Phishing With A Darknet: Imitation of Onion Services Frederick Barr-Smith Joss Wright Department of Computer Science Oxford Internet Institute University of Oxford University of Oxford Oxford, England Alan Turing Institute
[email protected] Oxford, England
[email protected] Abstract—In this work we analyse the use of malicious ferred amongst mutually untrusting users, and is thus mimicry and cloning of darknet marketplaces and other an attractive target for a variety of scams, theft, and ‘onion services’ as means for phishing, akin to tradi- fraudulent behaviour. Phishing taking place on such sites tional ‘typosquatting’ on the web. This phenomenon occurs due to the complex trust relationships in Tor’s is unlikely to be reported to law enforcement, although onion services, and particularly the complex webs of this is not to say that anonymous reports on forums do trust enabled by darknet markets and similar services. not occur on occasion. Winter et al. [67], theorised about To do so, we built a modular scraper tool to identify the potential existence of phishing onion domains based networks of maliciously cloned darknet marketplaces; on data from their experiments. in addition to other characteristics of onion services, in aggregate. The networks of phishing sites identified by Phishing on the clearnet is a well established threat [15], this scraper are then subject to clustering and analysis [29]. A particularly effective variant being that of imitating to identify the method of phishing and the networks of ownership across these sites. We present a novel sites [52] to obtain credentials or financial details from discovery mechanism for sites, means for clustering and victims.