
Re: [tor-talk] Tor Phishing in the Wild // Old Sigs



I'm just posting this stuff here for analysis and discussion, not because I
need the tech support. But good advice if there were those out there who
fell for this scam.

More technical details from reddit:

"As we all could probably already guess, the exe on this site is
backdoored. It makes a bunch of requests to 162.251.80.25 (
cp-14.webhostbox.net) from port 3841 on your machine. After that, I am
seeing messages sent to 185.15.246.132 (nordns.com). Finally, I'm also
seeing communication to 192.240.104.151.

It looks like the exe may have been packed with the legitimate version of
the installer as well as the malware, so the end user isn't supposed to
suspect anything."


Figures. Anyway, thought y'all would be interested. Maybe Tor Project folks
could contact the registrar or DNS operator?

R
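Added example for this thread (not code from any of the posters or from the Tor Project): the two checks a defender would actually run after reading the above. The first compares a downloaded installer against a sha256sums-style digest list (the '<hex>  <filename>' line format is assumed here); a build repacked with a dropper, as the reddit comment describes, cannot match the digest of the genuine installer even though it still runs the real one. The second scans connection-log lines for the indicators quoted in the post (the three destination addresses and local source port 3841). The log format, the installer bytes and the digest list in the block are constructed for the example.

```python
"""Added example, not code from the tor-talk posters or the Tor Project.
Two checks a defender would run after reading the post above:
  * verify_installer(): compare a downloaded installer's SHA-256 with a
    sha256sums-style list ('<hex>  <filename>' per line, the format assumed
    here). A build repacked with a dropper, as the reddit comment describes,
    cannot match the digest of the genuine installer.
  * find_c2_hits(): scan connection-log lines for the indicators quoted in the
    post (three destination addresses, local source port 3841).
The log format, installer bytes and digest list below are constructed.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Indicators quoted from the reddit comment in the post. The hostnames are the
# commenter's reverse lookups and are carried here only as labels.
C2_INDICATORS: Dict[str, str] = {
    "162.251.80.25": "cp-14.webhostbox.net",
    "185.15.246.132": "nordns.com",
    "192.240.104.151": "(no hostname reported)",
}
# A fixed local source port is a weak indicator on its own (ephemeral ports
# collide), so it is reported as a reason, never as a verdict by itself.
SUSPECT_SRC_PORT = 3841


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse '<hex>  <filename>' lines; malformed lines are dropped, not trusted."""
    digests: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not re.fullmatch(r"[0-9a-fA-F]{64}", parts[0]):
            continue
        digest, name = parts
        digests[name.lstrip("*")] = digest.lower()  # leading '*' = binary mode
    return digests


def verify_installer(installer: bytes, sha256sums: str, filename: str) -> Tuple[bool, str]:
    """Return (ok, reason). A filename missing from the list is a failure, not a pass."""
    expected = parse_sha256sums(sha256sums).get(filename)
    if expected is None:
        return False, f"{filename} is not listed in the digest file"
    actual = hashlib.sha256(installer).hexdigest()
    if hmac.compare_digest(actual, expected):
        return True, "digest matches the published value"
    return False, f"digest mismatch: got {actual[:16]}..., expected {expected[:16]}..."


# Connection tuple as it appears in the constructed log lines below.
CONN_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)


def find_c2_hits(log_lines: List[str]) -> List[dict]:
    """One record per line that reaches a listed C2 address or leaves from port 3841."""
    hits = []
    for line in log_lines:
        m = CONN_RE.search(line)
        if not m:
            continue  # lines without a connection tuple are ignored
        dst, sport = m.group("dst"), int(m.group("sport"))
        reasons = []
        if dst in C2_INDICATORS:
            reasons.append(f"dst {dst} ({C2_INDICATORS[dst]})")
        if sport == SUSPECT_SRC_PORT:
            reasons.append(f"src port {SUSPECT_SRC_PORT}")
        if reasons:
            hits.append({"line": line, "dst": dst, "sport": sport, "reasons": reasons})
    return hits


# --- constructed sample data (not real Tor Project files or real logs) -------
FAKE_GOOD_INSTALLER = b"MZ\x90\x00" + b"stand-in for the genuine installer bytes"
FAKE_TROJAN = FAKE_GOOD_INSTALLER + b"\x00" * 16 + b"appended dropper stub"
INSTALLER_NAME = "torbrowser-install-3.6.1_en-US.exe"
SAMPLE_SHA256SUMS = (
    "# constructed digest list for this example\n"
    f"{hashlib.sha256(FAKE_GOOD_INSTALLER).hexdigest()}  {INSTALLER_NAME}\n"
)
SAMPLE_LOG = [
    "2014-06-24 12:30:01 TCP 10.0.0.5:3841 -> 162.251.80.25:80 ESTABLISHED",
    "2014-06-24 12:30:02 TCP 10.0.0.5:49152 -> 203.0.113.10:443 ESTABLISHED",
    "2014-06-24 12:30:05 TCP 10.0.0.5:49153 -> 185.15.246.132:53 SYN_SENT",
    "2014-06-24 12:30:09 UDP 10.0.0.5:49154 -> 192.240.104.151:443",
    "a line with no connection tuple at all",
]

if __name__ == "__main__":
    for blob, label in ((FAKE_GOOD_INSTALLER, "genuine"), (FAKE_TROJAN, "repacked")):
        print(label, verify_installer(blob, SAMPLE_SHA256SUMS, INSTALLER_NAME))
    for hit in find_c2_hits(SAMPLE_LOG):
        print("C2 indicator:", "; ".join(hit["reasons"]), "<-", hit["line"])
```

The digest list is only as trustworthy as where it came from: a phishing site will happily publish digests of its own trojan, so the list has to be fetched from the real project and its detached signature checked (for Tor Browser, the .asc next to the download) before the comparison means anything. That is also why the reply below points at the Tor archive for the older releases.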


On Tue, Jun 24, 2014 at 12:28 PM, grarpamp <grarpamp@xxxxxxxxx> wrote:

> On Tue, Jun 24, 2014 at 1:54 PM, Rich Jones <rich@xxxxxxxxxxxxx> wrote:
> > There's (what looks like) an active Tor phishing operation located at
> > http://torbundleproject (dot) org . I believe this is related to black
> > market scammer.
> > diff the files 'torbrowser-install-3.6.1_en-US.exe' to see what's going on
>
> It's called a trojan.
>
> > list of the old signatures on the Tor website to compare with. Can anybody
>
> https://archive.torproject.org/
>
> Wipe your windows box and start over.
>
> http://www.dban.org/
> http://www.andybev.com/index.php/Nwipe
> https://www.archlinux.org/
> https://www.freebsd.org/
> https://www.debian.org/
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk