The TOR network, known home of cybercrooks and freedom fighters alike, is seeing a wave of copied websites set up to scam users of the so-called dark web.
Cloned websites, which attempt to steal login credentials and bitcoin e-currency from users, are a known problem on the service and commonly appear after major law enforcement takedowns of illegal sites on the network. During Operation Ononymous, which took down the Silk Road 2.0 drug marketplace in November of 2014, it emerged that most of the websites taken down by law enforcement were actually clones of bigger, well known sites.
The sites were created with Onion Cloner, an easy to use tool that makes it simple to impersonate TOR sites and harvest passwords and Bitcoins.
Rapid7, the security firm that discovered the latest batch of cloned websites, said the potential for cloning is greater on the dark web for network architecture reasons.
Criminals robbing criminals is about as old as crime itself, and it's an endemic problem with the dark web,” spokesman Tod Beardsley explained. “Unlike the case with robbing criminals in person, there is no immediate risk of violence, and the methods by which one can rob Dark Web criminals are both well established and scale easily.
While TOR hidden services offer a means for strong anonymity for both users and content providers, actually finding anonymous commerce sites can be tricky
Many don't want to be found by casual users. Of those that do, they need to be listed on a registry or findable by a TOR-based search engine. There are only than the regular internet a handful of these indexers, so compromising or cloning just one can permanently poison a user's experience of the rest of the dark web.
The dark net is also vulnerable because there are far fewer sites than the regular internet. Ahmia.fi, a popular indexer of the underground network, has less than five thousand sites in its index, compared to millions of websites indexed by Google. “The job of impersonating a sizeable fraction of the entire ‘semi-public’ dark web commerce space looks positively easy," said Beardsley.
Cloned sites on the TOR network are a well-known attack method because the target space is small and the penalty of getting caught is little. Victims aren't likely to pursue legal action because the original sites are illegal and would result in their owners going to jail if they were shown to law enforcement.