Heart of Darkness: Mass of clone scam sites appear

TOR’s anonymity is just what crims who want to rob crims need

Security watchers are warning about a fresh wave of cloned sites on the TOR network, evidence that cybercrooks are setting themselves up to fleece other ne'er-do-wells on the so-called dark web.

The latest attack of the clones marks the reappearance of an issue that has cropped up before. For example, during Operation Onymous, the exercise that took down Silk Road 2.0 in November 2014, it emerged that most of the sites affected by this international law enforcement effort were, themselves, cloned sites.

Most of these cloned sites were created with Onion Cloner, a tool that makes it easy to impersonate TOR sites and redirect passwords and Bitcoin.

Rapid7’s security engineering manager, Tod Beardsley, said the potential for cloning is greater on the dark web than the regular internet for architectural reasons.

"Criminals robbing criminals is about as old as crime itself, and it's an endemic problem with the dark web,” Beardsley explained. “Unlike the case with robbing criminals in person, there is no immediate risk of violence, and the methods by which one can rob Dark Web criminals are both well established and scale easily.”

“While TOR hidden services offer a means for strong anonymity for both users and content providers, actually finding anonymous commerce sites can be tricky," he added.

"Many don't want to be found by casual users. Of those that do, they need to be listed on a registry or findable by a TOR-based search engine. There are only a handful of these indexers, so compromising or cloning just one can permanently poison a user's experience of the rest of the dark web,” he said.

There are fewer dark web sites in any case. Ahmia.fi, one of the more popular indexers, has fewer than five thousand sites indexed, compared with millions of online storefronts on the regular web. “The job of impersonating a sizeable fraction of the entire ‘semi-public’ dark web commerce space looks positively easy," according to Beardsley.

The problem is exacerbated because cloned sites are difficult to distinguish from the “real thing”, not least because there is no dark web equivalent of the digital certificates used to authenticate websites.

“While many TOR hidden services offer the same level of cryptography as their clear web counterparts, there is not yet a reasonable mechanism for validating certificates,” Beardsley said.

“There is no dark web-centric central certificate authority, since the whole point of TOR is an anonymous, decentralised infrastructure. As a result, the common use case for certificates is a self-signed certificate. Self-signed certs raise all kinds of warnings in normal browsing, but not so on the dark web, since it's the way things just are over there,” he concluded.
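Beardsley's point is that nothing vouches for a hidden service the way a CA-signed certificate vouches for a clear-web site. The following is an added example, not code from the article, from Rapid7 or from the ahmia.fi project, and it goes slightly beyond the 2015 situation described above: it uses the v3 onion address format Tor adopted later, in which the address itself is built from the service's ed25519 public key plus a SHA3-256 checksum. That property is what a defender can lean on instead of a CA. A clone cannot reuse a genuine service's address, so pinning the address you verified out of band (a bookmark) and comparing index listings against that pin is the practical substitute for certificate validation. The 32-byte keys below are constructed placeholders, not real services, and the `OnionBookmarks` class and its result labels are this example's own design.

```python
"""Onion v3 address parsing and bookmark pinning (added example, not from the article)."""
import base64
import hashlib
from typing import Dict, Optional, Tuple

# Per Tor's rend-spec-v3: onion_address = base32(PUBKEY | CHECKSUM | VERSION) + ".onion"
# CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2], VERSION = 0x03
ONION_V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def _checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]


def onion_v3_from_pubkey(pubkey: bytes) -> str:
    """Derive the 56-character v3 address from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_v3(address: str) -> Tuple[Optional[bytes], Optional[str]]:
    """Return (pubkey, None) for a well-formed address, else (None, reason)."""
    addr = address.strip().lower()
    if addr.endswith(".onion"):
        addr = addr[: -len(".onion")]
    if len(addr) != 56:
        return None, "wrong length (v3 addresses are 56 base32 chars)"
    try:
        raw = base64.b32decode(addr.upper())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None, "not valid base32"
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != ONION_V3_VERSION:
        return None, "unsupported version byte"
    if checksum != _checksum(pubkey):
        return None, "checksum mismatch (typo or tampered address)"
    return pubkey, None


class OnionBookmarks:
    """Trust-on-first-use store: pin the public key behind each service you verified."""

    def __init__(self) -> None:
        self._pins: Dict[str, bytes] = {}

    def pin(self, name: str, address: str) -> None:
        pubkey, err = parse_onion_v3(address)
        if err:
            raise ValueError(f"refusing to pin {name}: {err}")
        self._pins[name] = pubkey

    def check(self, name: str, address: str) -> str:
        """Classify a listing as 'match', 'clone-or-rotated', 'malformed' or 'unknown'."""
        pubkey, err = parse_onion_v3(address)
        if err:
            return "malformed"
        pinned = self._pins.get(name)
        if pinned is None:
            return "unknown"
        return "match" if pubkey == pinned else "clone-or-rotated"


if __name__ == "__main__":
    # Constructed sample keys (not real services); any 32 bytes stand in for ed25519 keys.
    genuine = onion_v3_from_pubkey(bytes(range(32)))
    clone = onion_v3_from_pubkey(bytes(range(1, 33)))
    book = OnionBookmarks()
    book.pin("example-market", genuine)
    print(genuine, "->", book.check("example-market", genuine))
    print(clone, "->", book.check("example-market", clone))
    # Changing the final character alters the version byte, so the address is rejected outright.
    print(book.check("example-market", genuine[:55] + "a" + genuine[56:]))
```

A listing that comes back as `clone-or-rotated` is exactly the case the article describes: a valid address presented under a name you already trust, but backed by a different key. The check cannot tell a clone from a legitimate key rotation, which is why the service's new address still has to be confirmed out of band before re-pinning.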

Cloned sites on the TOR network represent a well-known attack technique. The target space is small and the risk of getting caught is “negligible” – because victims are unlikely to pursue legal action – so it’s a wonder that the online equivalents of The Wire’s Omar Little are not more commonplace.

The latest wave of scams was discovered by Juha Nurmi, a founding member of the ahmia.fi project.

More commentary on the latest wave of TOR fraud can be found in a post by Mark Stockley on the Sophos Naked Security blog. ®
