Redditors might want to pay extra close attention when visiting their favorite website: There is a malicious Reddit copycat that looks precisely like the real thing – but has been designed to quietly steal your username and password.
What makes the fake Reddit especially intriguing is that it seems to produce an almost identical live replica of the actual site. Here are two screenshots to compare; the former shows the real thing, and the latter – the knock-off:
As you will notice, the fake instance of “the front page of the internet” uses the Colombian top-level domain .co instead of the official .com version. In addition to this, the fake version skips the cookie warning that is shown at the bottom of Reddit when users visit the legitimate page.
While the copycat appears to pull the top threads from the original page accurately (and with the correct number of upvotes), it seems the fake instance has been set to automatically generate some other details, including the author of the post and the subreddit where it was published.
From the looks of it, the phony Reddit was designed to harvest the credentials of unsuspecting visitors who fail to realize they ended up on the wrong page.
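The tell described above is that the clone reuses the brand name under a different top-level domain. A proxy or DNS log is the natural place to catch that pattern before a user types a password. The following is an added example, not code from the article or from Reddit: it splits each visited hostname into its registrable label and public suffix, flags hosts that carry a protected brand label under an unexpected suffix (reddit.co), and also flags the broader trick of hiding the brand in a subdomain (reddit.com.something.co), which goes beyond the single case on the page. The brand list, the two-label suffix set and the log lines are constructed assumptions; a real deployment would load the Public Suffix List instead of the hard-coded set.

```python
"""Flag lookalike hostnames that reuse a protected brand's label under a
different top-level domain, or bury it in a subdomain.

Added example, not part of the original article. The brand list, the
suffix set and the sample log lines are constructed assumptions."""
from urllib.parse import urlsplit

# Constructed: brands we expect users to visit, with their legitimate TLDs.
PROTECTED_BRANDS = {
    "reddit": {"com"},
}

# Constructed: a few multi-label public suffixes so names like reddit.co.uk
# split into ("reddit", "co.uk"). A real deployment would load the full
# Public Suffix List instead of this hard-coded set.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_parts(hostname):
    """Split a hostname into (registrable_label, public_suffix, other_labels).

    other_labels are the subdomain labels left of the registrable label.
    Returns (None, None, []) for hostnames with fewer than two labels."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None, None, []
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:]), labels[:-3]
    return labels[-2], labels[-1], labels[:-2]


def classify_host(hostname):
    """Return one of 'legitimate', 'lookalike-tld', 'brand-in-subdomain'
    or 'unrelated' for a single hostname."""
    label, suffix, others = registrable_parts(hostname)
    if label is None:
        return "unrelated"
    if label in PROTECTED_BRANDS:
        # Same brand label: only the suffix decides whether it is the real site.
        if suffix in PROTECTED_BRANDS[label]:
            return "legitimate"
        return "lookalike-tld"
    # Registrable name is not a brand, but a brand label appears to its left
    # (e.g. reddit.com.login-check.co): the owner of the registrable name
    # controls the page, not the brand.
    if any(other in PROTECTED_BRANDS for other in others):
        return "brand-in-subdomain"
    return "unrelated"


def scan_proxy_log(lines):
    """Return (user, hostname, verdict) for each line in a constructed
    'timestamp user url' proxy log whose host is a lookalike of a brand."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        user, url = parts[1], parts[2]
        host = urlsplit(url).hostname
        if not host:
            continue
        verdict = classify_host(host)
        if verdict in ("lookalike-tld", "brand-in-subdomain"):
            hits.append((user, host, verdict))
    return hits


# Constructed sample log: one legitimate visit, one wrong-TLD clone, one
# unrelated site and one brand-in-subdomain host.
SAMPLE_LOG = [
    "2018-02-05T10:00:01Z alice https://www.reddit.com/r/netsec/",
    "2018-02-05T10:00:07Z bob https://reddit.co/",
    "2018-02-05T10:00:09Z carol https://example.com/login",
    "2018-02-05T10:00:12Z dave https://reddit.com.login-check.co/session",
]

if __name__ == "__main__":
    for user, host, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{user}\t{host}\t{verdict}")
```

Run against the constructed log, only bob (reddit.co, lookalike-tld) and dave (reddit.com.login-check.co, brand-in-subdomain) are reported; alice's www.reddit.com visit is recognised as legitimate because the registrable label and suffix both match the allowlist. The check is deliberately exact-match on the brand label; typosquats such as swapped letters need a separate edit-distance comparison.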
According to network security expert Alec Muffett, who was among the first to spot this irregularity, the domain was registered by an individual based in London. However, the IP address associated with the malicious page suggests the attacker is based in Ukraine. It is worth noting that both the registration details and the IP location should be taken with a grain of salt, as either can easily be faked.
HEADSUP: Looking for infosec people at @Reddit. Website at (phishing?) domain reddit(.)co — using the Colombian TLD — was acting a pitch-perfect apparent MITM of the actual Reddit. Now returning 500 before I could screenshot it. Domain ownership is as follows: pic.twitter.com/hpucMroumd
— Alec Muffett (@AlecMuffett) February 5, 2018
What makes this case particularly unusual is that it seems the malicious knock-off has managed to trick the responsible certificate authorities into issuing a legitimate certificate for the domain.
For the record, the certificate for the fraudulent Reddit[.]co domain was issued by certificate titan Comodo, which has struggled with hacked certificates in the past. It remains unclear how the company missed this one, though.
“How on earth the .co registry permitted [the malicious Reddit[.]co copycat] to be registered is beyond me,” Muffett commented on Twitter.
We have contacted Reddit and Comodo and will update this piece accordingly if we hear back.
In the meantime, watch out which Reddit you end up browsing – you don’t wanna fall for the fake one.