A Fake Dark Web Search Engine Is Sending People to Fake Dark Websites

The dark web is already hard enough to navigate without somebody deliberately pointing you in the wrong direction. But according to a piece of new research, a fake version of a dark web search engine has been directing users to 255 fake sites designed to steal login credentials and bitcoins.

The fake sites include ripoffs of popular dark web services such as the Agora and Abraxas markets, as well as the privacy focused email service Lelantos, set up to dupe users into thinking they were the real thing.

The cache of scammy sites was discovered when Juha Nurmi, a security researcher and founder of the dark web search engine Ahmia, found that someone had made a copycat of his site. He then discovered that not only did a spoofed version of his search engine exist, but also fake versions of the many of the sites branching off of it.

"I noticed a while ago that there is a clone onion site for Ahmia," he wrote on the tor-talk mailing list on Monday. "Now I realized that someone is [sic] actually generated similar onion domains to all popular onion sites and is re-writing some of the content."

Nurmi made a script to automatically compare the results of his search engine to the fake version, Nurmi told Motherboard. In all, he found 255 scam sites. Some of these sites weren't full-on hidden services of their own, he said, but were instead acting as malicious proxies between a user and the legitimate site.

"The attack works as [a man-in-the-middle] and rewrites some content," he wrote on the tor-talk mailing list.

It appeared the clones were being launched in an automated fashion, all coming up at roughly the same time, Nurmi told Motherboard, meaning it's presumably either an individual or one group of attackers doing all of this. (As he pointed out, it wouldn't make much sense for someone to make a clone of his search engine and to then point victims to scam sites run by other people.)

"Sites that pretend to be another in order to steal a user's credentials—known as phishing sites—are not a new thing," Roger Dingledine, interim executive director and co-founder of the Tor Project, told Motherboard in an email. "The usual fixes, like bookmarking key sites, will work here too."

Dingledine said this was actually the reason Facebook wanted to preemptively get an HTTPS certificate for its own hidden service, which allows users to access Facebook securely through Tor—so that users could be sure that they were visiting the official dark web Facebook.

It shouldn't come as much of a surprise that lots of the sites on the dark web are fake. There are often warnings on dark web marketplaces to check the URL of the site carefully, to make sure that you're on the right one. Various versions of the infamous "Hidden Wiki" exist, meaning that other lists of .onions likely also contain fake links. And after Operation Onymous, a multi-agency effort to tackle the dark web, researchers found that 153 of the addresses seized belonged to either scam, clone, or phishing sites. But this new research shines some more light on the scale of the problem, and highlights that lists of dark web sites are particularly under threat of being targeted.