BlockSafe News https://www.bankinfosecurity.com
Post# of 82686
(Total Views: 443)
Posted On: 10/21/2019 11:33:50 AM
BlockSafe News
Malicious Tor Browser Fleeces Darknet Users of Bitcoins
Cybercriminals Have Stolen About $40,000 So Far, Researchers Say
Cybercrime , Fraud Management & Cybercrime
A newly uncovered criminal scheme is using a trojanized version of the anonymized Tor browser to fleece darknet users of their bitcoins, according to research released Friday from security firm ESET.
Between 2017 and 2018, the unknown criminal gang advertised the webpages of this trojanized Tor browser using spam messages on various Russian-language forums. Over several months, these webpages received about 500,000 page views, with the gang able to collect about $40,000 in stolen bitcoins through the scheme, the ESET researchers say.
Using the anonymizing Tor browser is essential for those users that want to reach these various darknet and dark market websites. These sites typically only accept payment in pseudonymizing cryptocurrency such as bitcoin.
In the case that ESET researchers uncovered, the cybercriminals advertised their malicious Tor browser on various Russian-language forums as well as Pastebin. As part of the ruse, the gang advertised their offering as the "official Russian language version of the Tor Browser," according to ESET.
As part of the scam, the criminal gang used two domains, "tor-browser[.]org" and "torproect[.]org," which were similar to the official Tor project domain, the report notes. In the one case, the "j" was missing, ESET researcher found.
"For Russian-speaking victims, the missing letter might raise no suspicion due to the fact that 'torproect' looks like a transliteration from the Cyrillic," according to the research note.
Spamming Tor Users
This particular scam starts with spam messages sent to Tor browser users who are mainly Russian speaking, according to ESET. These messages contain various topics related to darknet and other underground forums, including information about cryptocurrencies, internet privacy and censorship, ESET found.
In some cases, these messages mention Roskomnadzor, a Russian government entity that is known for censorship, according to ESET.
These spam messages also contain links back to the phony webpages that resemble official Toj project, but are actually controlled by the criminal gag, ESET finds. It's there that the users are encouraged to download an updated version of Tor, which is actually the trojanized version of the application created by the gang.
Spoofed page advertising the trojanized Tor browser (Source: ESET)
The malicious browser is actually based on Tor Browser 7.5 - a version of the app released in January 2018. "Thus, non-technically-savvy people probably won't notice any difference between the original version and the trojanized one," the ESET researchers say.
Trojan Browser
The trojanized Tor browser works much like the real version of the browser. The difference, however, is that the cybercriminals changed some default browser settings and extensions, ESET researcher say.
The changes prevent the user from updating the trojanized version of Tor to the legitimate one. In addition, the malicious version has changes to the xpinstall.signatures.required setting, which then allows the gang make additional add-on.
Finally, the HTTPS Everywhere add-on has been tampered with, which then allows the trojanized browser to connect to a command-and-control server hosted on the darknet, ESET finds.
If the users attempts to make purchases on one of three Russian-language darknet forums, the command-and-control server will send out JavaScriptbased payload that alters settings on the target's digital currency wallet, and the transfers bitcoins to the attackers, ESET found.
This same transfer process also happens if the target attempts to use QIWI, a Russian money transfer service.
While ESET researchers believe that the malicious pages that host the trojanized Tor bowser have been visited about a half million times over the last several years, it's not clear if this all the activity associated with this particular criminal scheme, and the amount of cryptocurrency stolen could be much higher.
Malicious Tor Browser Fleeces Darknet Users of Bitcoins
Cybercriminals Have Stolen About $40,000 So Far, Researchers Say
Cybercrime , Fraud Management & Cybercrime
A newly uncovered criminal scheme is using a trojanized version of the anonymized Tor browser to fleece darknet users of their bitcoins, according to research released Friday from security firm ESET.
Between 2017 and 2018, the unknown criminal gang advertised the webpages of this trojanized Tor browser using spam messages on various Russian-language forums. Over several months, these webpages received about 500,000 page views, with the gang able to collect about $40,000 in stolen bitcoins through the scheme, the ESET researchers say.
Using the anonymizing Tor browser is essential for those users that want to reach these various darknet and dark market websites. These sites typically only accept payment in pseudonymizing cryptocurrency such as bitcoin.
In the case that ESET researchers uncovered, the cybercriminals advertised their malicious Tor browser on various Russian-language forums as well as Pastebin. As part of the ruse, the gang advertised their offering as the "official Russian language version of the Tor Browser," according to ESET.
As part of the scam, the criminal gang used two domains, "tor-browser[.]org" and "torproect[.]org," which were similar to the official Tor project domain, the report notes. In the one case, the "j" was missing, ESET researcher found.
"For Russian-speaking victims, the missing letter might raise no suspicion due to the fact that 'torproect' looks like a transliteration from the Cyrillic," according to the research note.
Spamming Tor Users
This particular scam starts with spam messages sent to Tor browser users who are mainly Russian speaking, according to ESET. These messages contain various topics related to darknet and other underground forums, including information about cryptocurrencies, internet privacy and censorship, ESET found.
In some cases, these messages mention Roskomnadzor, a Russian government entity that is known for censorship, according to ESET.
These spam messages also contain links back to the phony webpages that resemble official Toj project, but are actually controlled by the criminal gag, ESET finds. It's there that the users are encouraged to download an updated version of Tor, which is actually the trojanized version of the application created by the gang.
Spoofed page advertising the trojanized Tor browser (Source: ESET)
The malicious browser is actually based on Tor Browser 7.5 - a version of the app released in January 2018. "Thus, non-technically-savvy people probably won't notice any difference between the original version and the trojanized one," the ESET researchers say.
Trojan Browser
The trojanized Tor browser works much like the real version of the browser. The difference, however, is that the cybercriminals changed some default browser settings and extensions, ESET researcher say.
The changes prevent the user from updating the trojanized version of Tor to the legitimate one. In addition, the malicious version has changes to the xpinstall.signatures.required setting, which then allows the gang make additional add-on.
Finally, the HTTPS Everywhere add-on has been tampered with, which then allows the trojanized browser to connect to a command-and-control server hosted on the darknet, ESET finds.
If the users attempts to make purchases on one of three Russian-language darknet forums, the command-and-control server will send out JavaScriptbased payload that alters settings on the target's digital currency wallet, and the transfers bitcoins to the attackers, ESET found.
This same transfer process also happens if the target attempts to use QIWI, a Russian money transfer service.
While ESET researchers believe that the malicious pages that host the trojanized Tor bowser have been visited about a half million times over the last several years, it's not clear if this all the activity associated with this particular criminal scheme, and the amount of cryptocurrency stolen could be much higher.
(2)
(2)Zerify Inc (ZRFY) Stock Research Links
WORDS TO LIVE BY:
Never argue with stupid people, they will drag you down to their level and then beat you with experience.
Get .... PrivacyLok https://cyberidguard.com/
Try SafeVchat: https://cyberidguard.com/
My comments are only my opinion and are not to be used for investment advice.
Please conduct your own due diligence before choosing to buy or sell any stock.
Never argue with stupid people, they will drag you down to their level and then beat you with experience.
Get .... PrivacyLok https://cyberidguard.com/
Try SafeVchat: https://cyberidguard.com/
My comments are only my opinion and are not to be used for investment advice.
Please conduct your own due diligence before choosing to buy or sell any stock.