A trojanized version of the Tor Browser has been identified stealing bitcoins from darknet market buyers.
ESET researchers discovered that the trojanized Tor Browser is distributed through two websites that claim to offer the official Russian-language version of the Tor Browser.
The websites display a message claiming that the user has an outdated Tor Browser, even if the user has the most up-to-date version. When the user clicks the “Update Tor Browser” button, they are redirected to a second website.
The two domains, tor-browser[.]org and torproect[.]org, were created back in 2014 and are promoted on various Russian forums using spam messages. The messages discuss various topics including cryptocurrencies, internet privacy, censorship bypass and darknet markets.
In March and April 2018, the cyber-criminals behind the sites even started to use Pastebin to promote both their fake domains.
“The idea behind this is that a potential victim would perform an online search for specific keywords and at some point visit a generated paste. Each such paste has a header that promotes the fake website,” said ESET senior malware researcher Anton Cherepanov.
The cyber-criminals even claimed that the Tor Browser had anti-captcha capabilities, which of course is false. Researchers also found that the criminals had modified the HTTPS Everywhere add-on.
“Once a victim visits their profile page in order to add funds to the account directly using bitcoin payment, the Trojanized Tor Browser automatically swaps the original address to the address controlled by criminals.”
ESET has discovered at least 500,000 downloads of the trojanized Tor Browser and three bitcoin wallets holding around 4.8 bitcoins, equating to over $40,000. However, it should be noted that the true amount of stolen money is higher, as the trojanized Tor Browser also alters QIWI wallets.
“This trojanized Tor Browser is a non-typical form of malware, designed to steal digital currency from visitors to darknet markets. Criminals didn’t modify binary components of the Tor Browser; instead, they introduced changes to settings and the HTTPS Everywhere extension. This has allowed them to steal digital money, unnoticed, for years,” said Cherepanov.
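The point Cherepanov makes above is the defender's lesson: because the binaries were untouched and only the bundled HTTPS Everywhere extension and settings were altered, a signature check on the main executable would pass while the tampering sat unnoticed. The following is an added example, not ESET's tooling and not code from the original article, showing the kind of file-level integrity check that does catch such changes: hash every file in an unpacked add-on or profile directory, keep that as a known-good manifest, and diff the installed copy against it. The directory layout, file names and contents used in the demo are constructed for illustration.

```python
"""Integrity check for an unpacked browser add-on or profile directory.

Added example (not ESET's tooling and not part of the original article):
the trojanized build left the Tor Browser binaries alone and changed only
settings and the HTTPS Everywhere extension, so a defender who keeps a
known-good hash manifest of those files can detect the tampering by
re-hashing the installed copy and diffing. Paths, file names and contents
below are constructed for the demonstration.
"""
import hashlib
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: str) -> dict:
    """Map every file under root (relative, '/'-separated path) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result


def compare_manifests(expected: dict, actual: dict) -> dict:
    """Diff a known-good manifest against the hashes of the installed copy.

    Returns the three classes of change a tampered add-on would show:
    files that were added, files whose content changed (e.g. a patched
    extension script or prefs file), and files that went missing.
    """
    return {
        "added": sorted(set(actual) - set(expected)),
        "removed": sorted(set(expected) - set(actual)),
        "modified": sorted(
            p for p in expected if p in actual and expected[p] != actual[p]
        ),
    }


def is_clean(report: dict) -> bool:
    """True when the installed copy matches the known-good manifest exactly."""
    return not (report["added"] or report["removed"] or report["modified"])


def demo() -> dict:
    """Build a constructed 'known-good' add-on tree, snapshot it, then apply
    the kind of change the article describes (an edited shipped script plus
    a file that was never part of the build) and return the diff report."""
    with tempfile.TemporaryDirectory() as root:
        ext = os.path.join(root, "https-everywhere")  # constructed layout
        os.makedirs(ext)
        with open(os.path.join(ext, "manifest.json"), "w") as f:
            f.write('{"name": "HTTPS Everywhere"}\n')  # constructed stand-in
        with open(os.path.join(ext, "background.js"), "w") as f:
            f.write("// original background script (constructed)\n")
        known_good = hash_tree(ext)  # manifest taken from a trusted install

        # Simulated tampering: modify one shipped file and drop in a new one.
        with open(os.path.join(ext, "background.js"), "a") as f:
            f.write("// lines not present in the trusted build (constructed)\n")
        with open(os.path.join(ext, "injected.js"), "w") as f:
            f.write("// file absent from the trusted build (constructed)\n")

        return compare_manifests(known_good, hash_tree(ext))


if __name__ == "__main__":
    report = demo()
    print("clean" if is_clean(report) else f"tampered: {report}")
```

In practice the known-good manifest would be generated once from a build verified against the Tor Project's own signatures and stored outside the browser profile, so that the comparison is not defeated by the same write access that altered the extension.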
The post #Privacy: Trojanized Tor Browser allows attackers to steal from users’ e-wallets appeared first on PrivSec Report.