Your Sensitive Data is Being Stolen By LofyGang!

Discord News Oct 13, 2022

A report published by Checkmarx found over 200 malicious Node Package Managers (NPMs) with hundreds of installations being linked to a cyberattack group know as 'LofyGang'.

LofyGang is a group of cyber-criminals who created a credential theft outfit by distributing there malicious packages and fake hacking tools on code hosting platforms such as GitHub.

Many people believe that LofyGang are based in Brazil, as many pieces of evidence surrounding the case contains sentences written in the Brazilian Portugese language. Furthermore, users found a file in their malicious packages that contained malware, and was named brazil.js - is this just a coincidence, or do the group have more sinister motives?

Thumbnail by Messyhunk

What are LofyGang up to?

The group is really good at misleading users into installing these malicious packages. Unfortunately, those who installed such NPM packages were subjected to the theft of their account credentials including credit card information.

An example of their page, where they distribute their stolen accounts.

Checkmarx deduced that this attack group has been operating for over a year with multiple hacking objectives:

  • Credit card information
  • Discord “Nitro” (premium) upgrades
  • Streaming services accounts (e.g. Disney+), Minecraft accounts, and more
A new report from Checkmarx attempts to map LofyGang's operations and provide a clear and comprehensive view of the threat actors' targeting, scale, and actual impact.

The End?

Several numbers of these packages have been successfully removed now. But this is not the end. There are still some malicious files that still available to download.
There's now a dedicated project to search for and track malicious LofyGang packages on GitHub.

How Do They Promote Malware?

LofyGang manages to promote its malicious products on miscellaneous platforms such as YouTube, where the group uploads tutorials for these tools.

LofyGang's YouTube channel | (Checkmarx)

In October 2021, LofyGang started operating its own Discord server. From this server, users can receive "support" from the scammers themselves who do nothing but show users how to use the malicious tools that grant the scammers full access to their accounts.
Also, this server features a Discord bot called "Lofy Boost," which can grant users a "free" subscription to Discord Nitro, paid for with the credit card information from previous fallen victims of this scam.

To gain access to this "free" Nitro subscription, you are required to hand over the credentials to your account - see a problem here? Furthermore, the bot will steal your user token, which can grant the scammers access to your account, leaving you in a bit of a pickle.

LofyGang's Discord Server | Source: Checkmarx

LofyGang is not only providing malicious NPM packages but there are also share-out malicious hacking tools, on GitHub. As regular NPM packages, these hacking tools are all Discord-related.

In most circumstances, malicious files aren't contained in the main package. It's fetched as a dependency, so the operators of their hacking tools/NPM files are less likely to realise they got scammed. The hosting platforms as also very unlikely to remove these files from their sites.

Furthermore, these cybercriminals use 50+ accounts to upload NPM packages, fragmenting their malicious process as much as possible to evade large-scale takedowns.

We at Netcord would like to reiterate: if a link looks suspicious, or a deal seems too good to be true, it probably is. Don't click it, block the scammers and report them to Discord.
If you have fallen for a scam before, change your password to force a reset of your user token, and consider enabling 2 Factor Authentication (2FA) 

For further reading on how to stay safe on Discord, check out one of our past articles by Messyhunk.

Best Practices to Stay Safe on Discord
Technical Privacy and Security in Discord are simple, all you do is stay aware and know the ongoing scams.

That's all for today, hope you enjoyed today's article. Make sure to join our official Discord server to discuss further on this topic or suggest new articles!

Like what you're reading?

We do this every day. Unlock exclusive benefits, 4K wallpapers, and more. Become a member for the price of a coffee.

What are your thoughts on this latest scam?

Join the Netcord HQ Discord server today, where you can freely share your opinions on this topic with like-minded people!




Along with EpicOverlord

🌱 Howdy - I'm Divmith. I run the community @unity4creators and write articles for the websites @netcordHQ and @WhopIO.