[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Warning: 255 fake and booby trapped onion sites

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-talk] Warning: 255 fake and booby trapped onion sites
From: "Nurmi, Juha" <juha.nurmi@xxxxxxxx>
Date: Mon, 29 Jun 2015 12:05:44 -0700
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 29 Jun 2015 15:05:58 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

Hi,

I noticed a while ago that there is a clone onion site for Ahmia. Now I
realized that someone is actually generated similar onion domains to all
popular onion sites and is re-writing some of the content.

For instance,

REAL Ahmia: http://msydqstlz2kzerdg.onion/search/?q=duckduckgo
FAKE Ahmia: http://msydqjihosw2fsu3.onion/search/?q=duckduckgo

Look carefully and notice the difference:

REAL DDG: http://3g2upl4pq6kufc4m.onion/
FAKE DDG: http://3g2up5afx6n5miu4.onion/

It seems that the situation is this: The unknown attacker tries to direct
users to these fake sites. The attacker is running multiple onion addresses
similar to the popular onion addresses. These sites are actually working as
a transparent proxy to real sites. However, the attacker works as MITM and
rewrites some content. It is possible that the attacker is gathering
information, including user names and passwords.

I did some data mining and comparison with Ahmia.fi and seems to be that
there are at least 255 fake mirror sites. See the list
http://pastebin.com/iHPwhCeH

Greetings,
Juha
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Warning: 255 fake and booby trapped onion sites
  - From: grarpamp

Prev by Author: Re: [tor-talk] TorBirdy and Gmail (continuation)
Next by Author: Re: [tor-talk] Warning: 255 fake and booby trapped onion sites
Previous by thread: Re: [tor-talk] Tor shirt
Next by thread: Re: [tor-talk] Warning: 255 fake and booby trapped onion sites
Index(es):
- Author
- Thread