PSA: Some Vendors MAY have been compromised on Agora

Here is the post that got my attention: http://lacbzxobeprssrfx.onion/index.php/topic,32421.msg269164.html#msg269164

In case you are reading this and are not viewing via tor, here is the original message and my response:

ORIGINAL POST: I received this PM from PureHeaven (vendor account). Apparently he's locked out of ALL of his market accounts (Agora & Pandora, and SR2).

see important note at end


"Very Important!!" « Sent to: SuperMario on: August 16, 2014, 08:53:22 PM »

I am PureHeaven a vendor here, agora, and pandora....all my accounts have been hacked!!! I received a message on sr from customer support or i thought so that stated my torbrowser is out of date and gave me a link to download a new one....normally i would not trust that but my torbrowser actually was out of date....anyways like an idiot i downloaded it and it gave them access to my computer. They stole all my info, and pgp keys, they changed all my account passwords.

They also have my real ip address and stated if i mentioned this or tried to regain access to my accounts they would report my true identity to the police........this is not a joke and i can prove anything you want. Please please advise me on how to handle this......i do however have access to all my forums accounts pandora, sr, and here!


End of message.

MY RESPONSE: I'm guessing vendors got a message like the one I pasted below, except that when it originally came through, it showed as "Agora Support" or some shit like that (rather than "NIGERIAN SCAMMER"). I read the message and immediately checked whether I had remembered to remove the i2p library from my indeed out of date copy of Tails. Once I confirmed that i2p and java were disabled, I re-read the message and I know to NEVER click an update link that is not from the official Tails website.

Have I been lazy about doing a manual upgrade from a new iso image? Yes. Do I patch my own version appropriately per the tails website? Yes.

I can't say for certain whether or not PureHeaven has been compromised, but I can tell you that this vendor got a message resembling what has been described to the OP. I just didn't go clicking clearnet links while I'm logged in to the marketplace. I'm sure it has been mentioned, but OPSEC is very important. I'm guessing at least one vendor could improve his or hers.

I hope this information helps add some insight to clarify the OP. This is the message in my inbox on August 9, 2014:

NIGERIAN_SCAMMER (Message was marked originally from "AGORA SUPPORT"): Our records indicate that you are using a VULNERABLE and OUTDATED version of Tor Browser to access Agora

http://www.REDACTEDFORPUBLICSAFETY.com/news/Tor-Working-To-Fix-Security-Exploit/story.xhtml?story_id=1220047IGUNC

As of July 24th a massive "de-masking exploit" in The Tor Bundle Browser has been revealed exposing and revealing hundreds of thousands of users actual IP locations and other sensitive data such as browsing habits.

The de-masking exploit is said to be able to reveal the identities of hundreds of thousands of users, and was discovered by Alexander Volynkin and Michael McCord of Carnegie Mellon University.

In response to this recent exploit Developers for the Tor privacy browser have released an updated version of Tor Browser to prevent this flaw from being exploited.

Please make sure to upgrade to the latest version of the Tor Browser or Tails at

http://torbundleEDITED-FOR-PUBLIC-SAFTEYbrowser.org/

We are also in the process of upgrading our servers. You may notice some minor delays when loading pages. This is expected to be resolved by August 10th as long as everything goes as planned.

-Agora

END COPY/PASTE

I want this posted on /r/darknetmarkets to serve as a PSA to everyone that it is not always the adversary you perceive as your adversary that is your adversary. PLEASE use Tails. If your copy of Tails is outdated, either upgrade or patch per the official tails website. If vendors are falling for this shit, I imagine that some customers are falling for it. This could be total FUD, but the take home message remains the same.
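The rule the OP states, that an "update" link is only trustworthy when it points at the official project site, can be turned into a small triage check that a user or a market's support team could run over an inbound message before anyone clicks. The script below is an added example, not code from the original post or from any of the projects mentioned; it assumes an allowlist of the official Tor and Tails domains (torproject.org, tails.boum.org, tails.net) and uses a constructed sample message with a placeholder `.example` host rather than the redacted URL from the post. It extracts every URL, classifies each as official, brand-name lookalike, or unknown, and also notes whether a link leaves the onion space, since the OP's own habit of never following clearnet links from inside the market is the check that saved him.

```python
import re
from urllib.parse import urlsplit

# Assumption: the defender maintains this allowlist of official download hosts.
# torproject.org and tails.boum.org are the real project domains; tails.net is
# the newer Tails domain. Any host outside this list is untrusted.
OFFICIAL_DOMAINS = ("torproject.org", "tails.boum.org", "tails.net")

# Brand strings a phisher reuses to look legitimate. A host that carries one of
# these but is not on the allowlist is reported as a lookalike, not just unknown.
BRAND_STRINGS = ("torbrowser", "torbundle", "torproject", "tails")
BRAND_LABELS = ("tor", "tails")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def host_of(url):
    """Lowercase hostname of a URL, or '' when the URL has none."""
    try:
        return (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""


def classify_url(url):
    """'official' if the host is (a subdomain of) an allowlisted domain,
    'lookalike' if it borrows a Tor/Tails brand string but is not allowlisted,
    'unknown' otherwise. Suffix matching means torproject.org.example is NOT official."""
    host = host_of(url)
    if not host:
        return "unknown"
    for dom in OFFICIAL_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return "official"
    # Split on dots and hyphens so 'tor-browser-update.example' yields the label 'tor'.
    labels = [p for label in host.split(".") for p in label.split("-")]
    compact = host.replace("-", "").replace(".", "")
    if any(lbl in BRAND_LABELS for lbl in labels) or any(b in compact for b in BRAND_STRINGS):
        return "lookalike"
    return "unknown"


def triage_message(text):
    """Return one finding per URL in the message: the URL, its host, the verdict,
    and whether it is a clearnet (non-.onion) destination."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;")
        host = host_of(url)
        findings.append({
            "url": url,
            "host": host,
            "verdict": classify_url(url),
            "clearnet": not host.endswith(".onion"),
        })
    return findings


def message_is_suspicious(text):
    """A message is suspicious if any link is not official. One legitimate link
    in the same message does not make the others safe."""
    return any(f["verdict"] != "official" for f in triage_message(text))


# Constructed sample in the style of the phishing PM quoted in the post; the
# hosts are placeholders, not the redacted addresses from the original.
SAMPLE_PM = """Our records indicate that you are using a VULNERABLE and OUTDATED
version of Tor Browser. Please upgrade to the latest version at
http://tor-browser-update.example/download
Background on the exploit: https://www.torproject.org/
Press coverage: http://news.example.net/story"""

if __name__ == "__main__":
    for finding in triage_message(SAMPLE_PM):
        print(f"{finding['verdict']:9} clearnet={finding['clearnet']}  {finding['url']}")
    print("suspicious:", message_is_suspicious(SAMPLE_PM))
```

Run on the sample, the `tor-browser-update.example` link is reported as a lookalike and the press link as unknown, so the message is flagged even though it also carries a genuine torproject.org link. The allowlist is deliberately exact-suffix: a host like `torproject.org.example` ends in `.example`, not `.torproject.org`, and so falls through to the brand check and is flagged.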


Comments


[19 Points] durgsrbad:

Torn a bit on this one. It's a worthwhile reminder to be wary and vigilant, but I can't help but feel that to fall for this shit and break one of the fundamental aspects of opsec - downloading from unknown sources - then dnm's are not for you. For a vendor to get sucked into this? I'm glad the idiot doesn't have my details.


[8 Points] christopherw:

derp.

Just the other day, /r/netsec had an interesting decompilation of ANOTHER fake Tor Browser Bundle on a similar domain - completely duplicate of the official web site (packed with a botnet agent which the guy decompiled, and eventually had a live conversation with the herder). Worth a read.


[7 Points] datdropdoe:

Best not to deal with vendors who are stupid enough to click on obvious phishing links.


[2 Points] plurblur:

I've read tails implementation of tor is less secure than using the tor browser bundle.


[2 Points] FedoraWearingAlien:

This is pretty fucking retarded, I'm not going to trust that vendor anymore if he falls for a fucking phishing campaign.


[1 Points] None:

All OPSEC is for naught if a user is going to just click a link like that ... my goodness.


[1 Points] None:

RemindMe! 65 Hours


[1 Points] huzibizi:

This is a really, really old trick. I'm disappointed.

How the hell can a vendor fall for a scam like this? Probably high or something


[-1 Points] 1percentof1:

So they backdoor'd his computer? Did he keep his private pgp in plain text? I guess they could have key logged him too..