Lumma Stealer Campaign Spoofs Reddit and WeTransfer Pages
Warning: Nearly 1,000 Fake Reddit and WeTransfer Pages Distributing Lumma Stealer Malware
Nearly 1,000 counterfeit Reddit and WeTransfer pages are being used to distribute the Lumma Stealer malware, according to a researcher at Sekoia.io. The campaign is a reminder that brand impersonation remains one of the most effective lures for getting users to download and run an infostealer, and that the domains involved follow a pattern defenders can look for.
Understanding the Lumma Stealer Malware Campaign
According to Sekoia's lead cybercrime analyst, known as crep1x, the fake pages were spotted and reported on X this week. The sites closely mimic the legitimate Reddit and WeTransfer interfaces, and their domain names contain "reddit" or "wetransfer" followed by a run of random letters and digits. Most of them sit on the .pw, .net, or .org top-level domains rather than the brands' real .com domains, so the hostname alone is enough to tell them apart if a user or a proxy actually looks at it.
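The domain pattern described above (brand name, random alphanumeric tail, .pw/.net/.org TLD) is simple enough to turn into a triage heuristic. The following is an added example written for this page, not code from Sekoia or from the researchers cited; the legitimate-domain lists, the minimum suffix length of three characters, the TLD weighting, and the sample proxy log lines are all my own constructed assumptions, and the two-label "registrable domain" shortcut would need a public-suffix list in production.

```python
import re
from urllib.parse import urlsplit

# Brands impersonated in the campaign and the domains those brands really use.
# Assumption: this list is illustrative, not exhaustive.
LEGIT = {
    "reddit": {"reddit.com", "redd.it", "redditmedia.com", "redditstatic.com"},
    "wetransfer": {"wetransfer.com", "we.tl"},
}
# TLDs the article reports on the spoof domains. Treated as a boost, not a requirement,
# so a brand lookalike on .com still gets flagged on the other heuristics.
CAMPAIGN_TLDS = {"pw", "net", "org"}


def hostname_of(value: str) -> str:
    """Accept a bare hostname or a full URL; return the lower-cased host without a trailing dot."""
    if "://" not in value:
        value = "//" + value  # let urlsplit treat the whole thing as a netloc
    host = urlsplit(value).hostname or ""
    return host.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Last two labels. Adequate for .pw/.net/.org/.com; use a public-suffix list for real deployments."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def lookalike_reasons(value: str) -> list[str]:
    """Return the heuristics that fire for a hostname or URL; an empty list means not flagged."""
    host = hostname_of(value)
    reg = registrable_domain(host)
    # Any subdomain of a brand's own registrable domain is legitimate, including names
    # like redditmedia.com that contain the brand string.
    if any(reg in domains for domains in LEGIT.values()):
        return []
    reasons = []
    for brand in LEGIT:
        if brand not in host:
            continue
        reasons.append(f"'{brand}' appears in {reg}, which is not a {brand} domain")
        # Brand immediately followed by 3+ letters/digits at the end of a label,
        # e.g. reddit8h3kq or wetransfer-4zx9 (assumed minimum length of 3).
        pattern = rf"{brand}[-_]?[a-z0-9]{{3,}}$"
        if any(re.search(pattern, label) for label in host.split(".")):
            reasons.append(f"'{brand}' followed by a random-looking run of letters/digits")
    tld = host.rsplit(".", 1)[-1]
    if reasons and tld in CAMPAIGN_TLDS:
        reasons.append(f"TLD .{tld} matches the campaign's .pw/.net/.org pattern")
    return reasons


# Constructed sample proxy log (timestamp, method, URL); not real traffic.
SAMPLE_PROXY_LOG = """\
2025-01-23T10:01:02Z GET https://www.reddit.com/r/techsupport/comments/xyz/
2025-01-23T10:01:09Z GET https://reddit8h3kq.pw/r/techsupport/
2025-01-23T10:01:15Z GET https://wetransfer-4zx9.org/downloads/
2025-01-23T10:02:00Z GET https://we.tl/t-abc123
"""


def flagged_in_log(log_text: str) -> dict[str, list[str]]:
    """Run the heuristic over each URL in the log; map flagged hostnames to their reasons."""
    hits: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        url = parts[2]
        reasons = lookalike_reasons(url)
        if reasons:
            hits[hostname_of(url)] = reasons
    return hits


if __name__ == "__main__":
    for host, reasons in flagged_in_log(SAMPLE_PROXY_LOG).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

The legitimate-domain check runs before the brand-substring check so that real subdomains such as www.reddit.com and short links on we.tl are never flagged, while a hostname like reddit.com.example.pw (brand in a subdomain of an unrelated domain) still is.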
How the Fake Pages Operate
The counterfeit Reddit pages are designed to simulate realistic conversations, where a user asks for software recommendations, and another user provides a link to a WeTransfer page for the download. For example, one fake page imitated a post from the popular r/techsupport subreddit, which has a community of over 3 million members.
Once users click the WeTransfer link, they land on a spoofed page that offers a password-protected archive supposedly containing the requested software. The archive actually carries an AutoIt dropper known as SelfAU3, which installs the Lumma infostealer on the victim's machine. Password-protecting the archive is a deliberate choice: the password stops mail gateways and endpoint scanners from inspecting the contents, while the user, who has just been told the password on the page, sees nothing unusual.
The Spread of Phishing Links
Crep1x was not certain how victims reach the phishing links, suggesting SEO poisoning, malvertising, or links posted on other websites as likely routes. Another researcher, nhegde610, had found the same campaign in late December but was unable to obtain the malware payload at the time.
Notably, a screenshot shared by nhegde610 showed the fake Reddit page being reached from a Google Colab notebook, which is consistent with the attackers using a trusted, search-indexed hosting service to surface their links.
Targeting Windows Users
The malicious sites check that the visitor is on Windows and coming from a residential IP address before redirecting to the fraudulent WeTransfer page. Both checks filter out automated scanners, sandboxes, and analysts browsing from cloud or corporate ranges, which is why a quick curl from a datacenter host will often show nothing suspicious; anyone reproducing the chain needs a Windows user agent and residential egress to see the redirect.
Cybercriminal Tactics and Historical Context
Spoofing and impersonating trusted websites have become common strategies among cybercriminals. For instance, crep1x previously identified a similar campaign in 2023 involving over 1,300 domains that imitated the AnyDesk website, leading to the installation of the Vidar infostealer. Similarly, Malwarebytes’ Senior Director of Threat Intelligence, Jérôme Segura, discovered a convincing imitation of the Bitwarden website in 2023 that was designed to spread a remote access trojan called ZenRAT.
Lumma Stealer, also known as LummaC2, is a malware-as-a-service (MaaS) infostealer that harvests credentials, browser cookies, and cryptocurrency wallet data. According to SpyCloud's 2024 Malware and Ransomware Defense Report, Lumma was the infostealer most often found on victim systems in the period before a ransomware attack, which is why stolen-session and credential data from it should be treated as a precursor to follow-on intrusion rather than an isolated incident.
Stay Informed and Safe
As the Lumma Stealer campaign continues to evolve, users should stay informed and treat software recommendations in forum threads with caution. Verify that the hostname is exactly reddit.com or wetransfer.com (or their short-link domains redd.it and we.tl) before clicking, be wary of unsolicited links even on familiar platforms, and treat any "software" delivered as a password-protected archive with the password printed on the download page as a red flag.