim’s system.
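As an added defender-side check, not from Google's report or this article, the Python script below inspects a downloaded ZIP archive for the lure described above: a media-looking extension in front of an executable one (the .mp4.exe pattern), plus the related case of a file whose media extension sits over a Windows PE header. The extension lists beyond .mp4.exe and the sample archive are constructed assumptions.

```python
import io
import zipfile

# Media-looking inner extensions and executable outer extensions. The article
# names only .mp4.exe; the remaining entries are assumptions for wider coverage.
MEDIA_EXTS = {"mp4", "mov", "avi", "mkv", "png", "jpg", "jpeg", "gif", "webp"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "js", "vbs"}

# Windows PE executables begin with the two-byte "MZ" signature.
PE_MAGIC = b"MZ"


def suspicious_double_extension(name):
    """True for names like 'video.mp4.exe': a media extension hiding an executable one."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) < 3:
        return False
    return parts[-2] in MEDIA_EXTS and parts[-1] in EXEC_EXTS


def scan_zip(data):
    """Inspect a ZIP archive given as bytes; return a list of (filename, reason) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if suspicious_double_extension(info.filename):
                findings.append((info.filename, "media-then-executable double extension"))
            # A file that claims a media extension but starts with a PE header is also suspect.
            ext = info.filename.rsplit(".", 1)[-1].lower()
            if ext in MEDIA_EXTS:
                with zf.open(info) as fh:
                    if fh.read(2) == PE_MAGIC:
                        findings.append((info.filename, "media extension with PE (MZ) header"))
    return findings


def build_sample_zip():
    """Constructed sample archive: fake PE headers under lure names, plus one benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("generated_video.mp4.exe", b"MZ" + b"\x00" * 62)  # constructed, not real malware
        zf.writestr("preview.png", b"MZ" + b"\x00" * 62)              # constructed: PE bytes under an image name
        zf.writestr("readme.txt", b"plain text, nothing executable")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_zip(build_sample_zip()):
        print(f"{name}: {reason}")
```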
What the malware does

Google’s researchers explain that the initial malware, named STARKVEIL, is a Rust-based dropper. It unpacks additional components designed to harvest data such as login credentials, credit card information, and cookies. In many cases, this data is exfiltrated via the Telegram API to remote servers.
The campaign also deploys other malware families, including GRIMPULL, XWORM, and FROSTRIFT, each with its own purpose — from keylogging and USB spreading to encrypted communication with command-and-control servers and gathering system details. These malware strains are built to avoid detection through sandbox and virtual machine checks.
Scale and spread

Google’s report reveals that over 30 fake domains have been created since mid-2024. A sample of 120 Facebook ads tied to this campaign reached an estimated 2.3 million users in EU countries. Similar ads on LinkedIn reportedly received between 50,000 and 250,000 impressions, primarily targeting users in the US, Europe, and Australia.
Meta has been working with Google to remove the fraudulent content and disable accounts linked to the operation.
Stay alert

With AI tools gaining popularity, Google warns users to be cautious when engaging with new services online. It is important to verify website authenticity and avoid downloading files from unfamiliar or untrusted sources. Updated antivirus software and browser protections can also help guard against such threats.