[Tor2web-talk] Fwd: Trojan Detected - Please Shut Down! tor2web.org
Virgil Griffith
i at virgil.gr
Thu May 19 16:42:53 CEST 2016
This needs to be blocked. Otherwise tucows will take away the tor2web.org
domain.
---------- Forwarded message ----------
From: *Paul Karkas* <pkarkas at tucows.com>
Date: Thursday, 19 May 2016
Subject: Fwd: Trojan Detected - Please Shut Down! tor2web.org
Hello;
Please note that there is active malware on your site located at
http://eqrvbczir5ua2emd.tor2web.org/
This may be due to an exploit; would you kindly remove the link and let me
know so we can put this issue to rest?
Thank you.
http://en.wikipedia.org/wiki/malware
Since you are using Tucows whois privacy, I would kindly ask that you
let me know how you will respond to this inquiry.
Should you not respond to this email within 48 hours, or provide
Tucows/Contactprivacy indication that you will respond to the inquiring
party, Tucows/Contactprivacy may act to remove or reveal the
proxy/privacy services on your domain, as per the terms and conditions
of the ContactPrivacy service:
see https://www.opensrs.com/docs/contracts/exhibita.htm
Section 33. WHOIS PRIVACY SERVICE
"g. Right to Suspend and Disable. We shall have the right, at our sole
discretion and without liability to you or any of your Contacts, suspend
or cancel your domain name and to reveal Registrant and Contact Whois
Information in certain circumstances"
Thank you.
Paul Karkas
Compliance Officer OpenSRS
Tucows Inc.
paul at opensrs.org
416-535-0123 ext 1625
Direct line 416-538-5458
1-800-371-6992
Fax 416-531-2516
-------- Forwarded Message --------
Subject: Trojan Detected - Please Shut Down! - [BBVA - E2142429] -
38.229.70.4
Date: 19 May 2016 14:20:02 +0300
From: RSA Anti-fraud Command Center <afcc at rsa.com>
To: pkarkas at tucows.com
BBVA - E2142429
To whom it may concern:
RSA, The Security Division of EMC (“RSA”), an information security company,
has detected and verified that a Malware (as defined below) program is
being propagated from a server which is associated with the following URL:
(the “Designated Site”)
From our review, it is our understanding that you operate the Designated
Site and that it is, therefore, under your control.
For the purposes of this letter, “Malware” means any software applications
or executables that perform actions unanticipated by and without the
consent of the person running the software. Malware is distributed via many
mechanisms including, but not limited to: email attachments; content
injection such as cross site scripting; exploiting security vulnerabilities
in operating systems and other software; and/or insertion into downloadable
software. Malware is designed, among other things, to misappropriate
personal data in order to engage in fraudulent transactions using that
data, and/or to compromise and co-opt an end-user’s networked computer; all
for the purpose of performing illegal or improper acts such as
misappropriating funds; carrying out denial of service attacks; and sending
unsolicited mass emails.
For your information, we have analyzed the specific Malware and enclose a
file, which includes:
- Malware name: *Ransom*
- Description: Ransomware is computer malware which holds a computer
system, or the data it contains, hostage against its user by demanding a
ransom for its restoration.
http://www.symantec.com/connect/node/1618951
- http://eqrvbczir5ua2emd.tor2web.org/
This file also details the method by which it appears that the Malware is
downloaded to a victim’s computer.
In this instance, it is our belief that the specific purpose of the Malware
is to misappropriate account credentials and identity information from the
customers of one or more financial institutions in order to access their
bank accounts fraudulently.
*Therefore, we request that you immediately take all actions necessary to
disable and remove this Malware from the Designated Site.*
We specifically would ask that you also take the following actions: *Please
provide us with a tar/zip file of all the content located under the
Malware's path (including hidden files)*, so that we may analyze it to help
prevent further attacks. If any customer data has been captured that is
stored on your systems or equipment, please send us that data so that the
customers to whom that data relates can be notified and take steps to
protect their credit. Please provide a copy of any records you maintain
that indicate the name, contact information, method of payment or similar
information that may be useful in helping learn about the identity and
location of the customer for whom the website has been operated.
We would appreciate your email confirmation that the source of the Malware
infection has been disabled.
We understand that you may not be aware of the above described improper use
of the Designated Site and we thank you for your cooperation in the
prevention of fraudulent online activity. The foregoing is without
prejudice to any and all rights and remedies of any financial institution
impacted by the improper use of the Designated Site, which rights and
remedies are hereby expressly reserved.
If you need further information, please do not hesitate to contact RSA at
the numbers below.
Sincerely,
RSA SECURITY INC.
*RSA Anti-Fraud Command Center*
Tel: +44 (0)800-032-7751 (UK)
Tel: +1-866-408-7525 (US)
E-mail: afcc at rsa.com