Falling into the Trap After Just 1 Click: Fake AI Ads Are Stealing Facebook User Data

Artificial intelligence (AI) is exploding with a series of new tools to support photo creation, video editing, content writing, data analysis… attracting millions of users worldwide. However, while the whole world is focusing on the “AI wonders”, another hidden danger is also growing – sophisticated cyberattack campaigns disguised as attractive AI ads.

Recently, a report from Mandiant - a cybersecurity intelligence company owned by Google, warned about an extremely sophisticated malware campaign through AI video creation tool ads on Facebook and LinkedI n. These ads not only fool users with familiar names like Luma AI , Canva Dream Lab or Kling AI , but also lead them into a digital trap to steal personal information. In this article, we will analyze in detail how this campaign works, the real risks behind the "seemingly legitimate" ads and especially how you can protect yourself from becoming a victim.

1. Fake AI Ads

We live in an era where every time a new AI tool is released, the entire tech and creative community is in an uproar. From AI content writing, image generation, to AI video editing, text-to-film conversion – the pace of development of these tools is so fast that users always feel that if they don’t experience it soon, they will be left behind. And it is this eagerness and curiosity that is inadvertently turning many people into ideal prey for sophisticated cyberattacks.

Cybercriminals today no longer use obvious tricks like sketchy phishing emails or “fake” links. Instead, they invest carefully in online advertising, exploiting the trust that users place in platforms like Facebook and LinkedIn. These ads often have three prominent characteristics:

1.1. Eye-catching and engaging advertising content

To attract users, fake ads are often professionally designed – from sharp illustrations to “addictive” headlines. Some typical examples include:

"Create awesome 3D AI videos with just 1 click – 100% Free!"

"New AI Turns Text into Animation in Just 10 Seconds – Try It Now!"

"AI Tool to Create Videos from Ideas – No Technical Knowledge Required!"

Along with that, the display interface looks exactly like the real thing, even using the exact logo, colors and fonts of famous AI brands. This makes it very difficult for users to distinguish between real and fake, especially when surfing social networks unconsciously.

1.2. Disguised under a familiar name

Cybercriminals’ strategy is to exploit the trust that people already have. Instead of creating unfamiliar brands, they impersonate well-known names in the AI ​​world, such as:

Luma AI – features 3D scene creation technology from real videos.

Runway ML – specializes in creating videos from text using AI.

Kling AI – the text-to-movie tool that is "causing a storm".

Canva Dream Lab – the name sounds like an official subsidiary product of Canva, which is very familiar to designers.

With these names, users often do not check the source, but will easily trust and click on the ad just because it "sounds familiar".

1.3. Dissemination on major social networking platforms

Facebook and LinkedIn – two platforms that were once considered trustworthy – have become major distribution points for these fake advertising campaigns. Users are often skeptical of ads labeled “Sponsored” because they assume they have been approved by the platform.

Furthermore, cybercriminals can also invest in running targeted ads, for example:

Targeting user groups who love AI and content creation.
Choose a geographic area with high network traffic density.
Customize ad content in local languages.

The danger here is that from the time the user sees the ad until they are infected with malware, it only takes less than 1 minute.

Users click on ads, eager to try out the fancy AI tool.

They are directed to a fake website that looks very similar to the official site (usually just a few letters different in the domain name, e.g. lumaai-official.com instead of luma.ai).

The website asks to download an installer under the pretext of “trial”, “free demo” or “unlock premium features”.

The user downloads and runs the file – unaware that he has just installed malware.

As a result, their computer or device will then:

Remote control hijacked.
Automatically collect cookies, browsing history, login information.
Send all data to the hacker's server without leaving any obvious traces.
More seriously, some malware also has the ability to monitor the keyboard (keylogger), helping hackers obtain passwords, OTP codes or bank account information when users log in.

2. Phishing Campaign Details: Malware, Information Stealers, and Hacker Group Behind It

According to a report from Mandiant – a cybersecurity unit under Google, this is not a spontaneous action. This malware campaign, named UNC6032, started in mid-2024 and is still continuing on a large scale.

Attack Methods: From Fake Ads to Malware

Step 1: Fake ads are posted on social media

Hackers post fake ads for AI video creation tools on Facebook or LinkedIn. Reputable brands like Luma AI, Kling AI, Runway, or Canva Dream Lab are often used to create a sense of trust.

Step 2: Direct users to a fake website

When users click on the ad, they are redirected to a website that looks exactly like the official one – with a very cleverly crafted domain name, such as:

lumaai-official.com

dreamlab-ai.net

canvaai-download.org

The goal is to make the user unsuspecting and proceed to download the software.

Step 3: Malware is secretly installed on the device

When users download or click the "try" button, malware is silently installed. The two most common types of malware include:

Stealer: Usually written in Python, this type of malware can steal all sensitive data from users' browsers and applications.

Backdoor: Allows hackers to remotely control the device, monitor activity, download additional software, or take over system administration.

2.1. What hackers can steal from you

Once the malware has successfully penetrated, the victim’s device becomes a “gold mine of data” to exploit. Specifically, the hacker group can access:

Social media login information such as Facebook, Instagram, LinkedIn…
Personal and work email, with contact list.
Browser cookies, which provide access to active login sessions.
Credit card data, bank accounts, e-wallets.
Access information to cloud storage services, financial platforms or internal systems.

2.2. Alarming scale of dissemination

Although only discovered in recent months, the UNC6032 campaign has shown alarming speed of spread:

More than 30 malicious domains have been identified by Mandiant – all of which are used to distribute malware.

