[tor-talk] Warning: 255 fake and booby trapped onion sites

Nurmi, Juha juha.nurmi at ahmia.fi
Wed Jul 1 20:20:50 UTC 2015


Short update about the fake onion address attack:

- Again, this is not a new phenomenon but it is on a larger scale: there is one
attacker or a group of attackers who run about 300 fake onion sites.

- The attacker has automated the fake site production. These sites came
online at about the same time.

- Comparison can be done easily at the moment: because the attacker is
re-writing links on multiple onion directory sites we can compare the real
directory site and the fake directory site. The changed links point to fake
sites.

- The first 5 letters are the same between fake onion and real onion addresses.
So, if the real site is ABCDEfg123456789.onion the fake one is
ABCDEsomething12.onion. It is easy to get an onion address where the first 5
letters are just as you want them to be.

- The fake site acts as a transparent proxy for the real site: it is
downloading the content from the real site and, after some re-writing, showing
it to the user who is visiting the site. We can sometimes see the Polipo
HTTP proxy error on fake sites.

- The attacker is re-writing some content, including bitcoin addresses and
links to point to fake sites.

- The attacker is gathering bitcoin money by spoofing those bitcoin
addresses.

- It is possible and even very likely that the attacker is gathering login
credentials if you use the fake site instead of the real one.

Greetings,
Juha
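
The comparison described in the post (real directory listing versus the proxied copy, with rewritten links sharing the first 5 letters of the real address and swapped bitcoin addresses) can be automated. The script below is an added example for this archive page, not code from Juha's post or from ahmia.fi. It assumes 16-character (v2) onion addresses like the ABCDEfg123456789.onion example in the post, a 5-character shared prefix, and two constructed HTML snippets standing in for a trusted directory page and a suspect copy of it; the addresses in them are made up for the demonstration.

```python
import re
from dataclasses import dataclass

# 16-char v2 onion addresses (base32 alphabet), as in the post's example.
ONION_RE = re.compile(r"\b([a-z2-7]{16})\.onion\b")
# Legacy bitcoin addresses: base58, no 0/O/I/l, 26-35 chars.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# Length of the prefix the attacker matches (assumption from the post: 5).
PREFIX_LEN = 5


@dataclass(frozen=True)
class Lookalike:
    real: str   # address from the trusted listing
    fake: str   # address from the suspect copy sharing its prefix


def extract_onions(text: str) -> list[str]:
    """Return the distinct onion addresses (without .onion) found in text."""
    return sorted(set(ONION_RE.findall(text)))


def extract_btc(text: str) -> list[str]:
    """Return the distinct bitcoin addresses found in text."""
    return sorted(set(BTC_RE.findall(text)))


def find_lookalikes(real_onions, observed_onions, prefix_len=PREFIX_LEN):
    """Flag observed addresses that are not in the trusted set but share
    the first prefix_len characters with a trusted address."""
    real = set(real_onions)
    by_prefix: dict[str, list[str]] = {}
    for r in real:
        by_prefix.setdefault(r[:prefix_len], []).append(r)
    hits = []
    for o in observed_onions:
        if o in real:
            continue  # identical link, nothing rewritten
        for r in by_prefix.get(o[:prefix_len], []):
            hits.append(Lookalike(real=r, fake=o))
    return sorted(hits, key=lambda h: (h.real, h.fake))


def compare_directory_copies(real_html: str, suspect_html: str) -> dict:
    """Diff a trusted directory page against a suspected proxied copy:
    report prefix-matching link rewrites and swapped bitcoin addresses."""
    real_btc, suspect_btc = set(extract_btc(real_html)), set(extract_btc(suspect_html))
    return {
        "lookalike_onions": find_lookalikes(
            extract_onions(real_html), extract_onions(suspect_html)
        ),
        "swapped_btc": {
            "missing": sorted(real_btc - suspect_btc),   # real address removed
            "added": sorted(suspect_btc - real_btc),     # attacker's address inserted
        },
    }


# Constructed sample: a trusted listing and a copy served through the fake proxy.
REAL_DIRECTORY = """
<ul>
<li><a href="http://abcdefghijklmnop.onion/">Example market</a></li>
<li><a href="http://qrstuv234567abcd.onion/">Example forum</a></li>
<li><a href="http://samesame23456723.onion/">Untouched listing</a></li>
</ul>
<p>Donate: 1Examp1eRea1Addr23456789abcdefgh</p>
"""

SUSPECT_DIRECTORY = """
<ul>
<li><a href="http://abcdezzzzzzzzzzz.onion/">Example market</a></li>
<li><a href="http://qrstuvxyz2345672.onion/">Example forum</a></li>
<li><a href="http://samesame23456723.onion/">Untouched listing</a></li>
</ul>
<p>Donate: 1Examp1eFakeAddr23456789abcdefgh</p>
"""

if __name__ == "__main__":
    report = compare_directory_copies(REAL_DIRECTORY, SUSPECT_DIRECTORY)
    for hit in report["lookalike_onions"]:
        print(f"rewritten link: {hit.real}.onion -> {hit.fake}.onion")
    print("bitcoin addresses swapped:", report["swapped_btc"])
```

Run against a directory page you trust and a copy fetched through the suspect address, the report lists every link whose first 5 characters match a known site but whose remainder differs, which is exactly the rewrite pattern the post describes; a donation address that vanishes from the copy while a new one appears is the bitcoin spoof. The prefix check is the useful part for end users too: a bookmark or a directory entry you have verified once is the only reliable way to tell ABCDEfg123456789.onion from ABCDEsomething12.onion.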
