[tor-talk] Tor Phishing in the Wild // Old Sigs
Michael Carbone
michael at accessnow.org
Tue Jun 24 21:16:10 UTC 2014
Thanks for the further details Rich.
Not sure if others have contacted them yet so Access' helpline staff
reached out to PIR's abuse team about the fake domain -- phishing &
willful distribution of malware are clear violations of PIR anti-abuse
policy. We'll update when we hear anything concrete back.
I don't know if folks will have any luck with the DNS operator & host,
but they are IT Itch (https://ititch.com). I think PIR will likely be
more responsive.
Michael
Rich Jones:
> I'm just posting this stuff here for analysis and discussion, not because I
> need the tech support. But good advice if there were those out there who
> fell for this scam.
>
> More technical details from reddit:
>
> "As we all could probably already guess, the exe on this site is
> backdoored. It makes a bunch of requests to 162.251.80.25 (
> cp-14.webhostbox.net) from port 3841 on your machine. After that, I am
> seeing messages sent to 185.15.246.132 (nordns.com). Finally, I'm also
> seeing communication to 192.240.104.151.
>
> It looks like the exe may have been packed with the legitimate version of
> the installer as well as the malware, so the enduser isn't supposed to
> suspect anything."
>
>
> Figures. Anyway, thought y'all would be interested. Maybe Tor Project folks
> could contact the registrar or DNS operator?
>
> R
>
>
> On Tue, Jun 24, 2014 at 12:28 PM, grarpamp <grarpamp at gmail.com> wrote:
>
>> On Tue, Jun 24, 2014 at 1:54 PM, Rich Jones <rich at openwatch.net> wrote:
>>> There's (what looks like) an active Tor phishing operation located at
>>> http://torbundleproject (dot) org . I believe this is related to black
>>> market scammer.
>>> diff the files 'torbrowser-install-3.6.1_en-US.exe' to see what's going
>> on
>>
>> It's called a trojan.
>>
>>> list of the old signatures on the Tor website to compare with. Can
>> anybody
>>
>> https://archive.torproject.org/
>>
>> Wipe your windows box and start over.
>>
>> http://www.dban.org/
>> http://www.andybev.com/index.php/Nwipe
>> https://www.archlinux.org/
>> https://www.freebsd.org/
>> https://www.debian.org/
--
Michael Carbone
Tech & Policy Manager
Access | https://www.accessnow.org
GPG: 0x81B7A13E
Fingerprint: 25EC 1D0F 2D44 C4F4 5BEF EF83 C471 AD94 81B7 A13E
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20140624/7313aee0/attachment.sig>
More information about the tor-talk
mailing list