Warning: More Onion Cloner Phishing Scams

Posted by: DeepDotWeb

April 22, 2015

No, it's not new, but another round of the “onion cloner” phishing scam is going around that will log not only your username and password but your cookies as well when you are logged into markets. This is the recent info as it was provided to us by Alphabay admin “DS”:

Original warning link on the forum: http://pwoah7foa6au2pul.onion/forum/index.php?threads/warning-phishing-links.4414/

Thanks to DS for taking the time and contacting us on Jabber so we could issue this warning / reminder.

I want to make a warning that there are phishing links posted (or attempts to post) on our forums, marketplace, personal messages (PMs) & other places like reddit. The user responsible for the phishing links is the ex-vendor “Logs”, banned a few days ago, aka “TinKode” (user registered with this name on our forums) aka dev.null (with whom I talked on jabber). The user will surely be using this to create clones of other dark net marketplaces (as he has said in our conversation).

After visiting his phished link, I put a message to him (telling him to fuck off) in the password field. When he saw it in his logs, he found one of my contacts from the forums here and started talking me into buying his onion cloner script* – which I knew was free. The scammer asked 10 BTC and since I wanted more information (whether it is some modified version of onion cloner, etc.), I agreed. No deal took place of course. But we now know how the script works (we injected specific URLs which we now see in server logs) & we are working on blocking phishing links on both marketplace and forum. You can read the details of the conversation with the scammer in the screenshots below:

The solution is dead simple: please memorize the real market links or keep them locally in a text file. If you can’t do that, then make sure that you are using links only from legit sources, such as our list, the /r/darknetmarkets list or the dnstats.net sidebar. No other source should be trusted, and in any case a manual check should be made to make sure you are not using a malicious exit node that might replace the links with phishing links.

* The onion cloner script makes it possible to mirror any .onion website on the fly while only catching specified fields like the username and password ones. The user browsing the phished website sees no difference between that one and the real website – except the URL. Be very careful when visiting links because it SNIFFS your COOKIES if you are logged into the real marketplace.
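Since the URL is the only visible difference, the manual check against a locally saved list can be automated with an exact, full-hostname comparison. The sketch below is an added example, not part of the original post or of the forum warning; the hostnames are constructed, and the function names and the `prefix_len` threshold are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data: these .onion names are made up for the example.
KNOWN_GOOD = """\
# one saved host per line, copied once from a trusted source
abcdefghij234567.onion
zyxwvutsrq765432.onion
"""

# 16-character (or 56-character) base32 name followed by ".onion"
ONION_HOST = re.compile(r"^[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion$")


def load_allowlist(text):
    """Parse the local text file: skip blanks and comments, lowercase hosts."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#"):
            hosts.add(line)
    return hosts


def onion_host(url):
    """Return the .onion hostname a URL really points at, or None."""
    if "://" not in url:
        url = "http://" + url
    # .hostname drops any "user@" part, so a trusted name placed before
    # an "@" does not count as the host.
    host = (urlsplit(url).hostname or "").lower()
    candidate = ".".join(host.split(".")[-2:])  # name + "onion"
    return candidate if ONION_HOST.match(candidate) else None


def check_link(url, allowlist, prefix_len=6):
    """Classify a link as 'trusted', 'lookalike', 'unknown' or 'not-onion'."""
    host = onion_host(url)
    if host is None:
        return "not-onion"
    if host in allowlist:  # exact, full-string match only
        return "trusted"
    if any(host[:prefix_len] == good[:prefix_len] for good in allowlist):
        return "lookalike"  # same opening characters, different host
    return "unknown"
```

Anything other than `trusted` should be treated as a link not to log in through; `lookalike` marks a host that would pass a glance at only its first few characters.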

Updated: 2015-04-22