Cloned, booby-trapped Dark Web sites steal bitcoins, login credentials

Someone is cloning .onion sites, and using the clones to intercept user traffic and offer modified content.

“I noticed a while ago that there is a clone onion site for Ahmia,” Juha Nurmi, founder of the Dark Web search engine Ahmia, shared on the Tot-Talk mailing list. “Now I realized that someone is actually generated similar onion domains to all popular onion sites and is re-writing some of the content.”

He dug out 255 fake mirror sites (and provided the list in a paste), but there are possibly more.

“It seems that the situation is this: The unknown attacker tries to direct users to these fake sites,” he explained. “These sites are actually working as a transparent proxy to real sites. However, the attacker works as MITM and rewrites some content. It is possible that the attacker is gathering information, including user names and passwords.”

According to another user, “this has been going on for years.” He (she?) also noticed exits nodes rewriting onion addresses found on clearnet.

Tor Project director Roger Dingledine entered the discussion and added that the bad exit node has now been marked with the BadExit flag, which means that it will no longer be able to act as such.

In the meantime, Nurmi has compared the cloned sites with the legitimate ones, and noticed that the attacker is replacing all the Bitcoin addresses and links. “I don’t see any other difference in any level than this: The transparent proxy is just slightly slower but hard to detect from the real service and the HTTP server headers looks fine,” he says.

Apart from being a way for dissidents and journalists to do their business without being spotted and identified by “the powers that be”, the Dark Web is also a place where criminals sell and buy illegal wares and services and, apparently, where they also get robbed by scammers.

Share this