- Security researchers discover hundreds of fake Reddit and WeTransfer pages
- These are used in an elaborate scheme to deploy the Lumma Stealer
- The pages are well-built and probably distributed via SEO poisoning and malicious landing pages
There are hundreds of fake Reddit and WeTransfer websites out there, all designed to trick people into downloading and running the Lumma Stealer malware, experts have warned.
Cybersecurity researchers from Sekoia have shared a complete list of the pages on GitHub, which includes 59 fake Reddit pages, and 407 fake WeTransfer pages.
The tactic is simple: the fake Reddit page displays a thread in which a person asks help finding a specific piece of software. One of the responses shares a link to the fake WeTransfer page, where the tool can be downloaded. Other people in the thread share their thanks for the contribution, and the discussion continues.
Targeting forensic analysts
The researchers could not say for certain how victims end up on these pages, but it’s safe to assume there is a little SEO poisoning, malicious landing pages, or instant messaging communication involved.
The choice of fake software is also curious. Usually, that is where researchers could find clues to who the targets are. If the attackers are faking software development tools, the targets are devs. If they’re faking games, crypto wallets, or Discord clients, the targets are retail buyers in the Web3 space.
In the example shared by Sekoia researchers, the attackers went for OpenText Encase Forensic – a tool used for scanning, collecting, and securing forensic data for law enforcement, government agency and corporate investigations. This is not exactly software the police, cybersecurity pros, or enterprises would pirate, and also not something average internet users would need.
Both the Reddit and WeTransfer pages were designed to look almost identical to the originals. Their URLs both contain brand names, followed by random numbers and characters. They are both on .org and .net top-level domains, further boosting their legitimacy.
However, clicking the download button on the WeTransfer one leads to Lumma Stealer hosted on “weighcobbweo[.]top.”
Via BleepingComputer