Monday, February 10, 2025
HomeArtificial IntelligenceGoldDigger Malware Using Deep Fake AI Photos To Hijack Bank Accounts

GoldDigger Malware Using Deep Fake AI Photos To Hijack Bank Accounts

Published on

SIEM as a Service

Follow Us on Google News

Hackers use deep fake AI photos to impersonate individuals online, allowing them to deceive, manipulate, or gain unauthorized access to sensitive information or systems. 

Cybersecurity researchers at InfoBlox recently discovered GoldFamily, an evolved GoldDigger trojan targeting iOS devices to steal facial recognition data and bank access using AI for biometric authentication attacks. 

To defend proactively, Infoblox’s DNS Early Detection Program identifies potentially malicious domains rapidly before appearing on threat feeds, enabling early blocking to prevent attacks before the kill chain unfolds. 

GoldDigger Malware & Deep Fake

GoldFamily is an advanced version of GoldDigger that uses trickery to get people to give them facial recognition data and personal identification documentation. 

It focuses on Android (malicious app install) and iOS (MDM profile install directing to TestFlight URL) users, where it steals facial data, intercepts SMS, asks for ID images and serves as a network proxy once downloaded.

Document

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

In the case of iOS devices, the malware establishes communication with C2 over WebSockets for functions like heartbeat, initialization, photo requests, album sync, and self-destruct. 

The use of AI in deepfake authentication attacks demonstrates how much more complex cybersecurity defense needs to become.

Infoblox proactively identified suspicious GoldFamily domains months before OSINT disclosures in February 2024, with 70.83% flagged suspicious on average 197.7 days (6.5 months) earlier. 

Analysis showed that threat actors rapidly operationalized domains shortly after Infoblox’s designations, yet long before public visibility. While 64.71% were blocked within 2-3 days of registration, the expanded campaign potentially targeting financial institutions demands continued vigilance. 

This case highlights the benefits of early suspicious domain detection, which enables automated blocking well ahead of threat feed propagation from OSINT releases.

Proactive identification through DNS analysis empowers a defense-in-depth strategy.

Domains identified as suspicious prior to OSINT release (Source – InfoBlox)

Benchmarking threat intelligence feed performance can be done with WHOIS data, which shows domains blocked shortly after being registered – for example, 64.71% of GoldFamily domains within 2-3 days.

Malicious domains were rapidly identified as suspicious within days of WHOIS date (Source – InfoBlox)

If OSINT release dates are arguable and the sources can be overlooked, domain registration dates remain relatively accurate, thanks to WHOIS.

That’s because as soon as threat actors start rotating infrastructure, one can evaluate how effective suspicious DNS feeds are. 

So, the robust Early DNS Detection capabilities present tangible benefits in terms of timely detection, such as with emerging campaigns like GoldFamily.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

GitHub Copilot’s New Agent Mode Enables Autonomous Code Completion

GitHub has once again raised the bar for productivity in software development with the...

Marvel Game Vulnerability Exposes PCs & PS5s to Remote Takeover Attacks

A severe security vulnerability has been uncovered in the popular video game Marvel Rivals, raising...

Massive Brute Force Attack Launched With 2.8 Million IPs To Hack VPN & Firewall Logins

Massive brute force attacks targeting VPNs and firewalls have surged in recent weeks, with...

Penetration Testers Arrested During Approved Physical Penetration Testing

A routine physical penetration test conducted by cybersecurity professionals took an unexpected turn when...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Hackers Leveraging Image & Video Attachments to Deliver Malware

Cybercriminals are increasingly exploiting image and video files to deliver malware, leveraging advanced techniques...

Hackers Exploiting SimpleHelp Vulnerabilities to Deploy Malware on Systems

Cybercriminals are actively exploiting vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software to...