Using TOR browser to investigate geofenced phishing sites

Geofenced, country-specific phishing websites are becoming more common which makes investigating those websites harder, especially when the investigator has no direct access to files or the server where the website is located.

However, going around at least the geofencing part is achieved easily with the TOR browser, which eliminates the need to set up, find, and test open proxies.

Simply put, TOR browser bundle contains a torrc file which is the configuration file for TOR, where it’s possible to use the not-so-well documented ExitNodes -setting with ISO 3166 ALPHA 2 (2 character country code), which specifies the exit node country.

To use it, simply append e.g. this

ExitNodes {br} StrictNodes 1

at the end of the file, where ‘br’ stands for Brazil. The torrc file is usually located in:


Where ‘tor-browser_en-US’ is the root directory for the downloaded TOR browser. Remember to restart the browser/daemon completely when changing countries.

Simple? Hello, Brazil.

Leave a Comment