The Onion Router (TOR) is best known for anonymizing web browsing through the free, open-source software published at torproject.org. It works by wrapping the client's traffic in several layers of encryption and passing it through a path, called a circuit, of (normally three) volunteer-operated relays; each relay strips one layer and learns only the previous and next hop. The exit node is the last relay in the circuit: it removes the final layer of TOR encryption and forwards the traffic, exactly as the client sent it, to its destination. Two consequences matter for defenders: the destination sees the exit relay's IP address rather than the sender's, and the exit only removes TOR's own layers, so application traffic that is itself encrypted (for example TLS) is still opaque to the exit.
Email administrators may not realize how heavily TOR is abused for attacks against mail. In July alone, for example, Zix/AppRiver Advanced Email Threat Protection filters caught over 350,000 messages destined for customers that originated from TOR exit node IP addresses. Most of this traffic was comment-form and dating spam, but more serious threats, including malware, phishing, and COVID-19 themed scams, also arrive through TOR exit nodes. The practical point is that the connecting IP recorded by the receiving MTA is the exit relay, not the real sender, so IP reputation alone tells you only that the message came through TOR; whether to quarantine such mail outright or merely to weight it is a policy decision each site has to make.
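The paragraph above says these messages "originate from TOR exit node IP addresses"; the first thing a mail administrator needs is a reliable way to tell that from the headers. The following is an added example written for this article, not code from Zix/AppRiver. It assumes an exit list in the format published at https://check.torproject.org/torbulkexitlist (one address per line; the list embedded here is a constructed sample using documentation addresses), and a constructed message whose outermost Received header was written by our own edge MX. The key design point is that only the Received headers written by your own infrastructure can be trusted; anything below them was supplied by the sender.

```python
"""Flag inbound mail whose connecting peer is a Tor exit relay.

Added example (not Zix/AppRiver code). The exit list below is a constructed
sample in the format of https://check.torproject.org/torbulkexitlist (one
address per line); in production fetch that list and refresh it frequently,
since exit addresses change. The mail sample is also constructed.
"""
import email
import ipaddress
import re
from email import policy

# Constructed sample exit list using RFC 5737 documentation addresses.
SAMPLE_EXIT_LIST = """\
# constructed sample, not a real snapshot
198.51.100.23
203.0.113.77
"""

# Constructed sample message. The first Received header was written by our own
# edge MX and records the connecting peer (198.51.100.23); the second header
# was supplied by the sender and could say anything.
SAMPLE_MESSAGE = """\
Received: from relay.example.net (relay.example.net [198.51.100.23])
\tby mx.example.com (Postfix) with ESMTPS id 4B1C2D3E4F
\tfor <victim@example.com>; Wed, 29 Jul 2020 09:41:12 +0000
Received: from [10.0.0.5] (unknown [10.0.0.5])
\tby relay.example.net (Postfix) with ESMTP id 0A1B2C3D4E
\tfor <victim@example.com>; Wed, 29 Jul 2020 09:41:10 +0000
From: "DHL Express" <noreply@dhl.example>
To: victim@example.com
Subject: Your shipment could not be delivered
Content-Type: text/plain; charset="utf-8"

Please open the attached document to reschedule delivery.
"""

# IP literal in a Received clause, e.g. "[198.51.100.23]" or "[IPv6:2001:db8::1]".
RECEIVED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def parse_exit_list(text):
    """Parse the bulk exit list format into a set of ip_address objects."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # skip malformed lines rather than failing the whole load
    return exits


def connecting_ip(raw_message, trusted_hops=1):
    """Return the IP that connected to our edge MTA, or None.

    Received headers are prepended by each hop, so the first `trusted_hops`
    headers were written by our own infrastructure; the last of those records
    the external peer. Anything below it is sender-controlled and ignored.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    received = msg.get_all("Received") or []
    if len(received) < trusted_hops:
        return None
    match = RECEIVED_IP.search(str(received[trusted_hops - 1]))
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None


def is_from_tor_exit(raw_message, exits, trusted_hops=1):
    """True when the message was handed to us by a known Tor exit relay."""
    ip = connecting_ip(raw_message, trusted_hops)
    return ip is not None and ip in exits


if __name__ == "__main__":
    exits = parse_exit_list(SAMPLE_EXIT_LIST)
    print("connecting IP:", connecting_ip(SAMPLE_MESSAGE))
    print("via Tor exit:", is_from_tor_exit(SAMPLE_MESSAGE, exits))
```

Set `trusted_hops` to the number of Received headers your own mail path adds before the edge MX (for a single inbound MX it is 1). Passing a larger value deliberately reads a sender-supplied header, which in the sample yields the forged 10.0.0.5 and would let a spammer hide the exit address; that is exactly the mistake this parameter is meant to prevent.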
Email Threat Examples Delivered from TOR Exit Nodes
Malware – DHL Theme / AgentTesla Remote Access Trojan
AgentTesla is a remote access trojan and information stealer under active development; it is popular among threat actors because of its low price and ease of deployment. The recent addition of a module that steals saved Wi-Fi profiles (network names and their passwords) suggests its operators may be aiming at lateral movement: with those credentials in hand, a compromised laptop could be used to reach other systems on the same wireless network.
The advertisement for AgentTesla below shows its license tiers alongside a chatbot that answers questions from prospective buyers.
Phishing – Adobe Themed Email
This phishing message is another example of an attack delivered from a TOR exit node. The threat actor uses an Adobe Cloud shared-document theme, and the payload link gains visual legitimacy by appearing to point to intuit.com. On clicking, however, the recipient is redirected to a credential harvesting site hosted on Amazon AWS. The lesson for filtering is that neither the visible link text nor the first hop of a URL says where the user will end up; the destination has to be evaluated after following the redirects.
Phishing – Adobe Themed Email Leads to Credential Harvesting Site
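The Adobe-themed lure above relies on a link that looks like intuit.com but lands on an AWS-hosted harvesting page. The article does not say whether the deception is in the link text or in a redirect from the first hop, so the added example below, written for this article and not taken from Zix/AppRiver, checks both: it flags anchors whose visible text names a different site than the href, and it walks the redirect chain hop by hop so every intermediate host is recorded. The HTML snippet and the redirect table are constructed; the attacker hostnames use the reserved .example TLD and are placeholders, and the `fetch` callable is injected so the code runs offline.

```python
"""Triage a lure link: does the visible text name the site the href goes to,
and where does the URL finally land after redirects?

Added example (not from the original post or Zix/AppRiver). The HTML and the
redirect table are constructed to mimic the Adobe-themed lure; all attacker
hostnames use the reserved .example TLD and are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed lure: the link text shows intuit.com, the href goes elsewhere.
SAMPLE_HTML = """\
<p>A document has been shared with you on Adobe Cloud.</p>
<p><a href="https://tracker.example/click?id=42">https://intuit.com/shared/Invoice_0729.pdf</a></p>
<p>Questions? <a href="https://intuit.com/help">intuit.com support</a></p>
"""

# Constructed redirect behaviour, standing in for live HTTP responses.
FAKE_RESPONSES = {
    "https://tracker.example/click?id=42": (302, "https://login.example-cloud.example/adobe/"),
    "https://login.example-cloud.example/adobe/": (200, None),
}


def fake_fetch(url):
    """fetch(url) -> (status, Location header or None); offline stand-in."""
    return FAKE_RESPONSES.get(url, (200, None))


# Something that looks like a hostname inside visible link text.
HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude eTLD+1 (last two labels): fine for triage, not for policy decisions."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def deceptive_links(html):
    """Links whose visible text names a different site than the href targets."""
    findings = []
    for href, text in extract_links(html):
        href_host = urlparse(href).hostname
        shown = HOST_IN_TEXT.search(text)
        if not href_host or not shown:
            continue
        if registrable(shown.group(1)) != registrable(href_host):
            findings.append({"text": text, "href": href,
                             "shown": registrable(shown.group(1)),
                             "actual": registrable(href_host)})
    return findings


def redirect_chain(url, fetch, max_hops=10):
    """Follow redirects manually so every intermediate host is recorded.

    `fetch` is injected so this runs offline; in production use a client that
    does NOT auto-follow redirects, otherwise the intermediate hops are lost.
    """
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        chain.append(urljoin(chain[-1], location))
    return chain


if __name__ == "__main__":
    for finding in deceptive_links(SAMPLE_HTML):
        print(f"shown {finding['shown']} but href goes to {finding['actual']}")
        print(" -> ".join(redirect_chain(finding["href"], fake_fetch)))
```

The second link in the sample, whose text and href both name intuit.com, is deliberately left unflagged so the check does not fire on every link that mentions a brand. The `max_hops` cap matters in practice: redirect loops and very long tracker chains are common in lures, and an uncapped follower will hang a filtering pipeline.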
COVID-19 Loan Scam Example
This last TOR exit node scam example purports to come from a "United Nations COVID-19 Pandemic Trust Fund" offering applicants a low-interest loan. The goal is to collect personal and financial details that would enable the scammer to commit financial fraud or identity theft. The intended recipient never saw the message, because it was blocked by Zix/AppRiver.
Our Email Threat Protection caught these TOR exit node scam attacks along with many more. Contact us today for a trial!