TOR sites being cloned, insight by Rapid7
After another wave of cloned sites on the TOR network, Rapid7’s security engineering manager, Tod Beardsley, has provided the following insight on what was really going on. He stated:
“Criminals robbing criminals is about as old as crime itself, and it’s an endemic problem with the Dark Web. Unlike the case with robbing criminals in person, there is no immediate risk of violence, and the methods by which one can rob Dark Web criminals are both well established and scale easily.

While TOR hidden services offer a means for strong anonymity for both users and content providers, actually finding anonymous commerce sites can be tricky. Many don’t want to be found by casual users. Of those that do, they need to be listed on a registry or findable by a TOR-based search engine. There are only a handful of these indexers, so compromising or cloning just one can permanently poison a user’s experience of the rest of the Dark Web.

In addition, there aren’t all that many Dark Web sites to target to begin with. Ahmia.fi, one of the more popular indexers, has less than five thousand sites indexed. Compare that to the millions of online storefronts on the regular World Wide Web, and the job of impersonating a sizable fraction of the entire “semi-public” Dark Web commerce space looks positively easy.

The problem of cloning sites isn’t new. During Operation Onymous, which took down Silk Road 2.0 in November of 2014, it came to light that most of the sites affected by this international law enforcement effort were, themselves, cloned sites. Most of these cloned sites were created with Onion Cloner, a tool that makes it easy to impersonate TOR sites and redirect passwords and Bitcoin.

Cloned sites are also difficult to detect. While many TOR hidden services offer the same level of cryptography as their clear web counterparts, there is not yet a reasonable mechanism for validating certificates. There is no Dark Web-centric central certificate authority, since the whole point of TOR is an anonymous, decentralised infrastructure. As a result, the common use case for certificates is a self-signed certificate. Self-signed certs raise all kinds of warnings in normal browsing, but not so on the Dark Web, since it’s the way things just are over there.

Given all this, it’s not surprising in the slightest that we’re seeing another wave of cloned sites on the TOR network. It’s a well-known attack technique, the target space is small, the risk of getting caught is negligible, and the victims are unlikely to pursue legal action.”