At least 120 malicious ads were detected in Europe alone, reaching a total of 2.3 million users.

Hackers constantly change the content and ad domains every day to bypass the filters and detection algorithms of Meta (parent company of Facebook and Instagram).

This campaign is likened to a “perfect digital trap”: using users’ trust, curiosity, and tendency to try new technology to lure them in. When users let their guard down, all important data can be stolen in just a few minutes.

This is a strong reminder that, even when ads appear on trusted platforms, you should still be cautious with any links or software that invite downloads.

3. Why are users easily fooled?

In an era where AI technology is developing at a rapid pace, many people can easily fall into traps just because of a few thoughtless clicks. There are three main reasons why users easily become victims of phishing campaigns disguised as AI tools:

3.1. Fear of missing out (FOMO)

We live in a world where technology is changing every day. Today there is AI creating images, tomorrow it is AI making videos, AI dubbing… The rapid pace of development makes users easily fall into the mindset of “I will be left behind if I don’t try it now”.

Taking advantage of this, hackers often design ads that play on the fear of missing out:

“Create AI Videos for Free – The New Trend of 2025!”

“AI Video Editing in 10 Seconds – Experience It Before It's Limited!”

As a result, out of curiosity and fear of missing out, users click on ads without thinking, creating conditions for malware to enter.

3.2. The “fake credibility” from a large platform

When people see a sponsored ad appear on Facebook or LinkedIn, many assume:

“If it's approved and displayed here, it must be trustworthy.”

This is the biggest danger. In fact, social media platforms do not censor technical content or malware embedded in ads. Hackers can reach millions of users by simply spending money on ads. They even buy fanpages with large followings to increase their fake credibility.

3.3. Lack of knowledge about cybersecurity

Most users do not know how to distinguish between real and fake websites, or are unfamiliar with warning signs such as:

Domain names with unusual “-” or unofficial .net, .org.
No security certificate (HTTPS).
Same interface but missing navigation items, terms of use…
In addition, users rarely check the source of downloaded files, do not know how to scan for viruses before opening, or have not installed the necessary protection software. This is the reason why hackers can easily install malware on their computers without being detected.

4. What can you do to protect yourself from AI scams?

In the age of technology, you are the “first line of defense” to protect your personal information and digital assets. Here are the dos and don’ts if you don’t want to become a victim of cyber fraud.

4.1. Things to DO

Always visit the official page of the AI ​​tool

If you want to try a tool like Runway, Luma AI, or Canva Dream Lab, type the website address directly into your browser, for example:

https://www.luma.ai/

https://runwayml.com/

https://www.canva.com/

Avoid clicking on links in ads unless you are sure they are a reliable source.

Use reputable security software

Install antivirus (like Kaspersky, Bitdefender, Norton...)

Turn on firewall.

Use additional anti-malware tools like Malwarebytes to detect unusual behavior early.

This is a necessary layer of protection if you accidentally access a dangerous site.

Enable two-factor authentication (2FA)

For important accounts such as:

Personal/work email

Social media accounts

Cloud storage or financial services

Enabling 2FA will help prevent hackers from gaining access even if they have your password.

Regular software updates

Make sure:

The operating system is always at the latest version.
Web browsers and anti-virus software are updated regularly.
Security patches help you plug exploitable holes.

4.2. Things NOT to do

Do not download software from ads without verification

Unless you check the source, never click “Download” from an ad that appears on Facebook, LinkedIn, or any other platform. Instead, manually search for the tool name and visit the official site.

Do not provide personal information to unknown sources

If an email, pop-up, or web page asks:

Login to access AI tool
Enter OTP code or card information
Confirm account access
Be suspicious immediately. This could be a ploy to steal information.

Do not save financial information on the browser

Although convenient, saving bank card, e-wallet or financial account information in the browser is a risky action if the device is accidentally taken over.

If you need to buy products online, use a virtual wallet or separate payment card, and limit linking to your main account.

5. What does Meta say about this campaign?

After a report from cybersecurity firm Mandiant was published, Meta - the parent company of Facebook and Instagram - officially spoke out about the fake advertising campaign of AI video tools that is causing confusion in the community.

According to information from Meta, they received a warning from Mandiant and immediately deployed countermeasures:

Remove a series of malicious ads that show signs of impersonating AI tools such as Luma, Runway, Canva...
Enhanced early detection of abnormal advertising behavior based on AI analysis of user behavior, keywords, and display frequency.
Meta also said it is working with outside security experts to update its ad filtering algorithms to be more sophisticated, minimizing hackers' exploitation of the platform to spread malware.

While Meta is actively handling the incident, they also emphasize one clear fact: Security is not only the platform's responsibility, but also the personal responsibility of each user.

Meta encourages users to:

Proactively report suspicious ads via the “Report Ad” button displayed in the upper right corner of each ad.
Use Facebook's Link Scanner to verify the safety of a link before clicking.
Always check the website address and do not log into your personal account from unknown sites.
Even though Meta and other major platforms have implemented censorship measures, hackers are still finding new ways to “get around the rules.” They can:

Change domain name daily to avoid being scanned.
Use real brand images and logos to build trust.
“Test” ads with normal content before changing to malicious content after approval.
Therefore, no system is 100% perfect, and self-awareness when interacting with new technology is the strongest shield to help you avoid risks.

The rapid development of AI brings great opportunities, but also brings many new risks. When you see an advertisement for a “super cool” and “free” AI video maker on social media, do not click on it. Being a little careful can help you avoid losing information, assets and time. Be a smart user, experience new technology selectively, safely and proactively.