Fake Reddit sites found pushing Lumma Stealer malware
Hackers are faking Reddit threads, trying to trick users into downloading malware
- Security researchers discover hundreds of fake Reddit and WeTransfer pages
- These are used in an elaborate scheme to deploy the Lumma Stealer
- The pages are well-built and probably distributed via SEO poisoning and malicious landing pages
There are hundreds of fake Reddit and WeTransfer websites out there, all designed to trick people into downloading and running the Lumma Stealer malware, experts have warned.
Cybersecurity researchers from Sekoia have shared a complete list of the pages on GitHub, which includes 59 fake Reddit pages, and 407 fake WeTransfer pages.
The tactic is simple: the fake Reddit page displays a thread in which a person asks help finding a specific piece of software. One of the responses shares a link to the fake WeTransfer page, where the tool can be downloaded. Other people in the thread share their thanks for the contribution, and the discussion continues.
Targeting forensic analysts
The researchers could not say for certain how victims end up on these pages, but SEO poisoning, malicious landing pages, or links shared over instant messaging are the likely delivery channels.
The choice of faked software is also curious, because that is usually where researchers find clues about who the targets are. If the attackers fake software development tools, the targets are developers. If they fake games, crypto wallets, or Discord clients, the targets are retail users in the Web3 space.
In the example shared by Sekoia researchers, the attackers went for OpenText Encase Forensic - a tool used for scanning, collecting, and securing forensic data for law enforcement, government agency and corporate investigations. This is not exactly software the police, cybersecurity pros, or enterprises would pirate, and also not something average internet users would need.
Both the Reddit and WeTransfer pages were designed to look almost identical to the originals. Their URLs both contain the brand name, followed by random numbers and characters, and both sit on .org and .net top-level domains, which adds to their perceived legitimacy.
However, clicking the download button on the WeTransfer one leads to Lumma Stealer hosted on “weighcobbweo[.]top.”
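To make the URL pattern described above concrete, here is an added example in Python that is not code from Sekoia, TechRadar or BleepingComputer. It classifies URLs by whether an impersonated brand name appears in the registrable domain padded with extra characters or on an unexpected TLD, and accepts defanged input as analysts usually share it. The allowlist, the verdict names and every sample URL are assumptions constructed for illustration; the only real indicator is the payload host quoted in the article.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of legitimate registrable domains for each brand the
# campaign imitates. Extend it with the brand's CDN/shortlink domains as needed.
BRAND_ALLOWLIST = {
    "reddit": {"reddit.com", "redd.it"},
    "wetransfer": {"wetransfer.com", "we.tl"},
}

# The payload host the article names, stored defanged as analysts share it.
KNOWN_PAYLOAD_HOSTS = {"weighcobbweo[.]top"}

# Constructed sample inputs. Apart from the payload host above, none of these
# are real indicators from the Sekoia list; they only mimic the pattern the
# article describes (brand name plus random characters on .org/.net).
SAMPLE_URLS = [
    "https://www.reddit.com/r/forensics/comments/abc123/encase_download/",
    "https://wetransfer.com/downloads/xyz",
    "https://reddit4817xq.org/r/forensics/comments/zz9/encase_request",
    "https://wetransfer-92k3a.net/downloads/encase_forensic.zip",
    "https://www.reddit.net/r/forensics",
    "https://reddit.example-cdn.org/r/forensics",
    "https://example.org/blog/reddit-thread-recap",
    "hxxps://weighcobbweo[.]top/EncaseForensic.zip",
]


def refang(value: str) -> str:
    """Turn defanged notation ('hxxp', '[.]', '(.)') back into something urlparse accepts."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value.strip(), flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: ignores multi-part public
    suffixes such as co.uk; use a public-suffix list in production."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> dict:
    """Classify one URL as legitimate, lookalike, suspicious, malicious or no_brand."""
    clean = refang(url)
    if "://" not in clean:
        clean = "http://" + clean
    host = (urlparse(clean).hostname or "").lower()
    reg = registrable_domain(host)
    verdict = {"url": url, "host": host, "registrable": reg}

    if host in {refang(h) for h in KNOWN_PAYLOAD_HOSTS}:
        return {**verdict, "verdict": "malicious", "reason": "known Lumma payload host"}

    for brand, allowed in BRAND_ALLOWLIST.items():
        if reg in allowed:
            return {**verdict, "verdict": "legitimate",
                    "reason": f"{reg} is an allowed {brand} domain"}

    label, _, tld = reg.partition(".")
    for brand in BRAND_ALLOWLIST:
        if brand in label:
            # Brand sits in the registrable label: either bare on the wrong TLD
            # (reddit.net) or padded with junk (reddit4817xq.org), as the article describes.
            padding = label.replace(brand, "", 1)
            reason = (f"brand label '{brand}' on unexpected TLD .{tld}" if not padding
                      else f"brand '{brand}' padded with '{padding}' on .{tld}")
            return {**verdict, "verdict": "lookalike", "reason": reason}
        if brand in host:
            return {**verdict, "verdict": "suspicious",
                    "reason": f"'{brand}' appears only in a subdomain of {reg}"}

    return {**verdict, "verdict": "no_brand", "reason": "no impersonated brand in the host"}


def scan(urls) -> list:
    """Return verdicts for every URL that is not clearly legitimate or brand-free."""
    return [v for v in map(classify_url, urls)
            if v["verdict"] in {"lookalike", "suspicious", "malicious"}]


if __name__ == "__main__":
    for v in scan(SAMPLE_URLS):
        print(f"{v['verdict']:<10} {v['host']:<28} {v['reason']}")
```

Run as-is it flags five of the eight constructed samples; a brand name that appears only in the URL path is deliberately not flagged, since that is how legitimate links to Reddit discussions look. The two-label domain extraction is a simplification, and in a real pipeline the allowlist should be checked against the organisation's own proxy logs before any blocking is applied.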
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.