Dark web crooks wage an easy and profitable phishing scheme on Wikipedia

Phishing is a hacker’s most effective weapon — just ask the U.S. politicians whose world turned upside as a result of spearphishing during the 2016 campaign. But phishing has multiple faces, and the threat extends far beyond emails.

Persistent and profit-driven crooks have spent the last half-decade unexpectedly popping up to vandalize Wikipedia by inserting and re-inserting phishing links that send victims to imitations of popular dark web markets where they unwittingly enter their credentials and then lose control of their accounts, bitcoins and even their dark web identities. The victims don’t elicit much sympathy, as it’s the equivalent of getting robbed while trying to buy drugs in a secluded city park, but the situation does illustrate the persistent power of phishing.

Like pestilent little swarms of locusts, instances of the scheme are unpredictable and relatively quickly deleted. But the phishing on Wikipedia is effective enough — and lucrative enough — to retain the interest of the dark web’s richest dwellers.

The practice has been documented and battled for years by researchers and even the owners of dark web markets. (Clicking on a dark web link — which has a .onion address — requires the Tor browser.) Although Wikipedia’s editors work to root out the false links, it’s a slow and never-ending fight.  Here’s a phishing link from Tuesday directing users to a fake version of AlphaBay, the largest dark web market in existence. Here’s a March 2016 phish, showing this local link war goes back months. Here’s the same ploy in 2015. The phenomenon extends back to the original Silk Road market in 2011 to 2013.

The fake URL from Tuesday’s attack on the Wikipedia’s AlphaBay article is pwoah7p6o5e67qul.onion. The page looked exactly like the real AlphaBay but lasted only a few hours. The edit was soon deleted and the page permanently taken down. The real URL is pwoah7foa6au2pul.onion — it’s not easy to quickly spot the fake. The real URL is so close to the fake because the phishers took a little extra time and computing power to hash out a customized spitting image of the real URL with a tool like scallion. Because Onion addresses are randomized and at least part gobbledygook, it’s easy to fool users unless they verify the URL from trusted sources.

Hooked, victims arrive at the phishing site and are fooled into entering usernames and passwords. They’re then often forwarded on to the real site so they might not even know what’s happened. The crooks then steal the accounts and funds of the victims, who maybe just wanted to buy or sell some weed or acquire some malware.

Customers have had their account access stolen with this method of phishing, along with all the money, which is typically held in bitcoins. So too have vendors, the folks selling the drugs and malware, whose accounts contain even more money as well as sensitive data on themselves and their customers — a fact made clear every time vendor and customer accounts are exposed by bugs and breaches to the wider world.

It’s impossible to tally the total take, but it’s easily tens of thousands of dollars for almost no effort. Sometimes the crooks even hold accounts and their related data ransom after stealing the bitcoins inside. For dark web vendors whose reputation is the cornerstone of their business, it’s hard not to pay.

This particular brand of phisher was the target audience for tools like “Onion Cloner” and ‘‘Rotten Onions,” scripts that took advantage of the fact that virtually no one is able to memorize the complicated addresses of the real markets. The author of Rotten Onions, which was in action as late as 2016, aggrandized his work with this description:

Rotten Onions is an extension for mitmproxy made to launch MITM-like phishing attacks on darknet markets and bitcoin anonymizers for the purpose of stealing money from users who are too stupid to check that they’re on the right URL. It’s a bit of a spiritual successor to the infamous Onion Cloner, but unlike Onion Cloner, it doesn’t suck.

With one script, the Rotton Onions tool executes a man-in-the-middle attack, steals account data as soon as a victim gives it up, checks account balances and drains the bitcoins to the attacker’s own wallet. The author, Crimewave, claimed to net 8.5 bitcoins in short order, worth about $8,000 at today’s exchange rates, on this software alone. Social media, reddit, dark web wikis and Wikipedia are prime real estate for casting a phishing lure.

Wikipedia editors like Chris Monteiro, who has been dedicated to dark web topics on the encyclopedia for years, considers Wikipedia, “if used properly, the most reliable source of links on the internet.” It’s true — but it’s not always used properly.

Victims don’t get much sympathy from the owners of AlphaBay.

“It might sound harsh, but people who get phished get phished because of their own stupidity,” an AlphaBay administrator wrote on reddit. The administrator added:

People who get phished do not have the skills to cross-check links on “official sources” because their official sources are repositories of phishing links, and they even less know the rules of the auto-mod. They will therefore google for “alphabay official link” and find “official” places such as Wikipedia (which constantly gets defaced), “List of official marketplace links” on Wikipedia which still contains phishing links and ignores our requests for change, and so on. The best course of action is therefore to put any warning you need, but leave the link up.

Dark web markets have been rising in popularity since 2011, when Silk Road exploded into the mainstream. Although it’s been a turbulent ride since, a succession of markets, characters and customers have built an illicit economy where anyone can anonymously buy and sell drugs, data, jewels, weapons, knowledge and nearly whatever else crosses your mind. AlphaBay has been among the most popular markets around for much of the last two years, meaning many new dark net denizens make the rounds.

AlphaBay recently made headlines when a vulnerability exposed over 218,000 private messages on the site including the names, addresses and other private information of users. That earned AlphaBay’s emphatic removal from an official list of dark web markets on reddit. The lack of that list, long the trusted leading source where people found the real URLs to markets, likely means phishing is about to rise.

Despite repeated warnings, many dark web market users send personal information without encrypting it first, meaning that any faulty or malicious activity from the market itself will expose them.

These two episodes illustrate the fact that, despite a reputation of shadowy and capable hackers, dark web market users can be just as mindbogglingly bad as the rest of us when it comes to cybersecurity.