The digital security firm ESET has reported that, in 2017 and 2018, an unknown group of criminals used a trojanized version of the anonymous Tor browser to steal $40,000 worth of bitcoins from Dark Web users. They advertised the web pages that carried the malicious Tor browser on Russian-language forums, garnering 500,000 page views over a period of months and giving them access to users’ private stores of digital currency.
Overview of the Ruse
The anonymous Tor browser — which does not reveal users’ locations to any party analyzing web traffic — is essential for those seeking to use hidden websites and dark market exchanges. These exchanges, in turn, typically take place in cryptocurrencies such as bitcoin, which use clever mathematical mechanisms to conceal users’ identities while (hopefully) keeping a record of the transactions.
The attackers cleverly disguised their phony browser as “the official Russian language version of the Tor Browser,” and hosted it on domains such as “tor-browser[.]org” and “torproect[.]org,” which are very similar to that of the real Tor project’s site. Language and culture barriers probably helped facilitate the ruse, ESET explained, as the phony site names would have looked like transliterations of Cyrillic names for the sites.
The attack began with spam emails being sent to Russian-speaking Tor users on topics such as the darknet, cryptocurrency, and government repression. Sometimes they mentioned Roskomnadzor, the Russian government agency charged with controlling and censoring the media.
The messages contained links to the fake websites mentioned above, which were styled to resemble those of the actual Tor project. The sites enjoined visitors to download an updated version of the Tor browser, which was actually, of course, the malicious version created by the cybercriminals. The phony browser was modeled after Tor Browser 7.5, a recent version of the real thing.
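The look-alike domains described above are the kind of thing a defender can catch in DNS or proxy logs before a user ever reaches the fake download page. The following is an added example (not ESET’s or Secure Forensics’ code) that flags queried names which sit one or two edits away from a protected domain, or which reuse the brand token in a hyphenated label; the allowlist, the brand token set and the log lines are constructed for the example, and the two look-alike names are the ones reported in the article.

```python
"""Flag look-alike domains near a protected name such as torproject.org.

Added example, not code from ESET or Secure Forensics. The allowlist, the
brand tokens and the log lines below are constructed for illustration.
"""
import re

# Assumption: a defender-maintained allowlist of legitimate domains.
LEGIT_DOMAINS = {"torproject.org"}

# Assumption: brand tokens that should not appear as a label part of an
# unrelated registered domain (heuristic; produces candidates for review).
BRAND_TOKENS = {"tor"}

# Constructed sample DNS log lines (not real captures).
SAMPLE_LOG = """\
2018-03-01T10:00:01Z dns query client=10.0.0.12 qname=www.torproject.org
2018-03-01T10:02:17Z dns query client=10.0.0.12 qname=torproect.org
2018-03-01T10:05:44Z dns query client=10.0.0.31 qname=tor-browser.org
2018-03-01T10:07:03Z dns query client=10.0.0.31 qname=example.com
"""

QNAME_RE = re.compile(r"qname=(\S+)")


def levenshtein(a, b):
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(qname):
    """Reduce a hostname to its last two labels (naive eTLD+1, fine for .org/.com).

    Also undoes the '[.]' defanging used when sharing indicators in reports."""
    qname = qname.lower().rstrip(".").replace("[.]", ".")
    return ".".join(qname.split(".")[-2:])


def closest_legit(domain):
    """Return (closest allowlisted domain, edit distance to it)."""
    best = min(LEGIT_DOMAINS, key=lambda legit: levenshtein(domain, legit))
    return best, levenshtein(domain, best)


def is_lookalike(qname, max_distance=2):
    """True when the name is near, but not exactly, an allowlisted domain.

    Two heuristics: a small edit distance (catches torproect.org, one
    deleted letter away from torproject.org) and a brand token used as a
    hyphen-separated part of the second-level label (catches tor-browser.org)."""
    dom = registrable(qname)
    if dom in LEGIT_DOMAINS:
        return False
    _, dist = closest_legit(dom)
    if dist <= max_distance:
        return True
    sld = dom.split(".")[0]
    return any(part in BRAND_TOKENS for part in sld.split("-"))


def scan_log(log_text):
    """Return the queried names from log_text that look like typosquats."""
    flagged = []
    for line in log_text.splitlines():
        m = QNAME_RE.search(line)
        if m and is_lookalike(m.group(1)):
            flagged.append(m.group(1))
    return flagged


if __name__ == "__main__":
    for name in scan_log(SAMPLE_LOG):
        legit, dist = closest_legit(registrable(name))
        print(f"suspicious: {name} (closest allowlisted: {legit}, distance {dist})")
```

The brand-token rule is deliberately loose and will surface unrelated domains that happen to contain the token; treat its output as a triage queue, and pair it with the edit-distance rule rather than using either alone.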
“Thus,” ESET officials said, “non-technically-savvy people probably won’t notice any difference between the original version and the trojanized one.”
Anatomy of a Fraud
The trojanized Tor browser doesn’t just look like the real thing; it operates much like the real thing too. But the fake browser has different default settings and extensions, with the following results:
Finding Culprits Behind Attacks
Unfortunately, the exact number of victims and the amount stolen remain unclear. When there are unanswered questions relating to data breaches or instances of fraud, Secure Forensics can help. Our team of experienced engineers can examine your device to find out how a breach or attack occurred, pinpoint the attacker, and find what information was compromised. After stopping a breach, we can create a court-admissible report of the cybercrime to use in a court of law. Call us at 1-800-288-1407 to learn more.