
Hundreds of Dark Web sites cloned and “booby trapped”

Juha Nurmi, founder of the Ahmia search project, first noticed a fake version of his own site before discovering that there are multiple clones of hundreds of other Dark Web sites. The sites could be used for surveillance or for conducting man-in-the-middle attacks and include a clone of the popular DuckDuckGo search engine.

The founder of one of the Dark Web’s fledgling search engines is warning Tor users about the presence of hundreds of fake and booby trapped .onion websites.

Sites with addresses that end in .onion are anonymous, Dark Web websites (properly called hidden services) that can only be accessed using the Tor browser.

The fake sites were discovered by Juha Nurmi, a founding member of the ahmia.fi project, an open source search engine that aims to search, index and catalogue all the content present on the Tor network.

Nurmi first noticed a fake of his own site before discovering that there are multiple clones of hundreds of other Dark Web sites, including a fake of the .onion version of the popular DuckDuckGo search engine.

Nurmi raised his concerns on Monday, on the Tor-Talk mailing list and published a full list of fake or booby trapped sites to Pastebin.

I noticed a while ago that there is a clone onion site for Ahmia. Now I realized that someone has actually generated similar onion domains to all popular onion sites and is re-writing some of the content.

In his post to the mailing list he claims that there are multiple copies of each target site with similar-looking addresses.

Tor sites are often found through directories rather than search engines and they have addresses that are quite difficult to read, which probably makes it easier to plant fakes than on the regular World Wide Web.

For example, the real and fake addresses for DuckDuckGo are the equally immemorable:

http://3g2upl4pq6kufc4m.onion/ (real)
http://3g2up5afx6n5miu4.onion/ (fake)

Nurmi also claims that the fake sites aren’t just duplicates of the real sites but proxies for them (he could presumably verify this for his own site but he doesn’t state how or if he tested it for the others).

If he’s correct then the proxies would allow the attacker to launch so-called Man-in-the-Middle attacks, stealing or modifying data as it passes through the fake site.

These sites are actually working as a transparent proxy to real sites. However, the attacker works as MITM [Man-in-the-Middle] and rewrites some content. It is possible that the attacker is gathering information, including user names and passwords.

In another sinister twist, user ‘garpamp’, who claims that such activity has been “going on for years”, states that he’s seen pages that list .onion addresses being modified by malicious Tor exit nodes.

This is a completely different attack from the one identified by Nurmi and it occurs on the regular web, not the Dark Web, but it’s aimed at achieving the same thing – getting you to visit a fake Dark Web service instead of a real one.

It works like this:

The Tor browser can be used to browse hidden services on the so-called Dark Web, where both the browser and the site are completely anonymous, or the regular World Wide Web, where only the user with a Tor browser is anonymous.

When it’s used on the regular web, Tor encrypts your traffic and sends it on an eccentric journey between a number of Tor nodes; it is then decrypted again before making the final hop to its destination like any other internet traffic.

This decryption (and the encryption of responses) is performed by a special Tor node called an exit node. Anyone can set up an exit node and because they deal with unencrypted information they are an excellent place to spy on traffic, or even to modify it on-the-wire (you can read more about exit nodes in my recent article Can you trust Tor’s exit nodes?).

What garpamp claims to have seen is malicious exit nodes being used to rewrite regular web pages.

In other words, if you looked at this page through Tor and you happened to get a malicious exit node in your circuit you might not see the legitimate DuckDuckGo address at the top of this page, you might see two fake ones instead.
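The two problems described above, lookalike .onion names that share a prefix with the real address (as in the DuckDuckGo pair) and exit nodes rewriting addresses on clearnet pages, can both be caught by the same defensive check. The following is an added example, not code from the article or from the Ahmia project; the allowlist holds only the real DuckDuckGo address quoted in the article, and the sample pages are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# v2 .onion names as they appear in the article: 16 base32 characters (a-z, 2-7).
ONION_V2 = re.compile(r"\b([a-z2-7]{16})\.onion\b")

# Constructed allowlist; the DuckDuckGo entry is the real address quoted in the article.
KNOWN_REAL: Dict[str, str] = {"3g2upl4pq6kufc4m": "DuckDuckGo"}

def common_prefix_len(a: str, b: str) -> int:
    """Length of the shared leading run of characters."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def classify_onions(page_text: str, known_real: Dict[str, str] = KNOWN_REAL,
                    min_prefix: int = 4) -> List[Tuple[str, str, Optional[str]]]:
    """Return (address, verdict, closest_known) per onion address in page_text; verdict is
    "known-real", "lookalike" (shares >= min_prefix leading chars with a known one) or "unknown"."""
    results = []
    for addr in ONION_V2.findall(page_text):
        if addr in known_real:
            results.append((addr, "known-real", addr))
            continue
        # Humans compare only the start of these unreadable names, so a shared prefix is the tell.
        closest = max(known_real, key=lambda k: common_prefix_len(addr, k), default=None)
        if closest is not None and common_prefix_len(addr, closest) >= min_prefix:
            results.append((addr, "lookalike", closest))
        else:
            results.append((addr, "unknown", None))
    return results

def rewritten_addresses(reference_text: str, observed_text: str) -> Dict[str, set]:
    """Diff the onion addresses in two fetches of the same page (e.g. direct HTTPS vs. through
    a Tor circuit): anything added or removed points at on-the-wire rewriting."""
    ref = set(ONION_V2.findall(reference_text))
    obs = set(ONION_V2.findall(observed_text))
    return {"added": obs - ref, "removed": ref - obs}

# Constructed sample pages: the real address from the article, the fake one, and a made-up third.
REFERENCE_PAGE = "DuckDuckGo: http://3g2upl4pq6kufc4m.onion/ Other: http://abcdefghijklmnop.onion/"
OBSERVED_PAGE = "DuckDuckGo: http://3g2up5afx6n5miu4.onion/ Other: http://abcdefghijklmnop.onion/"

if __name__ == "__main__":
    for row in classify_onions(OBSERVED_PAGE):
        print(row)
    print(rewritten_addresses(REFERENCE_PAGE, OBSERVED_PAGE))
```

The address diff is only meaningful when the reference copy was fetched over a path the suspected exit node cannot touch, such as a direct HTTPS connection.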

During the course of the discussion, garpamp noticed that a bad exit node was actually rewriting the addresses on the pastebin page posted by Nurmi!

...I've also seen exits [1] rewriting onion addresses found on clearnet.

[1] Like the ****** behind this piece of **** is doing to that pastebin url... Arag0n 185.77.129.189 dc914d754b27e1a0f196330bec599bc9d640f30c

The thread closed with Roger Dingledine, one of the original Tor developers, reporting that the bad exit node discovered by garpamp has now been given the BadExit flag which should prevent it from acting as an exit node.

The battle to shut down bad exit nodes is ongoing.

We don’t know who is behind the fake sites, who is behind the exit nodes rewriting real addresses for fake ones or why they’re doing it, but there is no shortage of suspects.

The Dark Web is an online safe haven for dissidents, journalists and champions of free speech but it is also a small and highly concentrated den of the very worst criminality.

So, not only is there an abundance of thieves on the Dark Web, and no honour amongst them, there is no shortage of government hackers or undercover agents either.

16 Comments

it’s a shame (of the state of the world governments) that journalists and free speech’ers have to hide with the worst of the criminals to keep alive.

At least they have a place to hide now. Granted, there’s plenty of room for improvement but I don’t think there has ever been a time of completely benign governments and there are fewer kings and despots just making up the law as they go along and killing and terrorising peasants these days.

And don’t forget that it was a government, the one elected by the people of the USA, that invented both the internet and Tor. Without them there wouldn’t be a place to hide.

The USA is far from the government it was 50 years ago. It is just a puppet for corporate interest, and has been since the ’70s. Yes they do just make up laws as they go along and kill and terrorize people, all over the world. People don’t get to elect, we are given a choice of two puppets and told it’s a choice, while both are working for the same scum – koke, serois etc. Not like it’s a secret.

I understand the point you’re making but I think it’s too easy to see a golden age that’s never existed.

50 years ago the US government was ramping up its forces to support a Vietnamese military dictatorship (following the highly dubious, possibly entirely faked, gulf of Tonkin incident).

It wasn’t long before then that it had failed in its attempt to invade Cuba. Just prior to that it had overthrown democratically elected governments in Iran and Guatemala.

The US government didn’t invent the internet (not bright enough, now and then). The US military did, contracting some bright guys at Stanford and UCLA to develop Arpanet for military communications. Then this insignificant Brit invented the web.

If we’re defining the US government that narrowly then ‘the government’ aren’t conducting dragnet spying either.

US tax payer dollars, collected and doled out by parts of the US government apparatus, asked and paid for PRISM, XKeyscore, Arpanet and Tor amongst many other things.

It’s neither a saint nor a one eyed monster, it’s a much, much more complex beast than that.

I think that “government” in Mark’s context is an unexceptionable synonym for “the public service” (i.e. not the private sector), and that the armed forces are indisputably part of the public service. Wouldn’t you say?

I spent about 10 minutes trying to get into the CAPTCHA-protected Pastebin site (from TOR). NOTE TO DEVELOPERS: don’t make CAPTCHA so unreadable that, well, it can’t be read by a real human.

Old news. The Not Evil Hidden Service search engine solved this by having sites tagged with “Official Site” if they are known to be the original site.

Based on the linked Pastebin, I made an HTTPS Everywhere User Ruleset that redirects known-fake onions to the corresponding known-real ones: http://pastebin.com/Dmeqpun5

Between this and the exit nodes, I think it can be said that TOR is now totally unsafe for whistleblowers and political dissidents or anyone who expects security and privacy. It has been undermined by the same people who created it — US spy agencies — and criminals. Sometimes one and the same.

Exit nodes have been untrustworthy from day one because they can be operated by anyone. There is an on-going effort to keep them clean and you can lessen your exposure considerably by using Tor and HTTPS but it is a fact of life.

Similarly, if you follow the linked thread to the Tor-Talk archive, you’ll see that these kinds of “boobytrap” sites are not considered new either, just recently a little more sophisticated than in the past perhaps.

All of which is to say that Tor is a piece of software like any other and that it should only ever be one layer in a strategy of defence in depth.
