Nearly 1,000 fake Reddit and WeTransfer pages are being used to spread Lumma Stealer malware, a Sekoia.io researcher reported this week.
The Sekoia lead cybercrime analyst, who goes by crep1x, posted screenshots of the spoofed Reddit and WeTransfer pages on X Monday, and also shared a full list of the phishing domains.
The web pages, which appear nearly identical to the legitimate Reddit and WeTransfer user interfaces, all have domain names including “reddit” or “wetransfer” followed by one or two numbers and four random letters. The top-level domains of all the pages are either .pw, .net or .org.
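The naming pattern the researcher describes (a "reddit" or "wetransfer" prefix, one or two digits, four letters, on .pw, .net or .org) is specific enough to turn into a coarse detection rule. The following Python is an added example written for this page, not code from the article or from Sekoia.io; the proxy log lines are constructed, the log layout (timestamp, client IP, method, host, path, status) is an assumption, and so is treating the four letters as lowercase.

```python
import re

# Pattern as reported: "reddit" or "wetransfer", then one or two digits, then
# four letters, on .pw, .net or .org. Lowercase letters is an assumption; the
# report only says "four random letters", so the match is case-insensitive.
LOOKALIKE_RE = re.compile(
    r"^(?:reddit|wetransfer)\d{1,2}[a-z]{4}\.(?:pw|net|org)$",
    re.IGNORECASE,
)

# Constructed sample proxy log lines (not taken from the report).
# Fields: timestamp, client IP, method, host, path, status.
SAMPLE_PROXY_LOG = """\
2025-01-20T10:01:02Z 10.0.0.5 GET reddit.com /r/techsupport 200
2025-01-20T10:01:09Z 10.0.0.5 GET reddit12abcd.pw /r/techsupport/comments/x 200
2025-01-20T10:01:15Z 10.0.0.5 GET www.wetransfer7qwer.net /downloads/abc 200
2025-01-20T10:02:00Z 10.0.0.7 GET wetransfer.com /downloads/def 200
2025-01-20T10:02:30Z 10.0.0.7 GET reddit123abcd.org / 200
"""


def registered_domain(host: str) -> str:
    """Reduce a hostname to its last two labels so subdomains such as
    'www.' do not hide the lookalike registration."""
    labels = host.strip().lower().split(".")
    return ".".join(labels[-2:])


def is_lookalike(host: str) -> bool:
    """Return True if the host's registered domain matches the reported pattern."""
    return LOOKALIKE_RE.match(registered_domain(host)) is not None


def flag_lookalike_hosts(log_text: str) -> list[tuple[str, str]]:
    """Scan whitespace-separated proxy log lines and return (client, host)
    pairs whose host matches the reported naming pattern."""
    hits: list[tuple[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed or truncated lines
        client, host = parts[1], parts[3]
        if is_lookalike(host):
            hits.append((client, host))
    return hits


if __name__ == "__main__":
    for client, host in flag_lookalike_hosts(SAMPLE_PROXY_LOG):
        print(f"lookalike domain contacted: client={client} host={host}")
```

The rule is deliberately narrow: the real reddit.com and wetransfer.com never match because they lack the digit-plus-letters suffix and use a different TLD, and a three-digit variant is rejected as well. It is a triage signal for proxy or DNS logs, to be used alongside the researcher's published domain list rather than as a substitute for it.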
The fake Reddit pages are designed to imitate realistic Reddit conversations in which a user requests help finding a particular software and another user responds with a link to a WeTransfer page where the software can be downloaded, after which the original user thanks them.
In the screenshot shared by crep1x, the fake page imitates a post on the r/techsupport subreddit, which has more than 3 million members on the legitimate Reddit site.
The WeTransfer download links lead to a spoofed WeTransfer page where the target can download a password-protected archive file that purports to be the software mentioned in the fake Reddit conversation.
However, the archive actually contains an AutoIT dropper known as SelfAU3, which subsequently executes the Lumma infostealer, crep1x wrote.
The researcher said in a reply on X that they are unsure how the phishing links are spread, although possibilities include SEO poisoning, malvertising and posting the links on other websites.
Another researcher, nhegde610, previously discovered the campaign in late December, according to an X post, but was not able to access and install the malware payload. A screenshot posted by nhegde610 shows that the fake Reddit page originated from a Google Colab notebook, which appeared in a Google search result.
Crep1x noted that the malicious websites check that the target is using Windows and has a residential IP address before redirecting them to the fake WeTransfer site.
Spoofing and impersonating trusted websites are common tactics among cybercriminals; crep1x discovered a similar campaign in 2023 involving more than 1,300 domains that imitated the AnyDesk website and led to installation of the Vidar infostealer.
In another campaign discovered by Malwarebytes Senior Director of Threat Intelligence Jérôme Segura in 2023, a “very convincing lookalike” of the Bitwarden website at the typosquatted domain bitwariden[.]com was leveraged to spread a remote access trojan dubbed ZenRAT.
Lumma Stealer, also known as LummaC2, is a popular malware-as-a-service (MaaS) offering capable of stealing sensitive information such as credentials, cookies and cryptocurrency wallet details. According to SpyCloud’s 2024 Malware and Ransomware Defense Report, Lumma was the most common infostealer preceding ransomware attacks.