- Security researchers discover hundreds of fake Reddit and WeTransfer pages
- These are used in an elaborate scheme to deploy the Lumma Stealer
- Pages are well constructed and likely distributed via SEO poisoning and malicious landing pages
There are hundreds of fake Reddit and WeTransfer websites, all designed to trick people into downloading and running Lumma Stealer malware, experts have warned.
Cybersecurity researchers at Sekoia shared a comprehensive list of pages on GitHub, which includes 59 fake Reddit pages and 407 fake WeTransfer pages.
The tactic is simple: The fake Reddit page displays a thread in which a person asks for help finding specific software. One of the answers shares a link to the fake WeTransfer page, where the tool can be downloaded. Others in the thread share thanks for their contribution and the discussion continues.
Targeting forensic analysts
Researchers couldn’t say for sure how victims end up on these pages, but we can assume it’s a little SEO poisoning, malicious landing pages, or instant messaging communication.
The choice of fake software is also curious. This is usually where researchers can find clues to the identity of targets. If attackers simulate software development tools, the targets are the developers. If they’re simulating games, crypto wallets, or Discord clients, the targets are retail buyers in the Web3 space.
In the example shared by Sekoia researchers, the attackers opted for OpenText Encase Forensic, a tool used to analyze, collect and secure forensic data for investigations by law enforcement, government agencies and businesses. It’s not exactly software that police, cybersecurity professionals, or businesses would pirate, nor is it something that average internet users would need.
The Reddit and WeTransfer pages were designed to look almost identical to the originals. Their URLs both contain brand names, followed by numbers and random characters. They both belong to the .org and .net top-level domains, further boosting their legitimacy.
However, clicking the WeTransfer download button leads to Lumma Stealer hosted on “weighcobbweo[.]high.”
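The naming pattern described above (a brand name followed by digits and random characters, registered under .org or .net) can be turned into a simple triage check for proxy or DNS logs. This is an added example, not code from the article or from Sekoia; the legitimate-domain list and the sample URLs are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Brands impersonated in the campaign, mapped to their legitimate registrable
# domains. The legitimate domains are an assumption, not taken from the article.
BRANDS = {
    "reddit": {"reddit.com", "redd.it"},
    "wetransfer": {"wetransfer.com", "we.tl"},
}
# The fake pages sat under these TLDs according to the report.
SUSPECT_TLDS = {"org", "net"}


def lookalike_verdict(url: str):
    """Return (brand, reason) when the host matches the lookalike pattern
    (brand prefix + a tail containing digits, on a suspect TLD), else None."""
    if "://" not in url:
        url = "http://" + url  # urlparse needs a scheme to populate hostname
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    if len(labels) < 2:
        return None
    sld, tld = labels[-2], labels[-1]  # naive registrable domain: last two labels
    registrable = f"{sld}.{tld}"
    for brand, legit in BRANDS.items():
        if registrable in legit:
            return None  # the real site, never flag it
        if sld.startswith(brand):
            tail = sld[len(brand):]
            # "brand name, followed by numbers and random characters"
            if tld in SUSPECT_TLDS and re.fullmatch(r"[-_]?[0-9a-z]*[0-9][0-9a-z]*", tail):
                return brand, f"brand prefix '{brand}' with tail '{tail}' under .{tld}"
    return None


def triage(urls):
    """Return only the URLs that look like impersonation pages, with reasons."""
    return [(u, v) for u in urls if (v := lookalike_verdict(u)) is not None]


# Constructed sample log entries; the hostnames are made up for illustration.
SAMPLE_URLS = [
    "https://www.reddit.com/r/software/comments/abc",
    "https://wetransfer.com/downloads/xyz",
    "https://reddit9k2f3.org/r/software/comments/abc",
    "https://wetransfer07xq.net/downloads/xyz",
]

if __name__ == "__main__":
    for url, (brand, reason) in triage(SAMPLE_URLS):
        print(f"{url}: impersonates {brand} ({reason})")
```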
Via BleepingComputer