- Security researchers discover hundreds of fake Reddit and WeTransfer pages
- They are used in an elaborate scheme to deploy Lumma Stealer.
- The pages are well built and are probably distributed through malicious SEO poisoning and landing pages.
There are hundreds of fake Reddit and WeTransfer websites, all designed to trick people into downloading and running the Lumma Stealer malware, experts have warned.
Sekoia's cybersecurity researchers have shared a full list of the pages on GitHub, which includes 59 fake Reddit pages and 407 fake WeTransfer pages.
The tactic is simple: the fake Reddit page shows a thread in which someone asks for help finding a specific piece of software. One of the replies shares a link to the fake WeTransfer page, where the tool can be downloaded. Other people in the thread express their thanks for the contribution and the discussion continues.
Targeting forensic analysts
The researchers could not say with certainty how victims end up on these pages, but it is safe to assume that some SEO poisoning, malicious landing pages or instant messaging is involved.
The choice of fake software is also curious. In general, this is where researchers can find clues about who the targets are. If the attackers counterfeit software development tools, the targets are developers. If they are fake games, crypto wallets or Discord clients, the targets are retail investors in the web3 space.
In the example shared by Sekoia's researchers, the attackers chose OpenText EnCase Forensic, a tool used to scan, collect and preserve forensic data for law enforcement, government agencies and corporate investigations. This is not exactly software that the police, cybersecurity professionals or companies would pirate, and it is not something the average internet user would need.
Both the Reddit and the WeTransfer page were designed to be almost identical to the originals. Their URLs contain the brand names, followed by random numbers and characters. Both sit on .org and .net top-level domains, which further adds to their apparent legitimacy.
However, clicking the download button on the WeTransfer page fetches Lumma Stealer hosted on “weighcobweo[.]top”.
Via BleepingComputer
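A defender-side check for the URL pattern described above (brand name followed by a random suffix, on a domain that is not the brand's own). This is an added example, not code from Sekoia or the article; the legitimate-domain lists and the sample URLs are constructed assumptions for illustration.

```python
"""Flag brand-impersonating hostnames such as the fake Reddit / WeTransfer pages.

Added example, not Sekoia's or the article's code. Sample URLs are constructed;
only the pattern (brand + random suffix on .org/.net) comes from the article.
"""
import re
from typing import Optional
from urllib.parse import urlparse

# Assumption: these are the only registrable domains treated as genuine.
LEGIT_DOMAINS = {
    "reddit": {"reddit.com", "redd.it", "redditstatic.com"},
    "wetransfer": {"wetransfer.com", "we.tl"},
}

# Constructed sample, e.g. URLs pulled from a proxy log. Not real indicators.
SAMPLE_URLS = [
    "https://www.reddit.com/r/sysadmin/comments/abc123/",   # genuine
    "https://reddit-8f2k1x.org/r/forensics/encase-download",  # constructed lookalike
    "https://wetransfer-q7z93b.net/downloads/encase.zip",   # constructed lookalike
    "https://we.tl/t-abc",                                  # genuine short link
]

def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for .com/.org/.net/.top."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def classify_url(url: str) -> Optional[dict]:
    """Return a finding when the hostname mentions a brand but is not the brand's domain."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    for brand, legit in LEGIT_DOMAINS.items():
        if brand in host and reg not in legit:
            sld, tld = reg.split(".", 1)[0], reg.rsplit(".", 1)[-1]
            # The article notes random numbers/characters after the brand name.
            suffix = sld.split(brand, 1)[1] if brand in sld else ""
            random_suffix = bool(re.fullmatch(r"[a-z0-9-]{3,}", suffix))
            return {"url": url, "host": host, "brand": brand,
                    "tld": tld, "random_suffix": random_suffix}
    return None

def scan(urls):
    """Run classify_url over a list of URLs and keep only the findings."""
    return [f for f in (classify_url(u) for u in urls) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_URLS):
        print(finding)
```

Extend LEGIT_DOMAINS with whatever brands your organisation sees impersonated; a finding with a .org/.net TLD and a random suffix matches the pattern Sekoia observed and is worth a block at the proxy.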