Date: Tue, 26 Jan 2016 14:10:09 +0200
Message-ID: <CAJ8LpWoo0nQ+KJT22xqDgKhk72jD-P43vAA17_sWz6idbTw2FQ@mail.gmail.com>
From: "Nurmi, Juha" <juha.nurmi@ahmia.fi>
To: tor-talk@lists.torproject.org
Subject: [tor-talk] Warning: 37 new booby trapped onion sites
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>

Hello Tor community,

In June I warned Tor users about the presence of hundreds of fake and
booby-trapped .onion websites [1].

Someone runs a fake site at an address similar to the original one and tries
to fool people with it. The sites look like the originals.

These sites actually work as a transparent proxy to the real sites. In
addition, the attacker acts as a MITM and rewrites some content. It is
possible that the attacker is gathering information, including user names
and passwords.

My search engine, Ahmia.fi, filtered out these fake sites. In response, the
attacker eventually deleted the old fake sites and started generating new
ones.

See, for instance, my own search engine Ahmia and a new fake version of it:

https://ahmia.fi/static/fake_ahmia.png

I filtered them again. This way I am protecting Tor users.

Be careful: it is hard to distinguish the real sites from the fake ones.
Make sure you are using the real ones!

So far I have found 37 new domains belonging to the attacker. See the list below.

Peace,
Juha

[1] https://lists.torproject.org/pipermail/tor-talk/2015-June/038295.html

REAL: http://25cs4ammearqrw4e.onion/
FAKE: http://pythonmkwmxhozin.onion/
REAL: http://2kka4f23pcxgqkpv.onion/
FAKE: http://euroguns4c7rswkh.onion/
REAL: http://54ogum7gwxhtgiya.onion/
FAKE: http://technodowmx53kwg.onion/
REAL: http://abbujjh5vqtq77wg.onion/
FAKE: http://identityw72gv5j6.onion/
REAL: http://acropol4ti6ytzeh.onion/
FAKE: http://acropolzxeerrvsp.onion/
REAL: http://answerstedhctbek.onion/
FAKE: http://answershuhpdxtab.onion/
REAL: http://auutwvpt2zktxwng.onion/
FAKE: http://oniondirw6dno3tb.onion/
REAL: http://bm26rwk32m7u7rec.onion/
FAKE: http://majesticdbvbzbv5.onion/
REAL: http://cryptomktgxdn2zd.onion/
FAKE: http://cryptonwmifsy3ws.onion/
REAL: http://deepdot35wvmeyd5.onion/
FAKE: http://deepdot53faojvzi.onion/
REAL: http://directdal7bourmy.onion/
FAKE: http://linkdirzabianoxp.onion/
REAL: http://dirnxxdraygbifgc.onion/
FAKE: http://dirnxxdemauthipe.onion/
REAL: http://easycoinsayj7p5l.onion/
FAKE: http://easycoincdttveyq.onion/
REAL: http://en35tuzqmn4lofbk.onion/
FAKE: http://fakeidsannnxrk3h.onion/
REAL: http://escobarkz55dlmo3.onion/
FAKE: http://escobarsxo7w6huz.onion/
REAL: http://gerpla4igmngtpgw.onion/
FAKE: http://gerpla4raarp2jwe.onion/
REAL: http://grams7enufi7jmdl.onion/
FAKE: http://grams7qs7lnmmidl.onion/
REAL: http://gunsjf3dxsaf6mwg.onion/
REAL: http://gunsnbmobn7evasc.onion/
FAKE: http://gunsj3xe6iaugsgg.onion/
FAKE: http://gunsnsdlbts2jhdu.onion/
REAL: http://gunsp2oe4irjxwog.onion/
FAKE: http://guns2pqyxlcd7ge5.onion/
REAL: http://hansamkt2rr6nfg3.onion/
FAKE: http://hansamktso6yaelv.onion/
REAL: http://hwikis25cffertqe.onion/
FAKE: http://hwikis27hjxsfpho.onion/
REAL: http://lchudifyeqm4ldjj.onion/
FAKE: http://lchudispi47ay5jj.onion/
REAL: http://mobil7rab6nuf7vx.onion/
FAKE: http://mobileshpc3xcw2u.onion/
REAL: http://msydqstlz2kzerdg.onion/
FAKE: http://ahmiafibdbbagojp.onion/
REAL: http://nucleuspf3izq7o6.onion/
FAKE: http://nucleuseeiya3532.onion/
REAL: http://outfor6jwcztwbpd.onion/
FAKE: http://outfor6nwtntdgpj.onion/
REAL: http://ow24et3tetp6tvmk.onion/
FAKE: http://onionwltue7vuznr.onion/
REAL: http://pfoxkj3p65uyc5pe.onion/
FAKE: http://pfoxkj2sjkqvxgpe.onion/
REAL: http://pwoah7foa6au2pul.onion/
FAKE: http://alphabayy72eux2w.onion/
REAL: http://reloadedudjtjvxr.onion/
FAKE: http://reloadedflayygcf.onion/
REAL: http://shopsat2dotfotbs.onion/
FAKE: http://shopsat4otwvudzl.onion/
REAL: http://tfwdi3izigxllure.onion/
FAKE: http://applestr7kcsyvuf.onion/
REAL: http://tochka3evlj3sxdv.onion/
FAKE: http://tochka3doxdirurf.onion/
REAL: http://torlinkbgs6aabns.onion/
FAKE: http://torlinksb7apugxr.onion/
REAL: http://valhallaxmn3fydu.onion/
FAKE: http://valhalla4qb6qccm.onion/
REAL: http://vendor7zqdpty4oo.onion/
FAKE: http://vendor7eewu66mcc.onion/
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
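A worked example of the lookalike-and-proxy pattern the post describes, added to this archived message; it is not Juha Nurmi's or Ahmia's code. It parses a subset of the REAL/FAKE pairs above (the addresses are copied from the post), measures how many leading characters each clone copies from the genuine v2 address (each shared character is 5 bits the attacker had to brute-force while generating keys, so a long shared prefix is expensive, and a zero-length one usually means the clone carries a brand-name vanity prefix such as ahmiafi... instead), classifies an address a user is about to visit, and shows how a transparent proxy's link rewriting can be spotted by diffing the onion links of the genuine page against the served copy. The two HTML pages, the 4-character suspicion threshold and all function names are constructed for this example.

```python
"""Lookalike .onion detection, added example (not the post author's code).

v2 onion addresses are 16 base32 characters: the first 80 bits of the SHA-1
of the service's RSA key, so every character an attacker matches costs about
5 more bits of brute force when generating candidate keys.
"""
import re
from typing import Dict, List, Tuple

# Bare v2 address, not preceded by another base32 character.
ONION_V2 = re.compile(r"(?<![a-z2-7])([a-z2-7]{16})\.onion")

# Subset of the REAL/FAKE listing from the post (addresses copied from it).
LISTING = """\
REAL: http://msydqstlz2kzerdg.onion/
FAKE: http://ahmiafibdbbagojp.onion/
REAL: http://grams7enufi7jmdl.onion/
FAKE: http://grams7qs7lnmmidl.onion/
REAL: http://gunsjf3dxsaf6mwg.onion/
REAL: http://gunsnbmobn7evasc.onion/
FAKE: http://gunsj3xe6iaugsgg.onion/
FAKE: http://gunsnsdlbts2jhdu.onion/
REAL: http://hansamkt2rr6nfg3.onion/
FAKE: http://hansamktso6yaelv.onion/
"""

# Constructed pages for the example: a genuine link directory and the same
# page as served through a cloning proxy that swaps the outgoing links.
GENUINE_PAGE = """<ul>
<li><a href="http://grams7enufi7jmdl.onion/">Grams</a></li>
<li><a href="http://hansamkt2rr6nfg3.onion/">Hansa</a></li>
<li><a href="http://gunsjf3dxsaf6mwg.onion/">Guns</a></li>
</ul>"""
PROXIED_PAGE = """<ul>
<li><a href="http://grams7qs7lnmmidl.onion/">Grams</a></li>
<li><a href="http://hansamktso6yaelv.onion/">Hansa</a></li>
<li><a href="http://gunsjf3dxsaf6mwg.onion/">Guns</a></li>
</ul>"""


def parse_listing(text: str) -> Tuple[List[str], List[str]]:
    """Split a 'REAL: url' / 'FAKE: url' listing into two bare-address lists."""
    real, fake = [], []
    for line in text.splitlines():
        m = re.match(r"(REAL|FAKE):\s*http://([a-z2-7]{16})\.onion", line.strip())
        if m:
            (real if m.group(1) == "REAL" else fake).append(m.group(2))
    return real, fake


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading characters two addresses share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def closest_real(fake: str, reals: List[str]) -> Tuple[str, int]:
    """Genuine address a clone imitates most closely, with the shared prefix length.

    0 means the clone mimics a brand name rather than the real address.
    """
    best = max(reals, key=lambda r: common_prefix_len(fake, r))
    return best, common_prefix_len(fake, best)


def check_address(user_input: str, reals: List[str], fakes: List[str],
                  min_prefix: int = 4) -> Tuple[str, str]:
    """Classify an address the user is about to visit.

    Verdicts: 'real', 'fake', 'suspicious' (unknown address sharing at least
    min_prefix leading characters with a known genuine site) or 'unknown'.
    min_prefix is an assumed threshold, not something the post specifies.
    """
    m = ONION_V2.search(user_input.lower())
    if not m:
        return "unknown", "not a v2 onion address"
    addr = m.group(1)
    if addr in reals:
        return "real", addr
    if addr in fakes:
        return "fake", addr
    near, k = closest_real(addr, reals)
    if k >= min_prefix:
        return "suspicious", f"shares {k}-char prefix with {near}"
    return "unknown", addr


def substituted_links(genuine_html: str, served_html: str) -> Dict[str, str]:
    """Map each onion link the proxy rewrote to the address it replaced.

    Links are compared in document order, so both inputs are assumed to be the
    same document apart from the rewriting, which is what a transparent proxy
    produces.
    """
    orig = ONION_V2.findall(genuine_html)
    seen = ONION_V2.findall(served_html)
    return {s: o for o, s in zip(orig, seen) if o != s}


def report() -> Dict[str, Tuple[str, int]]:
    """Per-clone summary: which genuine address it imitates and how closely."""
    reals, fakes = parse_listing(LISTING)
    return {f: closest_real(f, reals) for f in fakes}


if __name__ == "__main__":
    for fake, (real, k) in report().items():
        print(f"{fake}.onion imitates {real}.onion (shared prefix: {k} chars)")
    reals, fakes = parse_listing(LISTING)
    print(check_address("http://grams7zzzzzzzzzz.onion/", reals, fakes))
    print(substituted_links(GENUINE_PAGE, PROXIED_PAGE))
```

Run it directly to print the per-clone report. check_address() is the piece a search-engine filter or a local bookmark checker would call; substituted_links() is what an operator who crawls both the genuine site and the suspected clone can use to prove the MITM rewriting, since the clone keeps every link except those pointing at sites the attacker has also cloned.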

