Malicious Browser Pilfers Bitcoins

Laura Bednar
Categories: Data Breaches, Fraud

Trojanized Tor Browser Steals Cryptocurrency

The digital security firm ESET has reported that, in 2017 and 2018, an unknown group of criminals used a trojanized version of the anonymity-focused Tor Browser to steal roughly $40,000 worth of bitcoin from dark web users. They advertised the web pages that hosted the malicious Tor Browser on Russian-language forums, and those pages gathered about 500,000 views over several months, each download giving the criminals a foothold from which to divert victims' cryptocurrency payments.


Overview of the Ruse

The Tor Browser, which hides a user's IP address and location from the sites they visit and from anyone watching network traffic, is essential for those seeking to use hidden websites and dark market exchanges. Those exchanges, in turn, are typically settled in cryptocurrencies such as bitcoin, which record every transaction on a public ledger but tie them only to pseudonymous addresses rather than to real-world identities.

The attackers disguised their phony browser as "the official Russian language version of the Tor Browser" and hosted it on lookalike domains, tor-browser[.]org and torproect[.]org, which closely resemble the real Tor Project site, torproject.org. Language and cultural barriers probably helped the ruse, ESET explained, since the misspelled domain names could pass for transliterations of Cyrillic names for the sites.

Modus Operandi

The attack began with spam emails being sent to Russian-speaking Tor users on topics such as the darknet, cryptocurrency, and government repression. Sometimes they mentioned Roskomnadzor, the Russian government agency charged with controlling and censoring the media.

The messages contained links to the fake websites mentioned above, which were styled to resemble the real Tor Project site. The sites urged visitors to download an "updated" version of the Tor Browser, which was, of course, the malicious build created by the cybercriminals. That build was based on Tor Browser 7.5, a then-recent version of the genuine browser.

“Thus,” ESET officials said, “non-technically-savvy people probably won’t notice any difference between the original version and the trojanized one.”

Anatomy of a Fraud

The trojanized Tor Browser doesn't just look like the real thing; it behaves much like it too. What sets it apart are its default settings and bundled extensions, which were changed with the following results:

  • The built-in updater was disabled, so the fake browser could never update itself to a genuine release
  • The xpinstall.signatures.required preference was switched off, so the browser no longer demanded that add-ons be signed and the criminals could ship their own modified, unsigned extensions
  • The bundled HTTPS Everywhere add-on was modified to include a script that, on every page load, contacts a command-and-control server hosted on the darknet
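A practical way to turn the three indicators above into a check is to read the profile's preference file and the add-on's manifest and flag anything that deviates from a known-good install. The block below is an added example written for this article, not code from ESET or from the Tor Project. The `user_pref("name", value);` line format is Firefox's real prefs.js/user.js syntax and `xpinstall.signatures.required` is the preference named above; the update-related preference names (`app.update.enabled`, `app.update.auto`, `extensions.update.enabled`) are assumed as the ones a disabled updater would touch in a Firefox 52 ESR-based build, and the sample preference file and manifest are constructed for the example rather than taken from the trojanized browser.

```javascript
// Added example: audit a Tor Browser profile for the tampering described in the article.
// Sample inputs below are constructed for illustration, not captured from the real malware.

// Firefox preference lines look like: user_pref("name", value);
const PREF_LINE = /^\s*(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$/;

// Parse a prefs.js/user.js text into a Map of name -> JS value (bool, number or string).
function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_LINE.exec(line);
    if (!m) continue;
    const raw = m[2];
    let value;
    if (raw === "true" || raw === "false") value = raw === "true";
    else if (/^-?\d+$/.test(raw)) value = Number(raw);
    else if (raw.startsWith('"') && raw.endsWith('"')) value = JSON.parse(raw);
    else value = raw; // leave anything unusual as the raw token
    prefs.set(m[1], value);
  }
  return prefs;
}

// Values a clean profile should carry. xpinstall.signatures.required is the pref the
// article names; the app.update.* / extensions.update.enabled names are assumptions
// for "the updater was disabled".
const EXPECTED = {
  "xpinstall.signatures.required": true,
  "app.update.enabled": true,
  "app.update.auto": true,
  "extensions.update.enabled": true,
};

// Report every expected pref that is present but set to a weakened value.
function auditPrefs(prefs) {
  const findings = [];
  for (const [name, want] of Object.entries(EXPECTED)) {
    if (prefs.has(name) && prefs.get(name) !== want) {
      findings.push({ pref: name, expected: want, found: prefs.get(name) });
    }
  }
  return findings;
}

// Report any content script declared in an add-on manifest (manifest.json) that is not
// on an allowlist you built from a verified clean copy of the add-on. A script injected
// into every page ("<all_urls>") is exactly how a modified HTTPS Everywhere could reach
// a command-and-control server from inside each visited site.
function auditManifest(manifestJson, allowedScripts = []) {
  const manifest = JSON.parse(manifestJson);
  const findings = [];
  for (const cs of manifest.content_scripts || []) {
    for (const js of cs.js || []) {
      if (!allowedScripts.includes(js)) {
        findings.push({ script: js, matches: cs.matches || [] });
      }
    }
  }
  return findings;
}

// Constructed sample of what a tampered profile might contain.
const SAMPLE_PREFS = `
user_pref("app.update.enabled", false);
user_pref("app.update.auto", false);
user_pref("extensions.update.enabled", false);
user_pref("xpinstall.signatures.required", false);
user_pref("network.proxy.socks_port", 9150);
user_pref("browser.startup.homepage", "about:tor");
`;

// Constructed sample manifest with an injected script that runs on every page.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "HTTPS Everywhere",
  manifest_version: 2,
  content_scripts: [{ matches: ["<all_urls>"], js: ["script.js"], run_at: "document_end" }],
});

// Run both checks over the samples and return the combined findings.
function runAudit(prefsText = SAMPLE_PREFS, manifestJson = SAMPLE_MANIFEST, allowed = []) {
  return {
    prefs: auditPrefs(parsePrefs(prefsText)),
    manifest: auditManifest(manifestJson, allowed),
  };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

On a real profile you would feed `parsePrefs` the contents of `prefs.js` and `user.js` from the Tor Browser profile directory and `auditManifest` the `manifest.json` unpacked from the HTTPS Everywhere `.xpi`; the point is that all three tampering indicators live in plain text on disk and can be checked without running the browser.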

The injected script reported every page the victim loaded to the command-and-control server, which stayed silent until the victim visited one of the three largest Russian-language underground markets or the Russian payment service QIWI. For those sites the darknet server answered with a JavaScript payload that rewrote the bitcoin or QIWI wallet address shown on the payment page, so that funds the victim believed they were depositing with the market went to an address controlled by the attackers instead.

Finding Culprits Behind Attacks

Unfortunately, beyond the roughly $40,000 traced to the attackers' bitcoin wallets, the exact number of victims and the full amount stolen remain unclear. When there are unanswered questions relating to data breaches or instances of fraud, Secure Forensics can help. Our team of experienced engineers can examine your device to find out how a breach or attack occurred, identify the attacker where the evidence allows, and determine what information was compromised. After the breach is contained, we can produce a court-admissible report of the cybercrime. Call us at 1-800-288-1407 to learn more.