70 Malicious Tor Exit Nodes Exposed By Siganit.org

4 minute read

Posted by: DeepDotWeb

April 26, 2015

If you are a Sigaint email user you probably received this email last week:

Hash: SHA1

Hello SIGAINT user,

We have recently found out that over 70 Tor exit nodes have been rewriting
cleartext page on sigaint.org.

We have reported the bad exit nodes to the Tor Project and they have been
removed. We are actively coordinating with them to keep bad exit nodes off of
the Tor network.

If you have ever browsed to sigaint.org to find our onion address, your
may be at risk.

We ask that our users change their password as a precaution if you feel you
might have done the above.

You can change your password by following this link:

This message is PGP signed so you can verify that it is authentic.

Thank you,
The Cats at SIGAINT
Version: GnuPG


 And this is the story behind it as it was shared with us by the owner of sigaint darknet email service:

We started noticing some strange circumstances. We usually get a few complaints from law enforcement per week regarding abusive users of the service.

After the month of March had passed and we hadn’t had a single complaint we figured something strange was going on.

About a week ago someone started trying to break into the servers that warehouse user data. The attacks were relentless. After a full audit we realized that the attacker didn’t get in. (We employ extensive exploit mitigations that deflect even worst 0day exploits.)

Around the same time we received a complaint from a user that noticed that he had logged into an onion address that just didn’t look right after clicking the link from our clearnet abuse page on sigaint.org.

This got our attention so we started scanning our abuse page from every single Tor exit node. We found 58 of them and reported them to the Tor Project privately using PGP. (We didn’t want to alert the attacker, and we wanted the results we were seeing to be reproducible on their end.)

A member of the Tor Project wrote a plugin for the scanner they use and found even more exits. Some of them had literally just started the attack hours after we reported the first 58. We ended up with a total count of 71 bad Tor exit nodes. They have all since been blocked. The search for more of them continues.

Our users were alerted as soon as we had confirmation that the nodes were on the BadExit list. Any one who had been using our abuse page to find the darknet onion URL was advised to change their password immediately.

We think it could be a government that one or more of our users have angered in the past. The time line above could suggest this. Of course, there is no way for us to be sure and this is just speculation.

In hindsight, we figure because they couldn’t just break in and spy they resorted to running 71 bad Tor exit nodes to alter the abuse page on sigaint.org.

Explanation of the attack:

SIGAINT lives inside of the darknet. This means that the entire service is hosted on “sigaintevyh2rzvw.onion“.

We do operate a custom mail exit so our users can email people who have a regular clearnet email address. Sometimes users generate complaints. In order to ensure that the SIGAINT admins handle the clearnet complaints in a timely fashion we have an abuse page on sigaint.org. The sigaint.org abuse page has a link to the onion address.

Initially sigaint.org was behind Cloudflare and had SSL capability, but as the months went by Cloudflare started loading captchas to those who were viewing the sigaint.org page from Tor. We started to get complaints mostly from people who use TAILS. We realized that people using TAILS without persistent storage (they can’t save bookmarks between reboots) were using the abuse page as a bootstrapping point to get at their email.

In response to the captcha complaints, we turned Cloudflare off. (We still use them for DNS, but that’s all.) This happened months ago. The attack we witnessed followed.

The attackers were altering the onion address on our clearnet abuse page. They were changing it to an onion address that they control. Initially, we thought it was to steal user credentials. Our support email history statistics told us that this simply wasn’t the case.

After more investigation we realized that it was a sophisticated Man-In-The-Middle (MITM) attack. The bad onion address would sit in the middle between the user and the real site. It would read their email as they typed it and harvest any new emails that came in.

Why would they do this? A lot of darknet email doesn’t even leave the darknet anymore. Lots of users of SIGAINT email each other and other Tor-enabled mail services. There is no way to spy on email that doesn’t leave the darknet without spying on the mail service itself.

For now, we are still using the clearnet abuse page for testing so we have not changed it yet. We are debating either putting TLS on the page or removing the onion link all together. We will probably do the latter, and routinely patrol the page from each exit node looking for rewrite attacks.

We still advocate that users keep browser bookmarks, or simply write the correct onion address on a piece of paper.


Updated: 2015-04-26