https://www.bleepingcomputer.com/news/security/hacker-trap-fake-onlyfans-tool-backstabs-cybercriminals-steals-passwords/
Hacker trap: Fake OnlyFans tool backstabs cybercriminals, steals passwords
By Bill Toulas
September 5, 2024, 05:15 AM

Hackers are targeting other hackers with a fake OnlyFans tool that claims to help steal accounts but instead infects threat actors with the Lumma information-stealing malware.

The operation, discovered by Veriti Research, is a characteristic example of the blurred line between predator and prey in the world of cybercrime, where ironic twists and backstabs are abundant.

"Checking" into a Lumma infection

OnlyFans is a popular subscription-based adult content platform where creators earn money from users (referred to as "fans") who pay for access to their content. Creators share videos, images, messages, and live streams with their subscribers, who pay a recurring fee or one-time payments for exclusive content.

Given its popularity, OnlyFans accounts are frequent targets of threat actors who attempt to hijack them to steal fan payments, extort the account owner for a ransom, or simply leak private photos.

Checker tools are designed to validate large sets of stolen login credentials (usernames and passwords), testing whether each pair matches an OnlyFans account and whether it is still valid. Without such tools, cybercriminals would have to test thousands of credential pairs by hand, an impractical and tedious process that would make the scheme nonviable.

However, these tools are commonly written by other cybercriminals, so hackers trust that they are safe to use, and in some cases that trust backfires.
Veriti discovered an OnlyFans checker that promised to verify credentials, check account balances, verify payment methods, and determine creator privileges, but instead installed the Lumma information-stealing malware.

[Image: Threat actor's checker ad on a hacker forum. Source: Veriti]

The payload, named "brtjgjsefd.exe," is fetched from a GitHub repository and executed on the victim's computer.

Lumma is an information-stealing malware-as-a-service (MaaS) that has been rented to cybercriminals since 2022 for $250-$1,000 per month and distributed through various channels, including malvertising, YouTube comments, torrents, and, more recently, GitHub comments.

It is an advanced information stealer with novel evasion mechanisms and the ability to restore expired Google session tokens. It is best known for stealing two-factor authentication codes, cryptocurrency wallets, and the passwords, cookies, and credit card data stored in a victim's browser and file system.

Lumma also doubles as a loader, capable of dropping additional payloads onto the compromised system and executing PowerShell scripts.

A broader deception operation

Veriti found that when the Lumma Stealer payload is launched, it connects to a GitHub account under the name "UserBesty," which the cybercriminal behind this campaign uses to host other malicious payloads.

[Image: Malicious GitHub repository. Source: Veriti]

Specifically, the repository contains executables posing as checkers for Disney+ and Instagram accounts and a supposed Mirai botnet builder:

* Disney+ account thieves are targeted with "DisneyChecker.exe"
* Instagram hackers are lured by "InstaCheck.exe"
* Wannabe botnet operators are lured with "ccMirai.exe"

Digging deeper into the malware's communications, Veriti's researchers found a set of ".shop" domains that acted as command and control (C2) servers, sending commands to Lumma and receiving the exfiltrated data.
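For defenders who want to turn the indicators above into a first-pass check, here is an added Python triage script. It is not Veriti's or BleepingComputer's code; it uses only the indicators the article names (the payload and decoy filenames, the "UserBesty" GitHub account, and .shop domains as C2) and runs them over constructed endpoint telemetry. The JSON event schema, the checker's filename "OnlyFansChecker.exe", the repository path under the UserBesty account, and the .shop hostnames in the sample are assumptions made for the example. The caveat a practitioner would want is built in: a .shop lookup on its own is a weak signal, so the script rates it high only when the querying process is already tied to a campaign indicator.

```python
"""Triage of endpoint telemetry against the indicators named in the article.

Indicators come from the article's reporting of Veriti's findings: the payload and
decoy filenames, the GitHub account hosting the payloads, and the use of .shop
domains as C2. The event schema and every sample event below are constructed
for illustration and are not real telemetry.
"""
import json
from dataclasses import dataclass
from urllib.parse import urlparse

# Filenames the article attributes to the campaign, case-folded for matching.
CAMPAIGN_FILENAMES = {"brtjgjsefd.exe", "disneychecker.exe", "instacheck.exe", "ccmirai.exe"}
# GitHub account the article reports as hosting the payloads.
CAMPAIGN_GITHUB_ACCOUNT = "userbesty"
# Top-level domain the article reports for the C2 servers (a weak signal on its own).
C2_TLD = "shop"
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}


@dataclass
class Finding:
    severity: str  # "high" or "low"
    reason: str
    pid: int


def basename(image: str) -> str:
    """Last path component, case-folded; accepts Windows or POSIX separators."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def github_owner(url: str):
    """Account name from a GitHub URL, or None when the host is not GitHub."""
    parsed = urlparse(url)
    if parsed.hostname not in GITHUB_HOSTS:
        return None
    parts = [p for p in parsed.path.split("/") if p]
    return parts[0].lower() if parts else None


def tld(name: str) -> str:
    """Top-level label of a DNS name, ignoring a trailing dot."""
    return name.rstrip(".").rsplit(".", 1)[-1].lower()


def triage(lines):
    """Score JSON-lines events of type process/http/dns; returns findings in event order.

    A .shop lookup is rated high only when the querying process was already tied to
    a campaign indicator (campaign filename or a fetch from the UserBesty account);
    otherwise it is a low-severity lead, since .shop hosts plenty of legitimate sites.
    """
    findings, suspect_pids = [], set()
    for line in lines:
        ev = json.loads(line)
        pid, name = ev["pid"], basename(ev["image"])
        if ev["type"] == "process" and name in CAMPAIGN_FILENAMES:
            suspect_pids.add(pid)
            findings.append(Finding("high", f"campaign filename executed: {name}", pid))
        elif ev["type"] == "http":
            owner = github_owner(ev["url"])
            if owner == CAMPAIGN_GITHUB_ACCOUNT:
                suspect_pids.add(pid)
                findings.append(Finding("high", f"download from GitHub account {owner}", pid))
            elif owner and urlparse(ev["url"]).path.lower().endswith(".exe"):
                # Legitimate software ships via GitHub releases too, so this is only a lead.
                findings.append(Finding("low", f"executable fetched from GitHub by {name}", pid))
        elif ev["type"] == "dns" and tld(ev["query"]) == C2_TLD:
            if pid in suspect_pids:
                findings.append(Finding("high", f".{C2_TLD} lookup by suspect process: {ev['query']}", pid))
            else:
                findings.append(Finding("low", f".{C2_TLD} lookup by {name}: {ev['query']}", pid))
    return findings


# Constructed sample telemetry: the checker's filename, the repository path and the
# .shop names are assumptions; only brtjgjsefd.exe and UserBesty come from the article.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "image": r"C:\Users\op\Downloads\OnlyFansChecker.exe"},
    {"type": "http", "pid": 4120, "image": r"C:\Users\op\Downloads\OnlyFansChecker.exe",
     "url": "https://github.com/UserBesty/tools/raw/main/brtjgjsefd.exe"},
    {"type": "process", "pid": 4188, "image": r"C:\Users\op\AppData\Local\Temp\brtjgjsefd.exe"},
    {"type": "dns", "pid": 4188, "image": r"C:\Users\op\AppData\Local\Temp\brtjgjsefd.exe",
     "query": "c2-placeholder.shop"},
    {"type": "dns", "pid": 900, "image": r"C:\Program Files\Browser\browser.exe",
     "query": "legit-store.shop"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity.upper():4}] pid={f.pid} {f.reason}")
```

Run on the sample, the script produces three high findings (the fetch from the UserBesty account, the execution of brtjgjsefd.exe, and that process's .shop lookup) and one low finding for the unrelated browser's .shop lookup. Swap `SAMPLE_LINES` for real JSON-lines output from your EDR or Sysmon pipeline, adjusting the three field names, to use it on live data.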
This campaign is not the first time threat actors have targeted other cybercriminals. In March 2022, hackers targeted hackers with clipboard stealers disguised as cracked RATs and malware-building tools to steal cryptocurrency. Later that year, a malware developer backdoored their own malware to steal credentials, cryptocurrency wallets, and VPN account data from other hackers.

Related Articles:
* Admins of MFA bypass service plead guilty to fraud
* Greasy Opal's CAPTCHA solver still serving cybercrime after 16 years
* Ransomware rakes in record-breaking $450 million in first half of 2024
* UK arrests suspected Scattered Spider hacker linked to MGM attack
* RansomHub extortion gang linked to now-defunct Knight ransomware

Tags: Account, Credentials Checker, Cybercrime, Hacker, OnlyFans

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Comments

DyingCrow - 7 hours ago
Thanks for sharing!
Copyright @ 2003 - 2024 Bleeping Computer® LLC - All Rights Reserved