Thanks for the further details Rich. Not sure if others have contacted them yet so Access' helpline staff reached out to PIR's abuse team about the fake domain -- phishing & willful distribution of malware are clear violations of PIR anti-abuse policy. We'll update when we hear anything concrete back.

I don't know if folks will have any luck with the DNS operator & host, but they are IT Itch (https://ititch.com). I think PIR will likely be more responsive.

Michael

Rich Jones:
> I'm just posting this stuff here for analysis and discussion, not because I
> need the tech support. But good advice if there were those out there who
> fell for this scam.
>
> More technical details from reddit:
>
> "As we all could probably already guess, the exe on this site is
> backdoored. It makes a bunch of requests to 162.251.80.25 (
> cp-14.webhostbox.net) from port 3841 on your machine. After that, I am
> seeing messages sent to 185.15.246.132 (nordns.com). Finally, I'm also
> seeing communication to 192.240.104.151.
>
> It looks like the exe may have been packed with the legitimate version of
> the installer as well as the malware, so the end user isn't supposed to
> suspect anything."
>
> Figures. Anyway, thought y'all would be interested. Maybe Tor Project folks
> could contact the registrar or DNS operator?
>
> R
>
> On Tue, Jun 24, 2014 at 12:28 PM, grarpamp <grarpamp@xxxxxxxxx> wrote:
>
>> On Tue, Jun 24, 2014 at 1:54 PM, Rich Jones <rich@xxxxxxxxxxxxx> wrote:
>>> There's (what looks like) an active Tor phishing operation located at
>>> http://torbundleproject (dot) org . I believe this is related to black
>>> market scammer.
>>> diff the files 'torbrowser-install-3.6.1_en-US.exe' to see what's going
>>> on
>>
>> It's called a trojan.
>>
>>> list of the old signatures on the Tor website to compare with. Can
>>> anybody
>>
>> https://archive.torproject.org/
>>
>> Wipe your windows box and start over.
>>
>> http://www.dban.org/
>> http://www.andybev.com/index.php/Nwipe
>> https://www.archlinux.org/
>> https://www.freebsd.org/
>> https://www.debian.org/

-- 
Michael Carbone
Tech & Policy Manager
Access | https://www.accessnow.org
GPG: 0x81B7A13E
Fingerprint: 25EC 1D0F 2D44 C4F4 5BEF EF83 C471 AD94 81B7 A13E
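For anyone checking whether a machine that ran the fake installer reached the hosts named in the reddit analysis quoted above, here is a small added example (not from the thread or from Access) that scans outbound-connection log lines for those indicators. The log line format ("timestamp src:port -> dst:port") and the sample lines are constructed for the example; adapt the regex to whatever your firewall or proxy actually emits.

```python
"""Flag outbound connections to the indicators quoted in the thread.

Added example; the log format below is constructed for illustration,
not any real product's format.
"""
import re
from collections import defaultdict

# Indicators quoted from the reddit analysis (IPs and the hostnames
# they were observed as).
INDICATOR_IPS = {"162.251.80.25", "185.15.246.132", "192.240.104.151"}
INDICATOR_HOSTS = {"cp-14.webhostbox.net", "nordns.com"}

# Constructed line shape: "<ts> <src_ip>:<src_port> -> <dst>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Return a dict of fields, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_hits(lines):
    """Map each internal source IP to its (dst, dst_port, ts) hits."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash mid-scan
        dst = rec["dst"].lower().rstrip(".")  # normalise trailing-dot FQDNs
        if dst in INDICATOR_IPS or dst in INDICATOR_HOSTS:
            hits[rec["src"]].append((dst, int(rec["dport"]), rec["ts"]))
    return dict(hits)

# Constructed sample log for offline testing; 10.0.0.12 is the "infected" host.
SAMPLE_LOG = [
    "2014-06-24T18:02:11Z 10.0.0.12:3841 -> 162.251.80.25:80",
    "2014-06-24T18:02:15Z 10.0.0.12:49201 -> 185.15.246.132:443",
    "2014-06-24T18:03:00Z 10.0.0.7:49310 -> www.torproject.org:443",
    "2014-06-24T18:03:02Z 10.0.0.12:49222 -> nordns.com:53",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for src, conns in find_hits(SAMPLE_LOG).items():
        print(src, "contacted:", conns)
```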
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk