Date: Mon, 29 Jun 2015 12:05:44 -0700
Message-ID: <CAJ8LpWqVzXccyfvL=S5eGC1sbmuUp-4BOe6zviYFS=2fs5JBzQ@mail.gmail.com>
From: "Nurmi, Juha" <juha.nurmi@ahmia.fi>
To: tor-talk@lists.torproject.org
Subject: [tor-talk] Warning: 255 fake and booby trapped onion sites

Hi,

I noticed a while ago that there is a clone onion site for Ahmia. Now I
realized that someone has actually generated similar onion domains for all
popular onion sites and is rewriting some of the content.

For instance,

REAL Ahmia: http://msydqstlz2kzerdg.onion/search/?q=duckduckgo
FAKE Ahmia: http://msydqjihosw2fsu3.onion/search/?q=duckduckgo

Look carefully and notice the difference:

REAL DDG: http://3g2upl4pq6kufc4m.onion/
FAKE DDG: http://3g2up5afx6n5miu4.onion/

It seems that the situation is this: the unknown attacker tries to direct
users to these fake sites. The attacker is running multiple onion addresses
similar to the popular onion addresses. These sites actually work as a
transparent proxy to the real sites. However, the attacker acts as a MITM and
rewrites some content. It is possible that the attacker is gathering
information, including user names and passwords.

I did some data mining and comparison with Ahmia.fi, and it seems that
there are at least 255 fake mirror sites. See the list:
http://pastebin.com/iHPwhCeH

Greetings,
Juha
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
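The two address pairs in the post show the attacker's technique: a v2 onion address is the base32 encoding of the first 80 bits of the SHA-1 hash of the service's RSA public key (16 characters from the alphabet a-z2-7), so anyone can brute-force keys until the first few characters match a target, and then proxy the real site behind the lookalike. The block below is an added example (not code from the post, from Ahmia or from the Tor Project) showing the two checks a practitioner would want: a lookalike scan that flags crawled addresses sharing a long prefix with a known-good address, with the attacker's expected work factor for that prefix length, and a link-rewrite check that diffs the onion hosts in a page served by the real site against the copy served through the proxy. The trusted list, the crawled list beyond the four addresses quoted in the post, the two HTML snippets and the threshold of 4 shared characters are all constructed for the example.

```python
import re

# Constructed sample data. The real/fake pairs are the ones quoted in the post;
# the remaining addresses and the HTML are made up for this example.
TRUSTED = {
    "ahmia": "msydqstlz2kzerdg.onion",
    "duckduckgo": "3g2upl4pq6kufc4m.onion",
}

CRAWLED = [
    "msydqstlz2kzerdg.onion",   # the real Ahmia address (must not be flagged)
    "msydqjihosw2fsu3.onion",   # fake Ahmia from the post
    "3g2up5afx6n5miu4.onion",   # fake DuckDuckGo from the post
    "zzzzzzzzzzzzzzzz.onion",   # constructed: unrelated, shares no prefix
    "MSYDQSTLZ2KZERDG.ONION",   # constructed: real address, different case
    "not-an-onion.example",     # constructed: invalid, must be rejected
]

# v2 onion: exactly 16 base32 characters (RFC 4648 lower-case alphabet).
V2_ONION = re.compile(r"^[a-z2-7]{16}\.onion$")
ONION_HOST = re.compile(r"\b([a-z2-7]{16})\.onion\b")


def normalize(addr):
    """Lower-case and trim; return None if this is not a well-formed v2 onion."""
    addr = addr.strip().lower()
    return addr if V2_ONION.match(addr) else None


def common_prefix_len(a, b):
    """Number of leading characters two strings share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def brute_force_work(prefix_len):
    """Expected RSA key generations to hit a chosen prefix: 32 symbols per position."""
    return 32 ** prefix_len


def find_lookalikes(crawled, trusted, min_prefix=4):
    """Return (crawled_addr, trusted_name, shared_prefix_len) for every crawled
    address that matches a trusted address on at least min_prefix leading
    characters but is not identical to it. With N trusted sites, a random
    address collides on 4 characters with probability N / 32**4, so hits at
    this threshold are almost never accidental."""
    hits = []
    for raw in crawled:
        addr = normalize(raw)
        if addr is None:          # skip anything that is not a v2 onion
            continue
        for name, real in trusted.items():
            if addr == real:      # the genuine site, not a clone
                continue
            shared = common_prefix_len(addr[:16], real[:16])
            if shared >= min_prefix:
                hits.append((addr, name, shared))
    return hits


def rewritten_onion_links(original_html, proxied_html):
    """Compare onion hosts referenced by the real page and by the proxied copy,
    in document order, and return (original, replacement) pairs the proxy swapped.
    Assumes the proxy rewrites links in place and does not add or drop any."""
    orig = ONION_HOST.findall(original_html.lower())
    prox = ONION_HOST.findall(proxied_html.lower())
    return [(o, p) for o, p in zip(orig, prox) if o != p]


# Constructed pages: what the real Ahmia result page links to, and what the
# proxied copy hands back with the DuckDuckGo link pointed at the clone.
REAL_PAGE = ('<a href="http://3g2upl4pq6kufc4m.onion/">DuckDuckGo</a> '
             '<a href="http://msydqstlz2kzerdg.onion/">Ahmia</a>')
PROXIED_PAGE = ('<a href="http://3g2up5afx6n5miu4.onion/">DuckDuckGo</a> '
                '<a href="http://msydqstlz2kzerdg.onion/">Ahmia</a>')


if __name__ == "__main__":
    for addr, name, shared in find_lookalikes(CRAWLED, TRUSTED):
        print(f"{addr} looks like {name}: {shared} shared chars, "
              f"~{brute_force_work(shared):,} keygens to forge")
    for o, p in rewritten_onion_links(REAL_PAGE, PROXIED_PAGE):
        print(f"proxy rewrote {o}.onion -> {p}.onion")
```

Both fake addresses in the post share exactly their first five characters with the genuine ones, which is the work factor a single machine can afford: about 32^5, or 33 million, RSA key generations per target, which is why the attacker could clone hundreds of sites rather than one. The link check is the complement of the address check: once a user lands on one clone, the rewritten links keep every onward hop inside the attacker's proxy.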

