[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] Tor Phishing in the Wild // Old Sigs
I'm just posting this stuff here for analysis and discussion, not because I
need the tech support. But good advice if there were those out there who
fell for this scam.
More technical details from reddit:
"As we all could probably already guess, the exe on this site is
backdoored. It makes a bunch of requests to 184.108.40.206 (
cp-14.webhostbox.net) from port 3841 on your machine. After that, I am
seeing messages sent to 220.127.116.11 (nordns.com). Finally, I'm also
seeing communication to 18.104.22.168.
It looks like the exe may have been packed with the legitimate version of
the installer as well as the malware, so the enduser isn't supposed to
Figures. Anyway, thought y'all would be interested. Maybe Tor Project folks
could contact the registrar or DNS operator?
On Tue, Jun 24, 2014 at 12:28 PM, grarpamp <grarpamp@xxxxxxxxx> wrote:
> On Tue, Jun 24, 2014 at 1:54 PM, Rich Jones <rich@xxxxxxxxxxxxx> wrote:
> > There's (what looks like) an active Tor phishing operation located at
> > http://torbundleproject (dot) org . I believe this is related to black
> > market scammer.
> > diff the files 'torbrowser-install-3.6.1_en-US.exe' to see what's going
> It's called a trojan.
> > list of the old signatures on the Tor website to compare with. Can
> Wipe your windows box and start over.
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to