[tor-talk] Tor Phishing in the Wild // Old Sigs

Rich Jones rich at openwatch.net
Tue Jun 24 20:25:42 UTC 2014


I'm just posting this stuff here for analysis and discussion, not because I
need the tech support. But good advice if there were those out there who
fell for this scam.

More technical details from reddit:

"As we all could probably already guess, the exe on this site is
backdoored. It makes a bunch of requests to 162.251.80.25 (
cp-14.webhostbox.net) from port 3841 on your machine. After that, I am
seeing messages sent to 185.15.246.132 (nordns.com). Finally, I'm also
seeing communication to 192.240.104.151.

It looks like the exe may have been packed with the legitimate version of
the installer as well as the malware, so the enduser isn't supposed to
suspect anything."


Figures. Anyway, thought y'all would be interested. Maybe Tor Project folks
could contact the registrar or DNS operator?

R


On Tue, Jun 24, 2014 at 12:28 PM, grarpamp <grarpamp at gmail.com> wrote:

> On Tue, Jun 24, 2014 at 1:54 PM, Rich Jones <rich at openwatch.net> wrote:
> > There's (what looks like) an active Tor phishing operation located at
> > http://torbundleproject (dot) org . I believe this is related to black
> > market scammer.
> > diff the files 'torbrowser-install-3.6.1_en-US.exe' to see what's going
> on
>
> It's called a trojan.
>
> > list of the old signatures on the Tor website to compare with. Can
> anybody
>
> https://archive.torproject.org/
>
> Wipe your windows box and start over.
>
> http://www.dban.org/
> http://www.andybev.com/index.php/Nwipe
> https://www.archlinux.org/
> https://www.freebsd.org/
> https://www.debian.org/
> --
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
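Two defensive checks follow from the thread: verify a downloaded installer against the digests Tor Project publishes before running it, and hunt your own egress or DNS logs for the indicators quoted from the reddit analysis. The block below is an added example, not code from the thread or from Tor Project. It assumes the digest list uses the common `sha256sums.txt` layout (`<hex digest>  <filename>`, one per line); the file contents, paths and log lines are constructed stand-ins, while the three IPs and two hostnames are exactly those quoted in the post.

```python
import hashlib
import os
import tempfile

# Indicators quoted from the reddit analysis in the thread (not invented here).
IOC_IPS = {"162.251.80.25", "185.15.246.132", "192.240.104.151"}
IOC_HOSTS = {"cp-14.webhostbox.net", "nordns.com"}


def parse_sha256sums(text):
    """Parse a sha256sums.txt-style listing: '<64 hex chars>  <filename>' per line.
    Malformed lines are skipped; a leading '*' (binary-mode marker) is dropped."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()
    return sums


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_installer(path, sums):
    """'ok' if the file's digest matches the published one, 'mismatch' if it
    differs (a repacked installer lands here), 'unknown' if the filename is
    not in the list at all, which should be treated as a failure too."""
    expected = sums.get(os.path.basename(path))
    if expected is None:
        return "unknown"
    return "ok" if sha256_file(path) == expected else "mismatch"


def find_ioc_hits(log_lines):
    """Return (line_number, indicator) for each log line that names one of the
    IoCs, tolerating 'host:port' tokens and punctuation around them."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        for tok in line.replace(",", " ").split():
            tok = tok.strip("()[]")
            host = tok.rsplit(":", 1)[0] if tok.count(":") == 1 else tok
            if host in IOC_IPS or host in IOC_HOSTS:
                hits.append((no, host))
                break
    return hits


def demo():
    """Constructed end-to-end run: a genuine file, a tampered copy with data
    appended, an unlisted file, and a short constructed egress log excerpt."""
    good = b"constructed stand-in for torbrowser-install-3.6.1_en-US.exe"
    bad = good + b"\x00constructed appended payload"
    log = [  # constructed log lines in an arbitrary proxy/DNS format
        "2014-06-24T20:01:02Z ws-17 CONNECT 162.251.80.25:80 from 10.0.0.12:3841",
        "2014-06-24T20:01:09Z ws-17 DNS A? nordns.com -> 185.15.246.132",
        "2014-06-24T20:01:10Z ws-17 CONNECT 198.51.100.7:443 from 10.0.0.12:49153",
        "2014-06-24T20:01:15Z ws-17 CONNECT 192.240.104.151:8080 from 10.0.0.12:3842",
    ]
    with tempfile.TemporaryDirectory() as d:
        good_path = os.path.join(d, "torbrowser-install-3.6.1_en-US.exe")
        bad_path = os.path.join(d, "tampered", "torbrowser-install-3.6.1_en-US.exe")
        os.makedirs(os.path.dirname(bad_path))
        with open(good_path, "wb") as f:
            f.write(good)
        with open(bad_path, "wb") as f:
            f.write(bad)
        # Constructed digest list that vouches only for the genuine build.
        sums = parse_sha256sums(
            f"{hashlib.sha256(good).hexdigest()}  torbrowser-install-3.6.1_en-US.exe\n"
            f"{'0' * 64}  torbrowser-install-3.6.1_de.exe\n"
        )
        return {
            "legit": verify_installer(good_path, sums),
            "trojan": verify_installer(bad_path, sums),
            "unlisted": verify_installer(os.path.join(d, "other.exe"), sums),
            "hits": find_ioc_hits(log),
        }


if __name__ == "__main__":
    print(demo())
```

A digest check is only as trustworthy as the channel the digest list came from: a phishing site can publish its own sums for its own trojaned file. The old signatures the reply points to at archive.torproject.org are what anchor the comparison; fetch the list and its detached signature from the project's own infrastructure, verify the signature, and only then compare digests.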

