Fake Tor browser stole Bitcoins from dark web users

The fake version was targeting users for years.

Cryptocurrencies like Bitcoin, anonymity-retaining browsers like Tor and underground platforms like the Dark Web have offered users a great opportunity to carry out their nefarious deeds online without getting caught. However, the tables have now turned, as hackers and spammers aren’t sparing Dark Web users.

Reportedly, a malicious version of the widely used Tor browser is spying on Dark Web users and stealing bitcoin from their wallets. It is worth noting that the privacy-ensuring Tor browser is the main program used by many to access the Dark Web.

Researchers at ESET claim that so far hackers have managed to steal over $40,000 worth of Bitcoin (4.8 BTC) through a trojanized version of the original Tor browser package. The fake version redirects users to two websites, which inform the user that the version of Tor is outdated even if the user has the latest version of the browser.

When the user clicks on the link provided on the page for downloading the updated version of Tor, another website appears containing the download link. When the infected Tor is downloaded and used, it starts spying on the user. When the user adds funds to the Bitcoin wallet or pays for any service on the Dark Web, the malicious Tor diverts the funds to the wallet controlled by the scammers by changing the target address.

ESET senior malware researcher Anton Cherepanov stated in a blog post that whatever the user does on the Dark Web is being tracked by the malicious Tor operators.

“This malware lets the criminals behind this campaign see what website the victim is currently visiting. In theory, they can change the content of the visited page, grab the data the victim fills into forms and display fake messages, among other activities. However, we have seen only one particular functionality–changing the bitcoin and cryptocurrency wallets,” says Cherepanov.

According to ESET, the fake Tor browser version was promoted back in 2017 and 2018 quite fiercely on many Russian forums and Pastebin accounts as the Russian language version of Tor. Interestingly, the Pastebin accounts so far have over 500,000 views.

Screenshot of the malicious website pushing fake download for Tor browser

The header of a paste that promotes fake Tor Browser websites:

BRO, download Tor Browser so the cops won’t watch you.
Regular browsers show what you are watching, even through proxies and VPN plug-ins.
Tor encrypts all traffic and passes it through random servers from around the world.
It is more reliable than VPN or proxy and bypasses all Roskomnadzor censorship.
Here is official Tor Browser website:
torproect[.]org
Tor Browser with anti-captcha:
tor-browser[.]org
Save the link

Moreover, ESET researchers have discovered three bitcoin wallets that are used in this campaign. What’s alarming is the fact that this campaign has remained active for many years and the stolen amount may actually be higher than the reported one.

“It should be noted that the real amount of stolen money is higher because the trojanized Tor Browser also alters QIWI wallets,” added Cherepanov.

Tor browser is mostly used for accessing illegal goods/services on the Dark Web and most of the trading is carried out in virtual currency. The fake Tor is designed so convincingly that users who are not tech-savvy may not even notice any difference between the fake and the original browser.

Piece of advice: always download software from legit sources.
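
The two domains in the paste quoted above show two lookalike patterns: one is a single-character typo of the Tor Project's real domain, torproject.org, and the other puts the brand keyword in an unrelated name. The following Python check is an added example (not from ESET's research or the original article) that flags both before a download link is trusted; the function names, the distance threshold and the two-label domain handling are assumptions made for illustration.

```python
import re

OFFICIAL = "torproject.org"   # the Tor Project's real domain
BRAND_TOKENS = {"tor"}        # assumption: keywords that imitate the brand

def refang(domain: str) -> str:
    """Undo common defanging ([.], hxxp) and strip scheme and path."""
    d = domain.strip().lower().replace("[.]", ".").replace("(.)", ".")
    d = re.sub(r"^h(xx|tt)ps?://", "", d)
    return d.split("/")[0].rstrip(".")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify(domain: str, official: str = OFFICIAL, max_dist: int = 2) -> str:
    """Return 'official', 'typosquat', 'brand-keyword' or 'unrelated'."""
    d = refang(domain)
    # Assumption: the registrable domain is the last two labels
    # (no public-suffix list is consulted, so names under co.uk etc. need more work).
    reg = ".".join(d.split(".")[-2:])
    if reg == official:
        return "official"
    if edit_distance(reg, official) <= max_dist:
        return "typosquat"
    tokens = set(re.split(r"[-_]", reg.split(".")[0]))
    if tokens & BRAND_TOKENS:
        return "brand-keyword"
    return "unrelated"

if __name__ == "__main__":
    # The two defanged domains come from the paste quoted in the article;
    # the other entries are constructed for comparison.
    for candidate in ("torproect[.]org", "tor-browser[.]org",
                      "https://www.torproject.org/download/", "example.org"):
        print(f"{candidate:40} {classify(candidate)}")
```
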
