FBI, Microsoft, International Cops Bust Lumma Infostealer Service
International cops working with Microsoft have shut down infrastructure and seized web domains used to run a distribution service for info-stealing malware Lumma. Criminals paid $250 to $1,000 a month to get access to the infostealer.
Lumma is a popular malware variant first noticed in 2022. It’s been used by Scattered Spider, a slew of ransomware gangs, and other miscreants to swipe email and banking credentials and account info, browser data, and cryptocurrency wallets.
According to FBI Deputy Assistant Director for Cyber Operations Brett Leatherman, who called it the “most prolific information stealer for sale in online criminal markets,” Lumma has been used in at least 1.7 million instances of this kind of data theft since November 2023.
Leatherman said the FBI attributes around 10 million infections to Lumma, and added that credit card theft linked to the stealer totaled $36.5 million in 2023 alone.
Lumma is also one of the infostealers that Mandiant says the criminals used to obtain credentials that were then used to break into Snowflake customers’ cloud storage environments last year.
On May 19, the FBI seized two domains that served as login panels through which other crims accessed and deployed the infostealer. The next day, the Lumma-distribution service's administrator, believed to be located in Russia, told users that three new websites had been set up to host the user panels. On May 21, the feds seized those newly set up login pages as well.
In a related action, Microsoft earlier this month obtained a court order allowing its Digital Crimes Unit to seize and take down more than 2,300 domains tied to the Lumma malware infrastructure. Of those, about 300 were actioned with support from Europol. Microsoft also worked with Japan’s Cybercrime Control Center to help dismantle Lumma servers hosted in the region.
All of this came after Redmond identified more than 394,000 Windows computers infected with the malware between March 16 and May 16, according to Steven Masada, assistant general counsel for Microsoft’s Digital Crimes Unit.
Back in March, Microsoft sounded the alarm on a phishing campaign impersonating online travel agency Booking.com that used Lumma and other credential-stealing malware for financial fraud and theft.
“Lumma has also been used to target gaming communities and education systems and poses an ongoing risk to global security, with reports from multiple cybersecurity companies outlining its use in attacks against critical infrastructure, such as the manufacturing, telecommunications, logistics, finance, and healthcare sectors,” Masada said. ®