
Re: [tor-talk] Tor Phishing in the Wild // Old Sigs

Thanks for the further details Rich.

Not sure if others have contacted them yet so Access' helpline staff
reached out to PIR's abuse team about the fake domain -- phishing &
willful distribution of malware are clear violations of PIR anti-abuse
policy. We'll update when we hear anything concrete back.

I don't know if folks will have any luck with the DNS operator & host,
but they are IT Itch (https://ititch.com). I think PIR will likely be
more responsive.


Rich Jones:
> I'm just posting this stuff here for analysis and discussion, not because I
> need the tech support. But good advice if there were those out there who
> fell for this scam.
> More technical details from reddit:
> "As we all could probably already guess, the exe on this site is
> backdoored. It makes a bunch of requests to (cp-14.webhostbox.net) from
> port 3841 on your machine. After that, I am seeing messages sent to
> (nordns.com). Finally, I'm also seeing communication to
> It looks like the exe may have been packed with the legitimate version of
> the installer as well as the malware, so the enduser isn't supposed to
> suspect anything."
> Figures. Anyway, thought y'all would be interested. Maybe Tor Project folks
> could contact the registrar or DNS operator?
> R
> On Tue, Jun 24, 2014 at 12:28 PM, grarpamp <grarpamp@xxxxxxxxx> wrote:
>> On Tue, Jun 24, 2014 at 1:54 PM, Rich Jones <rich@xxxxxxxxxxxxx> wrote:
>>> There's (what looks like) an active Tor phishing operation located at
>>> http://torbundleproject (dot) org . I believe this is related to black
>>> market scammer.
>>> diff the files 'torbrowser-install-3.6.1_en-US.exe' to see what's going on
>> It's called a trojan.
>>> list of the old signatures on the Tor website to compare with. Can anybody
>> https://archive.torproject.org/
>> Wipe your windows box and start over.
>> http://www.dban.org/
>> http://www.andybev.com/index.php/Nwipe
>> https://www.archlinux.org/
>> https://www.freebsd.org/
>> https://www.debian.org/

Michael Carbone
Tech & Policy Manager
Access | https://www.accessnow.org

GPG: 0x81B7A13E
Fingerprint: 25EC 1D0F 2D44 C4F4 5BEF EF83 C471 AD94 81B7 A13E
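The two actionable pieces of the thread above are checking a downloaded installer against the sums Tor publishes for each release (the "old signatures" grarpamp points at under https://archive.torproject.org/) and looking through connection logs for the hosts and port the reddit analysis attributes to the backdoored exe. The script below does both as an added example; it is not code from the thread, from Access or from the Tor Project. It assumes the sums file uses the coreutils `sha256sum` line format (`<hexdigest>  <filename>`), which is what Tor Browser's sha256sums.txt looks like, and the log line format, the installer bytes and the log lines are all constructed for the demo. It does not replace checking the signature on the sums file itself with gpg and the Tor Browser signing key, which is the step that makes the digests trustworthy.

```python
"""Triage helpers for a suspected trojaned Tor Browser installer.

Added example for the tor-talk thread; not code from the thread or the
Tor Project. All sample data below is constructed.
"""
import hashlib
import hmac
import re

# Indicators quoted in the thread. The reddit analysis reports 3841 as the
# source port on the victim machine; we match it on either side to be safe.
IOC_HOSTS = {"cp-14.webhostbox.net", "nordns.com"}
IOC_PORT = 3841

HEX64 = re.compile(r"[0-9a-fA-F]{64}")


def parse_sha256sums(text):
    """Parse 'hexdigest  filename' lines (coreutils sha256sum format; a
    leading '*' on the name means binary mode) into {filename: digest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not HEX64.fullmatch(parts[0]):
            continue
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()
    return sums


def sha256_of(data_or_path, chunk=1 << 20):
    """SHA-256 hex digest of a bytes object, or of a file read in chunks."""
    h = hashlib.sha256()
    if isinstance(data_or_path, (bytes, bytearray)):
        h.update(data_or_path)
    else:
        with open(data_or_path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
    return h.hexdigest()


def verify_installer(data_or_path, sums_text, name):
    """Return (ok, reason). ok is True only when the file's digest equals the
    published digest for `name`; an unlisted name is a failure, not a pass."""
    expected = parse_sha256sums(sums_text).get(name)
    if expected is None:
        return False, "no published digest for %s" % name
    actual = sha256_of(data_or_path)
    if hmac.compare_digest(actual, expected):
        return True, "sha256 matches published digest"
    return False, "sha256 mismatch: got %s, expected %s" % (actual, expected)


# Constructed log format (assumption): "<timestamp> <src>:<sport> -> <dst>:<dport>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)


def scan_connection_log(lines):
    """Return the log lines whose destination is an IOC host or that use the
    IOC port on either side. Unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ports = (int(m.group("sport")), int(m.group("dport")))
        if m.group("dst") in IOC_HOSTS or IOC_PORT in ports:
            hits.append(line.strip())
    return hits


# --- constructed demo data ------------------------------------------------
INSTALLER_NAME = "torbrowser-install-3.6.1_en-US.exe"
GENUINE = b"MZ" + b"\x00" * 62 + b"genuine installer payload (constructed)"
# The thread describes the trojan as the real installer bundled with malware,
# so the trojaned copy is modelled as the genuine bytes plus an appended blob.
TROJANED = GENUINE + b"\x00APPENDED MALWARE (constructed)"
SUMS_TXT = "%s  %s\n" % (sha256_of(GENUINE), INSTALLER_NAME)

DEMO_LOG = [
    "2014-06-24T19:00:01Z 10.0.0.5:51022 -> www.torproject.org:443",
    "2014-06-24T19:00:07Z 10.0.0.5:3841 -> cp-14.webhostbox.net:80",
    "2014-06-24T19:00:09Z 10.0.0.5:51031 -> nordns.com:53",
]

if __name__ == "__main__":
    print(verify_installer(GENUINE, SUMS_TXT, INSTALLER_NAME))
    print(verify_installer(TROJANED, SUMS_TXT, INSTALLER_NAME))
    for hit in scan_connection_log(DEMO_LOG):
        print("IOC hit:", hit)
```

In real use, pass the downloaded file's path and the contents of the release's sha256sums.txt to `verify_installer()`; a mismatch or an unlisted filename means the file is not the build Tor published, which is exactly the case for the bundled installer described above. A digest match on its own still depends on having fetched sha256sums.txt over HTTPS from the Tor Project and verified its detached .asc signature.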


tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to