Tor-to-Web Proxy Caught Replacing Bitcoin Addresses
From:
Sun, 19 Aug 2018 12:31 UTC
Never trust a proxy to i2p or tor. It's too easy to modify content and you're not in any way anonymous. You're no more anonymous than on the plain old internet.
The article talks about stealing from criminals, but the idea is the same. Why trust a mitm with your data at all?
Tor-to-Web Proxy Caught Replacing Bitcoin Addresses on Ransomware Payment Sites
By Catalin Cimpanu
The operators of at least one Tor proxy service were recently caught replacing Bitcoin addresses on ransomware ransom payment sites, diverting funds meant to pay for ransomware decrypters to the site's operators.
A "Tor proxy service" is a website that allows users to access .onion domains hosted on the Tor network without needing to install the Tor Browser.
Users can append a domain extension like .top, .cab, .to at the end of any Tor URL and access it inside their regular browsers such as Firefox, Chrome, Vivaldi, Edge, and others.
For example, users can type in nytimes3xbfgragh.onion.to and access the New York Times' Dark Web portal without installing the Tor Browser.
During the past two years, such services have become extremely popular, and especially popular with ransomware authors.
Ransomware often includes ransom notes that list the payment portal's Tor URL, but also alternative URLs for various Tor-to-web proxies, in case non-technical users find it hard to install the Tor Browser.
Onion.top proxy service caught replacing wallet addresses
But researchers from US cyber-security firm Proofpoint say that they've caught one of these Tor proxies stealing from both ransomware authors and ransomware victims alike.
According to researchers, the operators of the Onion.top Tor-to-web proxy service are secretly parsing Dark Web pages loaded via their portal for strings that look like Bitcoin wallet addresses and replacing them with one of their own.
Proofpoint says it noticed the Bitcoin address swap behavior on the ransom payment portals for three ransomware families: LockeR, Sigma, and GlobeImposter.
In fact, researchers say they've noticed the behavior because of a warning message posted on the LockeR payment site by the LockeR authors.
"Do NOT use onion.top, they are replacing the bitcoin address with their own and stealing bitcoins," the message reads. "To be sure you're paying to the correct address, use Tor Browser."
[Image: LockeR ransom payment site warning against Onion.top URLs]
An older image of the ransom payment portal from October 2017 does not include this message, meaning even the LockeR crew only recently became aware of the issue.
Onion.top stole $22K from ransomware authors & victims
During experiments carried out by Proofpoint, researchers spotted different Bitcoin wallet address "replacement rules" based on the page the user was accessing, suggesting Onion.top operators are configuring these swaps manually, on a per-site basis.
Proofpoint identified two Bitcoin wallet addresses operated by the Onion.top team, both holding no more than 2 Bitcoin ($22,000), suggesting proxy operators weren't that successful in their attacks, the replacement rules aren't always active, or the service isn't that popular to begin with.
Ransomware authors are fighting back
Either way, Proofpoint says ransomware operators took notice of Onion.to's actions and have started taking precautionary measures against all Tor-to-web proxy services.
The most obvious change is that many have stopped providing Tor proxy links and are now listing only the pure Tor .onion URL in their ransom notes, recommending that users access the payment site only via the Tor Browser alone.
Other ransomware authors have altered their Dark Web-hosted ransom payment sites. For example, the operators of the MagniBer ransomware now split the Bitcoin address shown to each victim on their payment site across different HTML tags.
[Image: Magniber splitting Bitcoin wallet addresses]
This makes it harder for malicious Tor proxies to detect the Bitcoin address pattern, but it's not a reliable protection measure. In case users reach the desperate conclusion that they need to pay the ransom, to avoid losing their funds to malicious Tor-to-web proxies, it is recommended they access the link directly in the Tor Browser.
But the best way to avoid ransomware infections is to avoid opening suspicious files received from unknown persons, or keeping regular backups of important (or all) files.
An earlier version of this article referenced Onion.to instead of Onion.top (in three sentences) as the Tor proxy that is replacing Bitcoin addresses. Bleeping Computer regrets the error and confusion it caused among some readers.
Posted on Rocksolid Light.
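The address-swapping behaviour the article describes can be checked for from the defender's side by comparing two copies of the same page. The following Python is an added example, not code from the article, from Proofpoint or from any proxy operator: it extracts Base58Check-validated legacy Bitcoin addresses from a copy of a page fetched directly in the Tor Browser and a copy fetched through a Tor-to-web proxy, and reports any that differ. The sample pages and the proxied address are constructed for the example; bech32 ("bc1...") addresses are out of scope.

```python
import hashlib
import re
from itertools import zip_longest

# Legacy (Base58Check) Bitcoin addresses: P2PKH start with "1", P2SH with "3".
# The character class excludes 0, O, I and l, which Base58 never uses.
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

def _b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + _B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading "1" in Base58 encodes one leading zero byte.
    zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * zeros + body

def is_valid_btc_address(s: str) -> bool:
    """True if s decodes to version byte + 20-byte hash + a correct 4-byte checksum."""
    if not _CANDIDATE.fullmatch(s):
        return False
    raw = _b58decode(s)
    if len(raw) != 25:
        return False
    checksum = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return checksum == raw[21:]

def find_btc_addresses(html: str) -> list[str]:
    """Checksum-validated addresses in document order; look-alike strings are dropped."""
    return [m.group(0) for m in _CANDIDATE.finditer(html) if is_valid_btc_address(m.group(0))]

def detect_swaps(reference_html: str, proxied_html: str) -> list[tuple[str, str]]:
    """Pair the addresses seen via a direct fetch with those seen via the proxy.
    Returns (expected, observed) pairs that differ; an empty list means no substitution."""
    pairs = zip_longest(find_btc_addresses(reference_html), find_btc_addresses(proxied_html), fillvalue="<missing>")
    return [(a, b) for a, b in pairs if a != b]

# Constructed sample pages (not real ransomware content). The reference carries the
# genesis-block address; the "proxied" copy carries a different valid address plus a
# look-alike string with a broken checksum that the scanner must ignore.
REFERENCE_PAGE = "<p>Send 0.5 BTC to <b>1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa</b></p>"
PROXIED_PAGE = ("<p>Send 0.5 BTC to <b>1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2</b></p>"
                "<!-- 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb -->")

if __name__ == "__main__":
    for expected, observed in detect_swaps(REFERENCE_PAGE, PROXIED_PAGE):
        print("address swapped: expected %s, proxy showed %s" % (expected, observed))
```

Because the check validates the Base58 checksum, a proxy cannot defeat it by leaving a plausible-looking but unspendable string in place; an address split across several HTML tags, as Magniber now does, simply does not match and would surface as "<missing>" on one side.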
Re: Tor-to-Web Proxy Caught Replacing Bitcoin Addresses
From: trw
Newsgroups:
Sun, 19 Aug 2018 13:10 UTC
i like that approach, has real potential...
but seriously, it is a clear warning against any proxy to the darknets. who knows what other information they grab and/or alter in between?
thanks for posting this.
Posted on: def3.i2p