Criminals have been discovered distributing fake Tor browsers that are designed to steal cryptocurrency, and so far, have been quite successful, raking in roughly $400,000 in various tokens from unsuspecting victims, experts have warned
Cybersecurity researchers from Kaspersky are warning users to watch out for Tor browser installers from third-party stores.
They’ve spotted one such executable sitting in a password-protected RAR archive which, when extracted and installed, monitors the Windows clipboard for cryptocurrency wallets. If it spots one, it will replace it with one controlled by the attacker.
When a person tries to send funds from one address to another, they would usually copy and paste the recipient’s address, as these are a long string of seemingly random characters which are almost impossible to remember.
If the malware replaces the copied address with a different one, chances are the victim won’t see the difference and will just send the funds to the wrong address.
The method actually works quite well, as these attackers stole some $400,000 from roughly 16,000 users, just this year. Most of the stolen cash is in Bitcoin ($380,000), Litecoin ($10,000), Ethereum ($4,800), and Dogecoin ($517). Due to the way the malware is designed, the researchers can’t be absolutely certain about the amount of money stolen, and speculate that the final figure is probably even bigger.
While the victims are scattered all over the world (52 countries) the bulk of them reside in Russia, followed by Ukraine, and the US. The researchers believe Russians were the biggest targets as Tor was first banned, and later censored, in the country. That made Russians look for alternative places to grab the famed browser from.
“The Tor Project called to help keep Russian users connected to Tor to circumvent censorship,” said Vitaly Kamluk, head of Kaspersky’s Global Research and Analysis Team for APAC. “Malware authors heard the call and responded by creating trojanized Tor browser bundles and distributing them among Russian-speaking users.”
Via: The Register (opens in new tab)