In-Reply-To: <CAD2Ti28sxApMDXNGeaZ9CnoHd_Hj0xmwCSPnDEcb_xO7Xdb6FQ@mail.gmail.com>
Date: Wed, 1 Jul 2015 13:20:50 -0700
Message-ID: <CAJ8LpWpnEuymnorSYCwvPaR9RKp7OAviwuaW9eSgH3et=nBX+A@mail.gmail.com>
From: "Nurmi, Juha" <juha.nurmi@ahmia.fi>
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Warning: 255 fake and booby trapped onion sites

Short update about the fake onion address attack:

- Again, this is not a new phenomenon, but it is on a larger scale: there is
one attacker or a group of attackers who run about 300 fake onion sites.

- The attacker has automated the fake site production. These sites came
online at about the same time.

- Comparison can be done easily at the moment: because the attacker is
re-writing links on multiple onion directory sites, we can compare the real
directory site and the fake directory site. The changed links point to fake
sites.

- The first 5 letters are the same between fake and real onion addresses.
So, if the real site is ABCDEfg123456789.onion, the fake one is
ABCDEsomething12.onion. It is easy to get an onion address where the first 5
letters are just as you want them to be.

- The fake site acts as a transparent proxy for the real site: it is
downloading the content from the real site and, after some re-writing, showing
it to the user who is visiting the site. We can sometimes see the Polipo
HTTP proxy error on fake sites.

- The attacker is re-writing some content, including bitcoin addresses and
links, to point to fake sites.

- The attacker is gathering bitcoin money by spoofing those bitcoin
addresses.

- It is possible and even very likely that the attacker is gathering login
credentials if you use the fake site instead of the real one.

Greetings,
Juha
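A defender-side check for the pattern described in the mail, added here as an example and not part of the original thread: it flags onion addresses that share only a 5-character prefix with a trusted address, and diffs the onion links and bitcoin addresses between the real page and the copy served through a suspected proxy. All addresses and page snippets below are constructed; the real/fake pairing, prefix length and address formats are assumptions for the example.

```python
"""Flag look-alike onion addresses and content rewrites (constructed sample data)."""
import re

# 16-character base32 onion addresses, as used at the time of the mail.
ONION_RE = re.compile(r"\b([a-z2-7]{16})\.onion\b")
# Legacy base58 bitcoin address shape (no 0, O, I or l); values below are made up.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
PREFIX_LEN = 5  # the attacker only matches the first 5 characters

# Constructed: addresses a directory operator already knows to be genuine.
TRUSTED = {"abcdemarketxyz23", "forumzzzzz234567"}

# Constructed: the same listing as served by the real site and by the proxy.
REAL_PAGE = """<a href="http://abcdemarketxyz23.onion/">Market</a>
<a href="http://forumzzzzz234567.onion/">Forum</a>
<a href="http://qwertyuiop234567.onion/">Unrelated link</a>
Donate: 1ConstructedReaLAddrAAAAAA"""
FAKE_PAGE = """<a href="http://abcdeq7hgvkl2m3n.onion/">Market</a>
<a href="http://forumzzzzz234567.onion/">Forum</a>
<a href="http://qwertyuiop234567.onion/">Unrelated link</a>
Donate: 1ConstructedFakeAddrBBBBBB"""


def find_lookalikes(text, trusted):
    """Map each untrusted onion address in text that shares a 5-char prefix
    with a trusted address to the trusted address it imitates."""
    by_prefix = {}
    for addr in trusted:
        by_prefix.setdefault(addr[:PREFIX_LEN], []).append(addr)
    suspects = {}
    for addr in set(ONION_RE.findall(text)):
        if addr in trusted:
            continue  # an exact known address is never a look-alike
        for real in by_prefix.get(addr[:PREFIX_LEN], []):
            suspects[addr] = real
    return suspects


def diff_rewrites(real_page, proxied_page):
    """Report onion addresses and bitcoin addresses that differ between the
    real page and the copy served through the suspected proxy."""
    changes = {}
    for label, pat in (("onion", ONION_RE), ("bitcoin", BTC_RE)):
        real, fake = set(pat.findall(real_page)), set(pat.findall(proxied_page))
        changes[label] = {"removed": sorted(real - fake), "added": sorted(fake - real)}
    return changes


if __name__ == "__main__":
    print(find_lookalikes(FAKE_PAGE, TRUSTED))
    print(diff_rewrites(REAL_PAGE, FAKE_PAGE))
```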