Hundreds of Fake Reddit Sites Push Lumma Stealer Malware
Summary:
Almost 1,000 fake websites, discovered by Sekoia researcher “crep1x”, are being used by a threat actor to deliver the Lumma Stealer malware to victims’ machines. The pages mimic Reddit and the WeTransfer file-sharing service and rely on social engineering: the fake Reddit page displays a specially crafted discussion thread in which a user asks for help downloading a specific tool, and another user offers assistance by sharing a link to the tool they supposedly uploaded to WeTransfer. To make the lure appear more legitimate, the fake original poster thanks the link sharer and claims the link worked. Victims who click the link are taken to a fake WeTransfer site that mimics the service’s interface and displays a download button pointing to the Lumma Stealer payload hosted on “weighcobbweo[.]top”. Every domain used in this campaign consists of the impersonated brand’s name followed by random numbers and characters, so it looks legitimate to anyone not paying close attention, and the top-level domains of all observed fake sites are “.org” or “.net”.
Security Officer Comments:
There are 529 pages impersonating Reddit and 407 posing as the official WeTransfer service serving a download. Sekoia researcher “crep1x” has shared a full list of the fake web pages used in this scheme in a post on X (linked below). A year ago, the same researcher discovered a similar campaign in which 1,300 sites abused the AnyDesk brand to push the Vidar Stealer malware. Although it is unclear exactly how users are directed to these fake Reddit pages, likely candidates include redirection from phishing sites, SEO poisoning, malvertising, or a combination of these. Another researcher, “Niranjan”, noted on X (Twitter) that he observed Reddit pages using the exact same lure template, with the adversary using SEO poisoning to get victims to click a Google Colab notebook link that leads to a fake Reddit page. Taken together, the two researchers’ findings strongly suggest that SEO poisoning is at least one of the initial access vectors for these attacks and give a reasonably clear outline of the infection chain: poisoned search result, Google Colab notebook link, fake Reddit thread, fake WeTransfer page, Lumma Stealer payload.
Suggested Corrections:
- Phishing Awareness Training: Regular training programs to educate employees on recognizing and avoiding phishing attempts, including those involving fake websites, malicious domains, and SEO poisoning. Teach them to spot suspicious URLs, hover over links to see the actual destination, be wary of unexpected emails or messages, and verify the authenticity of websites before entering sensitive information.
- Develop and enforce strong security policies: Establish clear policies regarding email usage, password security, data handling, and acceptable use of public internet.
- Deploy web filters: Block access to known malicious websites, phishing sites, and sites hosting malware.
- Utilize URL filtering: Block access to URLs that match known malicious patterns. For this campaign that means domains beginning with “reddit” or “wetransfer” followed by random numbers and characters on the “.org” or “.net” top-level domains, and the payload host “weighcobbweo[.]top”.
- Implement content filtering: Analyze website content for malicious code or suspicious activity.
- Antivirus & Anti-malware software: Install and maintain up-to-date antivirus and anti-malware software on all devices.
- Endpoint Detection and Response (EDR) solutions: Implement advanced threat hunting and response capabilities.
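The naming pattern described in the summary (brand name followed by random numbers and characters, on .org or .net) and the URL-filtering recommendation above can be turned into a simple detection rule run over proxy logs. The script below is an added example written for this page; it is not code from Sekoia, the researchers, or the report. The log format, the client IPs, and every fake domain in the sample log except weighcobbweo[.]top are constructed for illustration and are not entries from the published list; the allowlist of brand-owned domains and the "brand plus three or more random characters" regex are assumptions an analyst should tune to their own environment.

```python
import re
from typing import Iterable, Iterator, List, Optional, Tuple
from urllib.parse import urlparse

# Values taken from the report: the two impersonated brands, the TLDs seen
# on the fake sites, and the one payload host the report names.
IMPERSONATED_BRANDS = ("reddit", "wetransfer")
OBSERVED_TLDS = ("org", "net")
PAYLOAD_HOSTS = {"weighcobbweo.top"}

# Assumption: domains the brands legitimately use. Maintain this list from
# your own inventory; these four are well-known brand-owned domains.
LEGITIMATE_DOMAINS = {"reddit.com", "redd.it", "wetransfer.com", "we.tl"}

# Assumption: a lookalike label is the brand name followed by at least three
# letters/digits (the report's "brand string + random numbers and characters").
# The minimum length keeps ordinary words such as "redditor" from matching.
LOOKALIKE_LABEL = re.compile(
    r"^(?P<brand>" + "|".join(IMPERSONATED_BRANDS) + r")[a-z0-9]{3,}$"
)


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels of a host, lower-cased.

    Sufficient for .org/.net/.top; a production rule should use the Public
    Suffix List so multi-label suffixes such as co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str) -> Optional[str]:
    """Classify one hostname.

    Returns "payload" for the known Lumma payload host, "lookalike" for a
    brand-prefixed domain on one of the observed TLDs, or None otherwise.
    """
    domain = registrable_domain(host)
    if domain in PAYLOAD_HOSTS:
        return "payload"
    if domain in LEGITIMATE_DOMAINS:
        return None
    label, _, tld = domain.rpartition(".")
    if tld in OBSERVED_TLDS and LOOKALIKE_LABEL.match(label):
        return "lookalike"
    return None


def scan_proxy_log(lines: Iterable[str]) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (timestamp, client_ip, host, verdict) for every flagged request.

    Expected line shape (constructed for this example, not a real proxy
    format): "<timestamp> <client_ip> <url>". Malformed lines are skipped.
    """
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, url = parts
        host = urlparse(url).hostname  # urlparse lower-cases the hostname
        if not host:
            continue
        verdict = classify_host(host)
        if verdict:
            yield (ts, client, host, verdict)


# Constructed sample log. The fake domains are illustrative shapes only and
# are not taken from the published list; weighcobbweo.top is from the report.
SAMPLE_LOG = """\
2025-01-21T10:01:02Z 10.0.0.7 https://www.reddit.com/r/sysadmin/
2025-01-21T10:03:15Z 10.0.0.7 https://reddit19kxz.org/r/help/
2025-01-21T10:03:40Z 10.0.0.7 https://wetransfer7h2q.net/downloads/tool.zip
2025-01-21T10:04:01Z 10.0.0.7 https://weighcobbweo.top/file.zip
2025-01-21T10:05:30Z 10.0.0.9 https://wetransfer.com/
2025-01-21T10:06:00Z 10.0.0.9 https://redditor.net/
garbage line
""".splitlines()


def flagged_hosts(lines: Iterable[str] = SAMPLE_LOG) -> List[Tuple[str, str]]:
    """Return (host, verdict) pairs for flagged requests, in log order."""
    return [(host, verdict) for _, _, host, verdict in scan_proxy_log(lines)]


if __name__ == "__main__":
    for ts, client, host, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{ts} {client} {host} -> {verdict}")
```

Running the script flags the two lookalike domains and the payload host while leaving the real reddit.com and wetransfer.com traffic, and the unrelated redditor.net, unflagged. The regex is deliberately narrow (brand prefix plus random suffix on the observed TLDs) so that it can be deployed as a blocking rule with a low false-positive rate; widen it to other TLDs only as a hunting query, not as a block.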
https://www.bleepingcomputer.com/news/security/hundreds-of-fake-reddit-sites-push-lumma-stealer-malware/
https://x.com/crep1x/status/1881404758843699402