Cyble Uncovers Global AI-Assisted Phishing Campaign Exploiting Browser Permissions to Harvest Biometric Data

Cyble, the leading AI-powered cyber threat intelligence company, announced the discovery of a sophisticated and highly active social engineering campaign leveraging Artificial Intelligence to harvest sensitive biometric and device data from unsuspecting users.

Unlike traditional phishing attacks that primarily target login credentials, this new wave of attacks—identified by Cyble Research & Intelligence Labs (CRIL)—abuses browser-level hardware permissions. By tricking users into granting access to their cameras and microphones under the guise of “identity verification” or “service recovery,” threat actors are able to capture live images, video recordings, and audio directly from victim devices.

Key Findings from the Research:

· AI-Enhanced Development: The campaign’s operational logic contains structured annotations and emoji-based formatting, indicating the use of generative AI tools to accelerate the creation of malicious code.

· Biometric Harvesting: Attackers bypass traditional security by using legitimate browser APIs to exfiltrate high-resolution facial images and audio, which can be weaponized for deepfake attacks or bypassing Video-KYC (Know Your Customer) protocols.

· Abuse of Trusted Brands: The campaign impersonates popular platforms including TikTok, Telegram, Instagram, and Google Chrome, using lures such as “ID Scanners” and “Health Fund AI” to gain user trust.

· Scalable Infrastructure: Threat actors are utilizing edgeone.app infrastructure for low-cost hosting and Telegram Bot APIs as a streamlined Command and Control (C2) channel for data exfiltration.

Beyond the Screen: The Business Impact

The breadth of data collected—including approximate geographic location, contact lists, and device telemetry—allows attackers to build comprehensive victim profiles. For organizations, this results in:

· Increased Risk of Account Takeover (ATO): Stolen media can be used to bypass remote identity verification.

· Extortion and Fraud: Captured multimedia provides fuel for blackmail or sophisticated Business Email Compromise (BEC) attempts.

· Reputational Damage: The misuse of brand identities in these campaigns erodes consumer trust in digital onboarding systems.

Recommendations for Users and Organizations

Cyble recommends that users remain vigilant when websites request hardware permissions. “If a site you don’t recognize asks for camera or microphone access, deny it immediately,” warns the CRIL team. Organizations are encouraged to implement domain monitoring for suspicious infrastructure and restrict outbound traffic to unauthorized messaging APIs like Telegram within corporate environments.
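As an added illustration of the monitoring recommendation (not code from Cyble or CRIL), the sketch below scans web-proxy logs for visits to edgeone.app-hosted pages and for Telegram Bot API calls. The log layout, client addresses, hostnames and tokens are constructed for the example, and it assumes the proxy records full URLs (TLS inspection) and the Referer header.

```python
import re
from urllib.parse import urlsplit

WATCHED_SUFFIXES = ("edgeone.app",)         # hosting named in the report
BOT_API_HOST = "api.telegram.org"           # Telegram Bot API endpoint
BOT_PATH = re.compile(r"^/bot[^/]+/(\w+)")  # /bot<token>/<method>
MEDIA_METHODS = {"sendphoto", "sendvideo", "sendaudio", "sendvoice", "senddocument"}

# Constructed sample lines: "<timestamp> <client_ip> <verb> <url> <referer>"
SAMPLE_LOG = """\
2025-01-10T09:00:01Z 10.0.0.12 GET https://verify-demo.edgeone.app/index.html -
2025-01-10T09:00:09Z 10.0.0.12 POST https://api.telegram.org/bot0000000000:CONSTRUCTED/sendPhoto https://verify-demo.edgeone.app/
2025-01-10T09:02:00Z 10.0.0.40 GET https://api.telegram.org/bot1111111111:CONSTRUCTED/getUpdates -
2025-01-10T09:03:00Z 10.0.0.41 GET https://notedgeone.app/ -
2025-01-10T09:04:00Z 10.0.0.42 GET https://web.telegram.org/a/ -
"""

def _host(url):
    # Returns "" for "-" or anything without a hostname.
    return (urlsplit(url).hostname or "").lower()

def _watched(host):
    # Exact match or true subdomain only, so "notedgeone.app" does not match.
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def scan(lines):
    """Return (client_ip, rule, detail) tuples; bot tokens are never copied out."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        _ts, client, _verb, url, referer = parts
        host = _host(url)
        if _watched(host):
            findings.append((client, "watched-hosting", host))
        elif host == BOT_API_HOST:
            m = BOT_PATH.match(urlsplit(url).path)
            if not m:
                continue
            api_method = m.group(1)
            # Media pushed to a bot from a page on watched hosting is the
            # strongest signal; any other Bot API call is reported for review.
            if api_method.lower() in MEDIA_METHODS and _watched(_host(referer)):
                rule = "media-upload-from-watched-page"
            else:
                rule = "bot-api-call"
            findings.append((client, rule, api_method))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

Legitimate services are also hosted on shared platforms and some internal tooling uses Telegram bots, so findings are triage leads to check against an allowlist rather than verdicts.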


Disclaimer: The above press release has been provided by Newsmaker Media. CXO Digital Pulse holds no responsibility for its content in any manner.
Reproduction or Copying in part or whole is not permitted unless approved by author.
