Re: [tor-talk] Warning: 255 fake and booby trapped onion sites

2015-07-01 Thread Nurmi, Juha
Short update about the fake onion address attack: - Again, this is not a new phenomenon but larger scale: there is one attacker or a group of attackers who run about 300 fake onion sites. - The attacker has automated the fake site production. These sites came online about simultaneously. -

Re: [tor-talk] Warning: 255 fake and booby trapped onion sites

2015-07-01 Thread grarpamp
On Tue, Jun 30, 2015 at 6:32 PM, Nurmi, Juha juha.nu...@ahmia.fi wrote: headers look fine. Ahmia's are still slightly different, a flaw of sorts, they'll fix that too. There have been different generations of the attack and a number of different actors across different sectors. It's primarily a

Re: [tor-talk] Warning: 255 fake and booby trapped onion sites

2015-06-30 Thread Roger Dingledine
On Tue, Jun 30, 2015 at 12:40:52AM +0100, Geoff Down wrote: Good catch. They are definitely rewriting specific onion addresses wherever they find them e.g. http://tor.stackexchange.com/questions/4619/how-do-i-find-onion-sites also. They're not actually exiting from 185.77.129.189, but from

Re: [tor-talk] Warning: 255 fake and booby trapped onion sites

2015-06-30 Thread Nurmi, Juha
On Tue, Jun 30, 2015 at 5:59 AM, Roger Dingledine a...@mit.edu wrote: If somebody could investigate how the fake onion services differ from the real ones, that would be neat. I made a comparison and noticed that the attacker is replacing all the Bitcoin addresses. Obviously the attacker is

[tor-talk] Warning: 255 fake and booby trapped onion sites

2015-06-29 Thread Nurmi, Juha
Hi, I noticed a while ago that there is a clone onion site for Ahmia. Now I realized that someone has actually generated similar onion domains for all popular onion sites and is re-writing some of the content. For instance, REAL Ahmia: http://msydqstlz2kzerdg.onion/search/?q=duckduckgo FAKE
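The comparison Juha describes in his 2015-06-30 follow-up (diffing a real onion site against its clone and finding every Bitcoin address swapped) and the look-alike onion addresses reported in this original warning can both be checked mechanically. The script below is an added example, not code from Ahmia or from anyone in the thread: it pulls Bitcoin and v2 .onion addresses out of two page bodies, keeps only Bitcoin addresses whose Base58Check checksum verifies (so random Base58-looking strings are not reported), lists what the clone removed and added, and pairs each added onion address with the removed one sharing the longest prefix. The two page bodies are constructed inline; the "real" Bitcoin address is the well-known genesis-block address standing in for a site's donation address, the attacker's address is generated from a made-up key, and the fake onion name is a hypothetical look-alike, not the actual clone address.

```python
"""Diff a genuine onion page against a suspected clone for swapped
Bitcoin and .onion addresses. Added example with constructed sample
pages; nothing here is captured from the sites discussed in the thread."""
import hashlib
import re
from typing import Dict, List, Tuple

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# P2PKH ('1...') and P2SH ('3...') addresses in the Base58 alphabet.
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
# v2 onion names: 16 base32 characters (the only kind in use in 2015).
ONION_V2_RE = re.compile(r"\b([a-z2-7]{16})\.onion\b")


def b58check_encode(version: bytes, payload: bytes) -> str:
    """Base58Check: version || payload || first 4 bytes of double-SHA256."""
    raw = version + payload
    raw += hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # leading zero bytes -> '1'
    return "1" * pad + out


def b58check_valid(addr: str) -> bool:
    """True only if addr decodes to 25 bytes with a correct checksum."""
    try:
        n = 0
        for ch in addr:
            n = n * 58 + B58.index(ch)
    except ValueError:
        return False
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) != 25:
        return False
    return hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] == raw[21:]


def extract(html: str) -> Dict[str, List[str]]:
    btc = [a for a in BTC_RE.findall(html) if b58check_valid(a)]
    onions = [m + ".onion" for m in ONION_V2_RE.findall(html)]
    return {"btc": sorted(set(btc)), "onion": sorted(set(onions))}


def compare(real_html: str, clone_html: str) -> Dict[str, Dict[str, List[str]]]:
    """For each address kind, what the clone dropped and what it introduced."""
    real, clone = extract(real_html), extract(clone_html)
    return {
        kind: {
            "removed": sorted(set(real[kind]) - set(clone[kind])),
            "added": sorted(set(clone[kind]) - set(real[kind])),
        }
        for kind in ("btc", "onion")
    }


def common_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def onion_lookalikes(report) -> List[Tuple[str, str, int]]:
    """Pair each added onion name with the removed one it most resembles."""
    removed = report["onion"]["removed"]
    out = []
    for fake in report["onion"]["added"]:
        best = max(removed, key=lambda r: common_prefix_len(fake, r), default=None)
        if best is not None:
            out.append((fake, best, common_prefix_len(fake, best)))
    return out


# --- constructed sample data (not captured from any real site) ---
REAL_BTC = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"   # genesis-block address, stand-in
FAKE_BTC = b58check_encode(b"\x00", hashlib.sha256(b"made-up attacker key").digest()[:20])
REAL_ONION = "msydqstlz2kzerdg.onion"             # Ahmia's address as quoted in the thread
FAKE_ONION = "msydqstlz2kzaaaa.onion"             # hypothetical look-alike for this example
REAL_PAGE = f"<p>Donate: {REAL_BTC}</p><a href='http://{REAL_ONION}/'>Ahmia</a>"
CLONE_PAGE = f"<p>Donate: {FAKE_BTC}</p><a href='http://{FAKE_ONION}/'>Ahmia</a>"

if __name__ == "__main__":
    report = compare(REAL_PAGE, CLONE_PAGE)
    print(report)
    print(onion_lookalikes(report))
```

Fetch the two bodies through separate Tor circuits (or one over Tor and one from a trusted mirror) before diffing; a page fetched through a rewriting exit or a hostile proxy would otherwise make the "real" copy match the clone. A 12-of-16 shared prefix, as in the constructed sample, is what a vanity-address generator can cheaply produce for a v2 name.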

Re: [tor-talk] Warning: 255 fake and booby trapped onion sites

2015-06-29 Thread grarpamp
Rather than detectable (when alone), I meant differentiable (when compared). I've also seen exits [1] rewriting onion addresses found on clearnet. [1] Like the retard behind this piece of shit is doing to that pastebin url... Arag0n 185.77.129.189 dc914d754b27e1a0f196330bec599bc9d640f30c --

Re: [tor-talk] Warning: 255 fake and booby trapped onion sites

2015-06-29 Thread grarpamp
On Mon, Jun 29, 2015 at 3:05 PM, Nurmi, Juha juha.nu...@ahmia.fi wrote: It seems that the situation is this: ... http://pastebin.com/iHPwhCeH This has been going on for years. Though they've raised their game in the last year or so, they'll always be detectable and real operators can easily

Re: [tor-talk] Warning: 255 fake and booby trapped onion sites

2015-06-29 Thread Geoff Down
On Mon, Jun 29, 2015, at 11:38 PM, grarpamp wrote: Rather than detectable (when alone), I meant differentiable (when compared). I've also seen exits [1] rewriting onion addresses found on clearnet. [1] Like the retard behind this piece of shit is doing to that pastebin url... Arag0n

Re: [tor-talk] Warning: 255 fake and booby trapped onion sites

2015-06-29 Thread grarpamp
On Mon, Jun 29, 2015 at 7:40 PM, Geoff Down geoffd...@fastmail.net wrote: also. They're not actually exiting from 185.77.129.189, but from 46.166.137.219 . Now 46.166.190.216. What I want to know is why they're burning double cash routing their OR traffic back out over a VPN in a different AS.