I never thought I would write an article about OnlyFans, the website where you can view naked celebrities. In a recent investigation, Veriti's cyber research team uncovered a deceptive operation targeting aspiring OnlyFans hackers. A user on a notorious hacking forum, Bilalkhanicom, offered a tool to "check" OnlyFans accounts. What appeared to be an opportunity for cybercriminals was a trap. The supposed hacking tool was, in fact, malware known as Lummac stealer, designed to infect the devices of those attempting to use it.
OnlyFans is an online platform that allows content creators to monetize their content by offering paid subscriptions to their followers. While it hosts various types of content, it’s primarily known for adult and sexually explicit material. Creators can share photos, videos, and live streams with paying subscribers, keeping a significant portion of the earnings. The platform gained widespread popularity during the COVID-19 pandemic and has sparked discussions about online sex work and content monetization.
This news highlights the brutality of the cybercrime underworld, where would-be predators are quickly turned into prey. Veriti's findings serve as a reminder that engaging in illegal activity often comes with significant risks, especially when dealing with tools from questionable sources.
"I think this is as simple as there is no honor among thieves," said Richard Halm, Senior Attorney at Clark Hill PLC. "On the cybersecurity side, it reinforces the need to only download or run items from trusted sources. On the hacker side, it reinforces the need for OPSEC."
Lummac stealer is sophisticated information-stealing malware that collects sensitive data, including passwords and banking details. While Bilalkhanicom initially deployed it against would-be OnlyFans hackers, it can just as easily infect unsuspecting users, which is what makes it a broad threat rather than a niche one.
The Veriti research underscores cybercrime's cyclical and often self-destructive nature. The incident is a powerful example of how the digital underworld operates and a reminder for organizations to remain vigilant in their cybersecurity defenses.
Veriti's researchers played a pivotal role in exposing the scheme. By infiltrating the hacking forum and engaging with Bilalkhanicom, they were able to obtain the supposed tool and analyze what it actually did. This investigation allowed Veriti to warn potential victims and disrupt the distribution of the Lummac stealer.
"In a twist that adds layers of intrigue to an already complex narrative, our researchers uncovered a potential geopolitical link hidden in the malware’s architecture. The folder names used in the malware’s file structure paint a picture of global influences:
- 'Hiyang' and 'Reyung' whisper of East Asian connections
- 'Zuka' echoes African influences
- 'Lir' invokes Celtic mythology
- 'Popisaya' hints at Indigenous Latin American roots
The investigation did not stop there. Veriti traced the malware's communication back to a series of recently created .shop domains, all with high detection rates. These domains, such as caffegclasiqwp/.shop and ponintnykqwm/.shop, serve as command-and-control (C2) servers, orchestrating the malware's activities across infected machines."
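The two defanged C2 domains quoted above are the kind of indicator a defender can turn into a resolver-log check. The script below is an added example and not Veriti's or Red Sky Alliance's code: it refangs the article's indicators, matches DNS queries against them (including subdomains), and additionally flags very recently registered .shop domains, since the report notes the C2 domains were newly created. The log format and the domain-registration lookup are assumptions, and all sample data is constructed.

```python
import re
from datetime import date

# C2 domains exactly as the report defangs them; refanged only for matching.
ARTICLE_C2_DOMAINS = ["caffegclasiqwp/.shop", "ponintnykqwm/.shop"]

def refang(domain):
    """Turn defanged forms such as 'a[.]b' or 'a/.b' back into 'a.b'."""
    return re.sub(r"\[\.\]|/\.", ".", domain.strip()).lower().rstrip(".")

C2_SET = {refang(d) for d in ARTICLE_C2_DOMAINS}

def matches_ioc(qname, iocs=C2_SET):
    """True if qname equals an indicator or is a subdomain of one."""
    qname = refang(qname)
    return any(qname == d or qname.endswith("." + d) for d in iocs)

def triage_dns_log(lines, registered_on, today, max_age_days=30):
    """Return (client, qname, reason) for resolver lines worth a closer look.
    lines use the constructed form '<ts> <client> query <qname>';
    registered_on maps domain -> registration date (assumed domain-age source)."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4 or fields[2] != "query":
            continue  # ignore malformed lines instead of crashing
        client, qname = fields[1], refang(fields[3])
        if matches_ioc(qname):
            findings.append((client, qname, "known Lummac C2 domain from report"))
        elif qname.endswith(".shop") and qname in registered_on:
            age = (today - registered_on[qname]).days
            if 0 <= age <= max_age_days:
                findings.append((client, qname, f"newly registered .shop ({age} days old)"))
    return findings

# Constructed sample log and registration dates, not real telemetry.
SAMPLE_LOG = [
    "2024-09-01T10:00:00Z 10.0.0.5 query caffegclasiqwp.shop",
    "2024-09-01T10:00:01Z 10.0.0.5 query www.example.com",
    "2024-09-01T10:00:02Z 10.0.0.7 query freshlyregistered.shop",
    "2024-09-01T10:00:03Z 10.0.0.9 query oldstore.shop",
    "malformed line",
]
SAMPLE_REGISTRATIONS = {"freshlyregistered.shop": date(2024, 8, 25),
                        "oldstore.shop": date(2019, 3, 1)}

def run_sample():
    """Run the triage over the constructed data; returns two findings."""
    return triage_dns_log(SAMPLE_LOG, SAMPLE_REGISTRATIONS, date(2024, 9, 1))
```

The domain-age heuristic will produce false positives on legitimate new shops, so treat it as a triage signal to review alongside the exact indicator matches, not as a block rule.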
The incident reminds us that even those who seek to exploit others can fall victim to cybercrime. It highlights the importance of exercising caution when downloading tools from untrusted sources, no matter how tempting they may seem. "That serves them right; you live by the sword, you die by the sword!" said Shawn Tuma, Co-Chair of the Data Privacy & Cybersecurity Practice at Spencer Fane LLP, of the aspiring hackers.
To protect against similar threats, Veriti recommends:
- Only download software from trusted sources;
- Be wary of unsolicited offers or promises of easy profits;
- Keep your security software up-to-date;
- Be cautious about clicking on links or opening attachments from unknown senders;
- Stay off porn sites.
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefing
https://register.gotowebinar.com/register/5378972949933166424