Something weird is going on in the hidden area of the internet referred to as the dark web, and no one knows who is behind the odd occurrence.
Earlier this week, on a Tor email list, security researcher Juha Nurmi, founder of the onion search engine Ahmia, wrote that he had noticed some weird websites surfacing among onion sites. Nurmi discovered that fake websites were showing up masquerading as well-known dark web sites.
For some context: onion sites are websites whose addresses end in the suffix “.onion,” which is what designates a ‘dark web website.’ These hidden websites are only accessible through online services like Tor that anonymize web traffic. Nurmi’s service Ahmia is an open-source search engine for people using Tor browsers.
Nurmi first noticed that there was a cloned version of Ahmia out there on the dark web, so he decided to do some digging. In total, he’s found more than 250 “fake mirror sites.”
The people behind this attack are likely trying to scam people who unknowingly click the fake link. Nurmi explained the attack in an email to Business Insider: “Someone runs a fake site on a similar address to the original one and tries to fool people with that.”
The sites look like the original ones, although some content is rewritten, including bitcoin addresses and internal links, which point to the fake website. Nurmi added, “The attacker is gathering bitcoin money by spoofing those bitcoin addresses.”
Also, given that onion sites are usually a garble of letters and numbers, it’s hard to distinguish between the real and the fake site.
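A site operator who keeps a known-good snapshot of their own page can check a suspected mirror for exactly the rewrites described above. The following is an added example, not code from Nurmi or Ahmia: the hostnames, bitcoin addresses and HTML are constructed placeholders, and the 0.9 similarity threshold is an assumption.

```python
import re
from difflib import SequenceMatcher

# v2 (16-char) and v3 (56-char) onion labels use the base32 alphabet a-z2-7.
ONION_RE = re.compile(r"\b((?:[a-z2-7]{56}|[a-z2-7]{16}))\.onion\b")
# Legacy base58 and bech32 address shapes (pattern match only, no checksum check).
BTC_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b")

def skeleton(html):
    """Page text with every onion host and bitcoin address masked out."""
    return BTC_RE.sub("<BTC>", ONION_RE.sub("<ONION>", html))

def compare_to_reference(ref_host, ref_html, cand_host, cand_html):
    """Compare a candidate page against a trusted snapshot of the genuine one."""
    ref_btc = set(BTC_RE.findall(ref_html))
    cand_btc = set(BTC_RE.findall(cand_html))
    # Similarity of everything except the addresses a cloner would rewrite.
    similarity = SequenceMatcher(
        None, skeleton(ref_html), skeleton(cand_html)).ratio()
    report = {
        "same_host": cand_host == ref_host,
        "host_similarity": round(
            SequenceMatcher(None, ref_host, cand_host).ratio(), 2),
        "content_similarity": round(similarity, 2),
        "btc_removed": sorted(ref_btc - cand_btc),
        "btc_added": sorted(cand_btc - ref_btc),
        # Internal links rewritten to point at the candidate host itself.
        "links_to_candidate":
            cand_host.split(".")[0] in ONION_RE.findall(cand_html),
    }
    # Assumed heuristic: same page body on a different host, with payment
    # addresses or internal links changed, is treated as a rewritten clone.
    report["likely_rewritten_clone"] = (
        not report["same_host"] and similarity > 0.9
        and bool(report["btc_added"] or report["links_to_candidate"]))
    return report

# Constructed sample data (not real sites or wallets).
REF_HOST = "examplegenuine22.onion"
FAKE_HOST = "examplegenu7ne22.onion"
REF_HTML = ('<h1>Search</h1><a href="http://examplegenuine22.onion/about">About</a>'
            "<p>Donate: 1GenuineSiteDonationAddr11111111</p>")
FAKE_HTML = (REF_HTML.replace(REF_HOST, FAKE_HOST)
             .replace("1GenuineSiteDonationAddr11111111",
                      "1AttackerSwappedThisAddr1111111"))

if __name__ == "__main__":
    print(compare_to_reference(REF_HOST, REF_HTML, FAKE_HOST, FAKE_HTML))
```

The check only works against a snapshot obtained from the genuine address through a trusted channel; comparing two unverified mirrors says nothing about which one is real.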
The researcher went on to say that it’s very likely the attacker is using these fake websites to gather the login info of people accessing the sites.
These sorts of attacks aren’t novel — in fact, many hackers do just this to normal websites. What’s interesting in this particular case is that the attacker is targeting the dark web specifically and has figured out a way to automate the fake site production. “These sites came on about simultaneously,” Nurmi wrote.
Now Nurmi and others are making sure other Tor users are aware of this new crop of fake sites.