[tor-talk] Warning: 255 fake and booby trapped onion sites

Nurmi, Juha juha.nurmi at ahmia.fi
Mon Jun 29 19:05:44 UTC 2015


I noticed a while ago that there is a clone onion site for Ahmia. Now I
realized that someone has actually generated similar onion domains for all
popular onion sites and is rewriting some of the content.

For instance,

REAL Ahmia: http://msydqstlz2kzerdg.onion/search/?q=duckduckgo
FAKE Ahmia: http://msydqjihosw2fsu3.onion/search/?q=duckduckgo

Look carefully and notice the difference:

REAL DDG: http://3g2upl4pq6kufc4m.onion/
FAKE DDG: http://3g2up5afx6n5miu4.onion/

It seems that the situation is this: The unknown attacker tries to direct
users to these fake sites. The attacker is running multiple onion addresses
similar to the popular onion addresses. These sites are actually working as
a transparent proxy to the real sites. However, the attacker acts as a MITM and
rewrites some content. It is possible that the attacker is gathering
information, including user names and passwords.

I did some data mining and comparison with Ahmia.fi, and it seems that
there are at least 255 fake mirror sites. See the list
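The detection idea implied by the post, written out as an added example (it is not code from the post or from Ahmia): the fakes above share only their first five base32 characters with the real addresses, so a site operator or directory maintainer can flag any observed v2 address that is not a known-good address yet shares an unusually long prefix with one. The known-good and fake addresses are the four quoted in the post; the remaining sample address and the prefix threshold are constructed assumptions.

```python
import re

# Known-good v2 onion addresses quoted in the post.
KNOWN_GOOD = {
    "msydqstlz2kzerdg.onion": "Ahmia",
    "3g2upl4pq6kufc4m.onion": "DuckDuckGo",
}

# v2 addresses are 16 base32 characters (a-z, 2-7) followed by ".onion".
ONION_V2 = re.compile(r"^[a-z2-7]{16}\.onion$")

# Assumption: a random v2 address matches 5 leading characters (25 bits) of a
# given real address with probability 2^-25, so a 5-character match against a
# short known-good list is far more likely vanity generation than coincidence.
MIN_PREFIX = 5


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading characters the two strings share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def classify(address: str, known_good=KNOWN_GOOD, min_prefix=MIN_PREFIX):
    """Return ("genuine", name), ("lookalike", name) or ("unknown", None)."""
    address = address.strip().lower()
    if not ONION_V2.match(address):
        raise ValueError(f"not a v2 onion address: {address!r}")
    if address in known_good:
        return ("genuine", known_good[address])
    best_len, best_name = 0, None
    for real, name in known_good.items():
        n = common_prefix_len(address, real)
        if n >= min_prefix and n > best_len:
            best_len, best_name = n, name
    return ("lookalike", best_name) if best_name else ("unknown", None)


def find_lookalikes(observed, known_good=KNOWN_GOOD):
    """Map each lookalike address to the real site it imitates."""
    return {a: classify(a, known_good)[1] for a in observed
            if classify(a, known_good)[0] == "lookalike"}


# Constructed sample: the two fakes from the post, one real address and one
# unrelated, obviously synthetic address.
OBSERVED = ["msydqjihosw2fsu3.onion", "3g2up5afx6n5miu4.onion",
            "msydqstlz2kzerdg.onion", "exampleaddr22222.onion"]

if __name__ == "__main__":
    for addr in OBSERVED:
        print(addr, classify(addr))
```

A directory such as Ahmia could run this over every address it crawls and hold lookalikes for manual review before listing them.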


