[tor-talk] Warning: 255 fake and booby trapped onion sites
Nurmi, Juha
juha.nurmi at ahmia.fi
Mon Jun 29 19:05:44 UTC 2015
Hi,
I noticed a while ago that there is a clone onion site for Ahmia. Now I
realized that someone has actually generated similar onion domains to all
popular onion sites and is re-writing some of the content.
For instance,
REAL Ahmia: http://msydqstlz2kzerdg.onion/search/?q=duckduckgo
FAKE Ahmia: http://msydqjihosw2fsu3.onion/search/?q=duckduckgo
Look carefully and notice the difference:
REAL DDG: http://3g2upl4pq6kufc4m.onion/
FAKE DDG: http://3g2up5afx6n5miu4.onion/
It seems that the situation is this: The unknown attacker tries to direct
users to these fake sites. The attacker is running multiple onion addresses
similar to the popular onion addresses. These sites are actually working as
a transparent proxy to real sites. However, the attacker works as MITM and
rewrites some content. It is possible that the attacker is gathering
information, including user names and passwords.
I did some data mining and comparison with Ahmia.fi and it seems that
there are at least 255 fake mirror sites. See the list:
http://pastebin.com/iHPwhCeH
Greetings,
Juha
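
Added example, not part of the original post or of Ahmia's code: a small checker that flags onion addresses sharing a leading prefix with a known-good address, which is the pattern visible in the REAL/FAKE pairs above. The two known-good labels come from the post; the function names, the 5-character threshold and the all-`a` test address are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# v2 onion label: 16 base32 characters (a-z, 2-7), as in the addresses in the post.
ONION_V2 = re.compile(r"^[a-z2-7]{16}$")

# Addresses the post identifies as real.
KNOWN_GOOD = {
    "msydqstlz2kzerdg": "Ahmia",
    "3g2upl4pq6kufc4m": "DuckDuckGo",
}

MIN_PREFIX = 5  # assumption: shared leading characters needed to call it a lookalike


def onion_label(url):
    """Return the 16-character onion label from a URL or bare hostname, or None."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    if not host.endswith(".onion"):
        return None
    label = host[:-len(".onion")].split(".")[-1]  # ignore any subdomain part
    return label if ONION_V2.match(label) else None


def shared_prefix(a, b):
    """Number of leading characters that a and b have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def classify(url, known=KNOWN_GOOD, min_prefix=MIN_PREFIX):
    """Return (verdict, site): known, lookalike, unknown or invalid."""
    label = onion_label(url)
    if label is None:
        return ("invalid", None)
    if label in known:
        return ("known", known[label])
    best = max(known, key=lambda k: shared_prefix(label, k))
    if shared_prefix(label, best) >= min_prefix:
        return ("lookalike", known[best])
    return ("unknown", None)


if __name__ == "__main__":
    for u in ("http://msydqstlz2kzerdg.onion/search/?q=duckduckgo",
              "http://msydqjihosw2fsu3.onion/search/?q=duckduckgo",
              "http://3g2up5afx6n5miu4.onion/"):
        print(u, classify(u))
```

A "lookalike" verdict only means the address resembles a known one; an exact match against a bookmarked or otherwise verified address is the check that matters.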