Bitcoin Forum
Author Topic: [2019-10-18] ‘Trojanized’ Tor Browser steals Bitcoin from Darknet users  (Read 267 times)
Bitcoin_Mafia_Me (OP)
Sr. Member

Activity: 560
Merit: 252

October 18, 2019, 05:09:38 PM
 #1


The malware also targeted wallets of Russian QIWI users - I wonder how much money was stolen from them
over the years...



A new report has revealed that a trojanized fake Tor Browser has been quietly spying on and stealing Bitcoin
from unwary Darknet users for years.

Aimed at Russian Darknet users, the malware is being spread through two separate websites claiming to be
distributors of the “official” Russian-language version of the popular anonymous web browser.

According to malware researchers at cybersecurity firm ESET, the trojanized Tor Browser appears to be
specifically targeting users of three of the largest Russian-speaking Darknet markets.

Once installed, the browser allows the hackers to spy on users’ web activity, scrape form data, and – as it
turns out – steal their bitcoins.

Read more: https://micky.com.au/trojanized-tor-browser-steals-bitcoin-from-darknet-users/
 

SaShiRaJaVu
Hero Member

Activity: 1694
Merit: 541

October 18, 2019, 06:10:20 PM
 #2

A new report has revealed that a trojanized fake Tor Browser has been quietly spying on and stealing Bitcoin
from unwary Darknet users for years.
If you are not careful with what you download, you will end up giving the hacker complete access.

Aimed at Russian Darknet users, the malware is being spread through two separate websites claiming to be
distributors of the “official” Russian-language version of the popular anonymous web browser.
Scammers come up with original-looking phishing sites. If you are careful, then you do not need to worry later.

Once installed, the browser allows the hackers to spy on users’ web activity, scrape form data, and – as it
turns out – steal their bitcoins.
If the software you use has a backdoor then it can monitor all your activities.
target
Legendary

Activity: 2254
Merit: 1041

October 18, 2019, 06:25:46 PM
 #3



How in the world did users get to a webpage like torproect[.]org (note the missing ‘j’)?

When I visit a webpage I often google it first; unless it outranked the original and legit ones, you'd end up at the misspelled and malicious website, but it's highly unlikely to outrank the real old ones. I can describe how stupid the person could be if he still landed on that website, so whoever got to the website and downloaded TOR must have been the most messed up of all.

hatshepsut93
Legendary

Activity: 2968
Merit: 2147

October 18, 2019, 07:53:55 PM
 #4

It's hard to believe people who have concern about anonymity/privacy to the point of considering Tor Browser would fall for such a trick.
Besides, people should be suspicious if the website only shows a Windows version.

The phishing website is still online though

If someone is using Tor, it doesn't mean that they are some l33t cypherpunks; it's likely just people who want to buy drugs online, and they use that browser because that's the only way to access .onion sites. They might even have some false sense of security, thinking that they have already achieved full anonymity and there's nothing to worry about. This is a lot like people who install fake Bitcoin wallets: the reason it happens is that most of the population doesn't know that you can and should verify developers' digital signatures, and when Windows warns them that they are about to install software from an unverified publisher, they mindlessly click OK, because they are used to pirating software or installing some junk.
Kemarit
Legendary

Activity: 3094
Merit: 1354

October 18, 2019, 11:15:53 PM
 #5

What a twist of events, criminals being played by their fellow cyber-criminals. I guess those who used that trojanized Tor browser are safe from the prying eyes of the authorities; however, another set of criminals thought about setting up this website. Very smart move, LOL.

@target - I guess it was spread through other social media sites and not just on Google. That's one way those cyber criminals trick everyone: they don't rely on outranking the real websites in Google because they would be obvious to the eye.

stomachgrowls
Hero Member

Activity: 2870
Merit: 770

October 19, 2019, 01:20:33 PM
 #6



How in the world did users get to a webpage like torproect[.]org (note the missing ‘j’)?

When I visit a webpage I often google it first; unless it outranked the original and legit ones, you'd end up at the misspelled and malicious website, but it's highly unlikely to outrank the real old ones. I can describe how stupid the person could be if he still landed on that website, so whoever got to the website and downloaded TOR must have been the most messed up of all.
Sometimes you really have to ask whether these users are actually able to read carefully, or whether they simply click links without reading or verifying the site's true link.

You can easily spot it if you know what you are doing. Torproect.org? People are just too lazy to verify anything. They only realize their mistakes once they have already lost some coins. They never learn, and I wonder how these privacy-concerned users aren't aware of such basic malware attempts.

malevolent
can into space
Legendary

Activity: 3472
Merit: 1721

October 19, 2019, 03:33:17 PM
 #7

If someone is using Tor, it doesn't mean that they are some l33t cypherpunks, it's likely just people who want to buy drugs online, and use that browser because that's the only way to access .onion sites.

True. Back when reddit still hosted various DNM subreddits, you could read people confessing what, when, and how they buy with bitcoins bought on Coinbase and sent straight to a DNM. Or thinking just adding a single hop with no mixer/coinjoin/whatever is enough.

Almost every time a DNM (or sometimes a DNM vendor) is taken down by some government's authorities, they can get many customers' personal information. Given the risks they're subjecting themselves to, a hell of a lot of people are as dumb as a sack of bricks.

Coin-1
Legendary

Activity: 2450
Merit: 2190

October 19, 2019, 04:13:11 PM
 #8

If someone is using Tor, it doesn't mean that they are some l33t cypherpunks, it's likely just people who want to buy drugs online, and use that browser because that's the only way to access .onion sites. They might even have some false sense of security, thinking that they have already achieved full anonymity and there's nothing to worry about. This is a lot like people who install fake Bitcoin wallets - the reason why it happens is because most of the population doesn't know that you can and should verify digital signatures of developers, and when Windows warns them that they are about to install a software with unverified publisher, they mindlessly click ok, because they are used to pirate software or installing some junk.

As far as I know, TOR is used not only for illegal purposes such as purchasing drugs, guns, etc. There are many interesting forums on the Darknet, so people can communicate with each other without censorship. Moreover, Satoshi Nakamoto, who created Bitcoin, has always posted messages here using the TOR network.

TorBrowser must be downloaded only from the official site. The EXE file is signed by an organization called "The Tor Project, Inc.". In this case, no one will be able to steal bitcoins through the installed "trojanized" TOR.
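One way to actually run the check described in the post above on Windows, as an added example that is not code from this thread or from the Tor Project: it requires a valid Authenticode signature and then confirms the signer is the publisher named above. The installer path and file name are assumptions; the publisher string is the one quoted in the post.

```powershell
# Added example (not from the thread or the Tor Project). Windows PowerShell only:
# Get-AuthenticodeSignature reads the embedded Authenticode signature of a PE file.
function Test-TorInstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedPublisher = 'The Tor Project, Inc.'   # publisher named in the post
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = 'file not found' }
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Anything other than Valid means unsigned (NotSigned), modified after signing
    # (HashMismatch), or signed by a certificate this machine does not trust.
    # A repacked installer cannot keep the original signature over changed bytes.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "signature status is $($sig.Status)" }
    }

    # A valid signature only proves that *someone* signed the file. The certificate
    # subject must name the expected publisher, or any other company's signature passes.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedPublisher*") {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "unexpected signer: $subject" }
    }

    [pscustomobject]@{
        Path     = $Path
        Trusted  = $true
        Reason   = "signed by $subject"
        # Compare this with the hash published on the official download page; a
        # mismatch means the file is not the release the project published.
        Sha256   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        NotAfter = $sig.SignerCertificate.NotAfter
    }
}

# Usage. The path below is an assumed, constructed location for this example.
$installer = Join-Path $env:USERPROFILE 'Downloads\torbrowser-install-win64.exe'
$result = Test-TorInstallerSignature -Path $installer
$result | Format-List
if (-not $result.Trusted) {
    Write-Warning "Do not run $installer : $($result.Reason)"
}
```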
hatshepsut93
Legendary

Activity: 2968
Merit: 2147

October 19, 2019, 04:25:31 PM
 #9

As far as I know, TOR is used not only for illegal purposes such as purchasing drugs, guns, etc. There are many interesting forums on the Darknet, so people can communicate with each other without censorship. Moreover, Satoshi Nakamoto, who created Bitcoin, has always posted messages here using the TOR network.


Yes, but that's not the point; this malware was targeting users of Darknet markets specifically:

According to malware researchers at cybersecurity firm ESET, the trojanized Tor Browser appears to be
specifically targeting users of three of the largest Russian-speaking Darknet markets.

TorBrowser must be downloaded only from the official site. The EXE file is signed by an organization called "The Tor Project, Inc.". In this case, no one will be able to steal bitcoins through the installed "trojanized" TOR.

Regular people don't know anything about digital signatures and verification of software, they just google "download X" and click the top result, or install something because they saw it on their forum or news feed. You either learn from mistakes of others or eventually repeat them yourself.
electronicash
Legendary

Activity: 3094
Merit: 1051

October 19, 2019, 05:18:07 PM
 #10


Facebook users just click the advertised links, and when prompted they just download and install without knowing it's not the file from the TOR Project but from the malicious user. Things like this only happen to users who don't check where the file is from, so they get compromised. It's a clever trick, actually, that even a tech-savvy user may fall victim to. When it says your TOR is outdated, a user may just want to update without checking.









Immakillya
Sr. Member

Activity: 560
Merit: 269

October 19, 2019, 09:39:45 PM
 #11

Not new to me.
If someone is using Tor, it doesn't mean that they are some l33t cypherpunks; it's likely just people who want to buy drugs online, and they use that browser because that's the only way to access .onion sites. They might even have some false sense of security, thinking that they have already achieved full anonymity and there's nothing to worry about. This is a lot like people who install fake Bitcoin wallets: the reason it happens is that most of the population doesn't know that you can and should verify developers' digital signatures, and when Windows warns them that they are about to install software from an unverified publisher, they mindlessly click OK, because they are used to pirating software or installing some junk.

As far as I know, TOR is used not only for illegal purposes such as purchasing drugs, guns, etc. There are many interesting forums on the Darknet, so people can communicate with each other without censorship. Moreover, Satoshi Nakamoto, who created Bitcoin, has always posted messages here using the TOR network.

TorBrowser must be downloaded only from the official site. The EXE file is signed by an organization called "The Tor Project, Inc.". In this case, no one will be able to steal bitcoins through the installed "trojanized" TOR.

We are not sure about that. TOR has been there for many years. Hackers will be able to crack the software and inject a virus. Hackers are good at it. Injecting a virus which steals Bitcoin. Even on the clearnet we often face this kind of threat. How much more on the Darkweb?
InvoKing
Legendary

Activity: 2142
Merit: 1065

October 22, 2019, 05:49:53 PM
 #12

Fake programs are always a big problem for users and fake-TOR or any other website wouldn't be immune from it.
Users especially those surfing the dark web should verify every step done twice...

mindrust
Legendary

Activity: 3262
Merit: 2438

October 22, 2019, 05:56:36 PM
 #13

If you are running that shit on the same PC where you store your bitcoins, that means you are way too careless with your funds and need to wake up asap. TOR either should be running on a separate PC or under a virtual machine. That applies to almost any other program though. You don't use the same PC for everything.

adeandro
Jr. Member

Activity: 66
Merit: 1

October 23, 2019, 09:49:57 AM
 #14

Any specific version of Tor or any?
WatchMaker
Full Member

Activity: 518
Merit: 104

October 23, 2019, 08:51:18 PM
 #15

Not new to me.
If someone is using Tor, it doesn't mean that they are some l33t cypherpunks; it's likely just people who want to buy drugs online, and they use that browser because that's the only way to access .onion sites. They might even have some false sense of security, thinking that they have already achieved full anonymity and there's nothing to worry about. This is a lot like people who install fake Bitcoin wallets: the reason it happens is that most of the population doesn't know that you can and should verify developers' digital signatures, and when Windows warns them that they are about to install software from an unverified publisher, they mindlessly click OK, because they are used to pirating software or installing some junk.

As far as I know, TOR is used not only for illegal purposes such as purchasing drugs, guns, etc. There are many interesting forums on the Darknet, so people can communicate with each other without censorship. Moreover, Satoshi Nakamoto, who created Bitcoin, has always posted messages here using the TOR network.

TorBrowser must be downloaded only from the official site. The EXE file is signed by an organization called "The Tor Project, Inc.". In this case, no one will be able to steal bitcoins through the installed "trojanized" TOR.

We are not sure about that. TOR has been there for many years. Hackers will be able to crack the software and inject a virus. Hackers are good at it. Injecting a virus which steals Bitcoin. Even on the clearnet we often face this kind of threat. How much more on the Darkweb?
People are supposed to download the TOR Browser from the Tor official website. Before using the TOR browser people should know what they are going to be dealing with, which is the darknet. The darknet is not a place where you can mess around like Facebook, Twitter, and YouTube. Now, this is a lesson for many people to learn when dealing with the darknet: you have to be extra smart and be very careful.

InvoKing
Legendary

Activity: 2142
Merit: 1065

October 24, 2019, 04:03:25 PM
 #16

Any specific version of Tor or any?

A fake Russian version of Tor browser.
I wonder why someone would download a known app from places other than the legit official one...

Kyraishi
Hero Member

Activity: 952
Merit: 513

October 24, 2019, 09:41:48 PM
 #17

Not sure why this is such a huge deal, to be honest... I might be oblivious, but I've only ever downloaded software from the official sites and never from 3rd-party resellers, especially if it's free software; why wouldn't you go to the main site? Just seems like people trying to find problems.

If you are running that shit on the same PC where you store your bitcoins, that means you are way too careless with your funds and need to wake up asap. TOR either should be running on a separate PC or under a virtual machine. That applies to almost any other program though. You don't use the same PC for everything.
It depends; if these are the same people downloading Tor off a fake reseller/file hoster, I don't think they would have the insight to set up a virtual machine and a VPN. I've always had the mindset that if you have over 500 dollars of crypto-currencies, spend 100 and get a Ledger wallet, so even if your desktop or laptop was infected with malware, it would still need second-factor authentication from the physical Ledger.

Carlton Banks
Legendary

Activity: 3430
Merit: 3074

October 29, 2019, 12:14:30 PM
 #18

If someone is using Tor, it doesn't mean that they are some l33t cypherpunks, it's likely just people who want to buy drugs online, and use that browser because that's the only way to access .onion sites.

but not always

I run my own .onion domain, you know why? Nothing nefarious, it's just easier to set up an addressable IP that way. I can login to my Raspberry Pi remotely using the .onion address, then check my lightning node, manage it, or (only in rare cases for now) use it to pay for something.

Asking your ISP to give you a static IP to use and configuring it through a router is not such a great option; if you change to a new ISP (or just move to a new place), it all has to be set up again. A .onion domain you can set up in about 5 minutes (less really), and you can take it anywhere without having to go through a whole load of bs. Bitcoin's gonna be supporting I2P and CJDNS sometime soon (and so hopefully Lightning will too). Those 2 are better tech than Tor in many ways, and you can use them just as easily to set up a reachable IP.

So using Tor can easily have nothing at all to do with anonymity (Lightning is designed to be anonymized whether you use it over Tor or not); it's simply a case of practicality for me.

hatshepsut93
Legendary

Activity: 2968
Merit: 2147

October 29, 2019, 01:37:42 PM
 #19

but not always

I too use Tor for only legal purposes - visiting clearnet sites that are blocked for my country or my ISP, or when I simply want extra privacy for my searches. I can't even remember the last time I visited a .onion domain. And I know there's a ton of other legal/moral uses, like when dissidents use it to not get caught and imprisoned.

But still, reports put illegal uses at a very high level, and even if it's not the majority of all uses, it's very likely the biggest group of uses. But regardless of it all, my original point can still be applied: usage of Tor is not a sign of a privacy expert, so it's natural that even Tor users can fall victim to fake clients.
Carlton Banks
Legendary

Activity: 3430
Merit: 3074

October 29, 2019, 02:05:25 PM
Merited by ABCbits (2)
 #20

I can't even remember the last time I visited a .onion domain.

there's a very simple reason.

I use Tor for most websites, because it adds noise to the signal, and that helps people who need Tor (including sometimes me). So if you're using Tor anyway for regular websites (loads of normal websites have a .onion version now, e.g. DuckDuckGo) that have a .onion url, guess what? The .onion site is faster to load, because the extra latency of sending it back out of Tor through an exit (and then back into Tor and only then on to your browser) is avoided, .onion traffic goes into Tor once and then straight back out to you.


I can't even remember the last time I visited a .onion domain.
But still reports put illegal uses at a very high level

I dunno, it's usually the same media sources that are full of "darkweb" ghost stories that say things like that.

Thought experiment: if Tor really works, and if newspapers aren't lying when they say they don't have intimate connections to intelligence agencies, then how could they possibly know what people are using Tor for?
