
A call for improved accountability of tech giants

Tech giants should be held accountable as malware spreads through fake Sora ad

Tech giants deserve far more scrutiny and consequence after cybercriminals exploited the Sora AI brand to distribute malware through deceptive ads on their platforms. The scam involves fake websites designed to look identical to the official Sora AI homepage, complete with working videos and convincing design elements. The bait was a supposed "new prompt engine tool," which, when downloaded, installed a trojan that quietly stole user data and sent it to attackers via Telegram.

This incident has once again raised questions about tech giants’ advertising policies and their responsibility to protect their users from such threats. By allowing these deceptive ads, tech giants not only profited from the scammers but willingly helped cybercriminals identify and gain direct access to potential victims. To add insult to injury, the crime was uncovered months ago, yet the platforms are still profiting from the facilitation of the crime.

The Sophisticated Scam Behind the Malware

Cybersecurity firm Cyble revealed that cybercriminals have been using convincing copies of Sora AI’s website to lure victims. These fake sites used “typo-squatted” domains (web addresses with minor misspellings of the legitimate domain) to make them appear real. The design of these sites was so well-crafted that even tech-savvy users could easily be fooled.

Malicious ads promoting these fake sites were approved and displayed on social media platforms, greatly expanding their reach. Users who were prequalified by the advertising system’s data insights and who clicked on the ads were redirected to the fraudulent site, where they were encouraged to download an executable (.exe) file posing as a new tool. Once installed, the file operated covertly, collecting sensitive information such as login credentials, personal files, and browser data, and then sending this data to attackers via encrypted channels.

Tech giants’ role in the security breach

The real issue here lies in platforms’ role in this cybersecurity breach. By allowing the malicious ads, they essentially sold access to their user base without properly vetting the advertiser – and continued to do so for months after the crime had been exposed.

These advertising platforms serve billions of users worldwide, but their failure to perform due diligence has put those users at risk and damaged trust in online platforms. This is not an isolated case: these platforms have faced multiple accusations in the past for hosting misleading or harmful ads. Their automated ad approval process is simply not rigorous enough, making it easy for bad actors to exploit the system and use the platforms’ own customer profiling to identify the most vulnerable victims.

The Psychology of the Scam

Why do such scams work so well? It comes down to the neuroscience of human cognition. Cybercriminals exploit cognitive biases and emotional triggers to manipulate people into taking actions they might normally avoid.

The excitement of a new, cutting-edge tool can trigger the brain to release dopamine, which enhances focus on the potential reward. This “reward-induced blindness” diminishes a person’s ability to critically assess risks, making them more susceptible to scams—especially when the bait matches their interests.

Pushing for Greater Accountability

In response to incidents like this, lawmakers need to seriously consider strategies to hold tech giants accountable for the security failures that allow scams to spread. One solution is to mandate that platforms implement the highest reasonable security checks for ads and prove they’ve done everything possible to prevent harmful content from reaching users. Failure to comply should result in heavy fines that cover the societal costs of the crimes enabled by these platforms.

The truth is, implementing measures like running a simple bot to check the links provided by advertisers would be an easy enhancement. Considering the complexity of their advertising systems—designed to extract maximum revenue from advertisers—investing in straightforward security measures should be a no-brainer.
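As an added illustration (not code from Cyble or from any ad platform), here is a sketch of the link-checking bot described above, aimed at the typo-squatted domains discussed earlier: it compares each advertiser landing URL against a list of protected brand domains. The domain `soraai.example`, the sample URLs and the function names are constructed for this example, and it compares individual host labels instead of consulting the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed placeholder for the advertised brand's genuine domain (not a real site).
PROTECTED = {"soraai.example"}
# Digit-for-letter swaps commonly used in lookalike names.
FOLD = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s"})


def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def vet_ad_url(url, protected=PROTECTED, max_dist=1):
    """Return (verdict, reason) for an advertiser-supplied landing URL."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return ("block", "no hostname in URL")
    if any(host == p or host.endswith("." + p) for p in protected):
        return ("allow", "genuine brand domain")
    for label in host.split("."):
        if label.startswith("xn--"):
            return ("review", "internationalised label, check for homographs")
        folded = label.translate(FOLD).replace("-", "")
        for p in protected:
            brand = p.split(".")[0]
            if brand in folded:
                return ("block", f"brand name '{brand}' on unrelated host {host}")
            if edit_distance(folded, brand) <= max_dist:
                return ("block", f"'{label}' is within {max_dist} edit(s) of '{brand}'")
    return ("allow", "no resemblance to a protected brand")


# Constructed sample of advertiser landing URLs.
SAMPLE = [
    "https://www.soraai.example/",
    "https://sorai.example/download",
    "https://s0raai-prompt-engine.example/setup.exe",
    "https://soraai.example.cdn-host.test/",
    "https://weather.example/",
]

if __name__ == "__main__":
    for u in SAMPLE:
        print(u, "->", *vet_ad_url(u))
```

A production check would also follow redirects from the landing page and re-test the final hostname, since the URL submitted for approval is not always the one a user ends up on.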

Proposed Measures for Accountability

Some potential solutions to increase accountability include:

  1. Stricter Ad Vetting Processes: Platforms should improve their ad approval systems, using advanced algorithms and increased human oversight to detect and block malicious content.
  2. Financial Penalties: Significant fines should be imposed for non-compliance, accumulating daily until the company takes action.
  3. Transparency Reports: Platforms should be required to disclose their advertising practices, including the number of ads rejected for security reasons and the criteria used for approval.
  4. Third-Party Audits: Independent audits of platform security measures should be conducted to ensure compliance.
  5. User Compensation Funds: Funds collected from fines could be used to compensate victims of scams facilitated by the platforms.

These strategies aim to shift the cost of negligence back onto the platforms that profit from ad revenue. This creates a system where the financial risks of lax security outweigh the benefits of approving ads quickly.

Corporate Responsibility and Tech Solutions

As pressure mounts, tech companies need to invest in better detection technologies, such as machine learning models that identify malicious intent based on patterns and behaviors. While artificial intelligence can play a crucial role in stopping harmful ads before they reach users, technology alone isn’t enough—it must be part of a broader commitment to corporate responsibility.

Protecting Yourself in the Digital Age

While legislative and corporate measures are essential for long-term solutions, individuals must also take steps to protect themselves:

  • Be Skeptical of Unsolicited Offers: Treat unexpected ads or offers with caution, especially if they seem too good to be true.
  • Verify Website Authenticity: Check URLs for misspellings, unusual domain extensions, or discrepancies in security certificates.
  • Download Software Cautiously: Only download software from official websites or verified app stores.
  • Stay Informed: Educate yourself about common scams and stay updated on threats in your areas of interest.
  • Utilize Security Tools: Use reputable antivirus and anti-malware programs, and keep them updated.

Tech giant platforms’ failure to prevent malware distribution via fake ads for Sora AI highlights a significant vulnerability in our digital world. It underscores the need for a combination of legislative action, corporate responsibility, and personal vigilance to protect users from cyber threats.

Tech giants must prioritize user safety alongside profit by implementing rigorous security measures and facing penalties for non-compliance. In the meantime, individuals should stay cautious and informed to navigate an increasingly sophisticated online environment.


Stefan Sojka

Managing Director