Exposing A Scam: V3RDAD

For the record: I don’t like scammers (who does?), but I have encountered many of them, especially on Tor and other darknets. I suppose that’s all par for the course.

My most recent scam encounter has been with a fellow who calls himself (or herself?) V3RDAD.

He has a profile on ask.fm, a question-and-answer site along the lines of Quora or Yahoo! Answers. On this profile, he links to a Tor hidden service at http://dafynex6ytjnpeo4.onion/. Fine – there’s nothing wrong with that, except that I find all of his answers to be sketchy in nature.

Here’s one example:

ask_fm_scam

In the screenshot above, someone asks “Why does taur node open a listening connection? My antivirus blocked it.”

His answer:

“Taur Node creates a listener to handle up-to-date information coming from the network itself. The only purpose of it is to display pop-up information about the network, like network status, node availability, login information, etc. Just disable your antivirus software before starting the node. If you are too paranoid about it, you can simply just kill it’s process after you are done / disconnected from the network and re-enable your antivirus again. Killing the process of the node will disable any incoming activity and kill the listener.. you will basically not be able to receive any information about the network anymore.”

OK – does that sound suspicious to anyone? He’s telling some random person to disable their antivirus after it blocked this so-called “taur” software. I realize that on occasion, antivirus programs will block software that isn’t malicious, but an unexplained listening socket plus “turn your antivirus off first” is exactly the pattern you’d expect from a backdoor, not from a network client – so why should I trust you, V3RDAD?

The Tor hidden service that he links to is entitled “whoami,” and looks like this:

dafy_node_scam

The links with the purple text have various downloads, all of which (as I said before) look very sketchy. The operator of this site claims that you need the downloads to connect to a so-called “taur node” (in other words, nodes on his “private network”).

Again, this sounds like a scam to me. If you really want to try it (which I don’t recommend), run it inside a throwaway virtual machine with networking disabled (a Qubes disposable VM, for example), so that the file can’t harm your real system – and note that Tails is a live OS for anonymous browsing, not a sandbox for running untrusted files.

If you look at some of his other answers, they also sound like bullshit:

Q. What is vbs0rkxc.dafy?

A. The answer to Level 7.

Um…OK, if you say so. If you’ve read any of my earlier posts (or RationalWiki, for that matter), you should know that there are no “deep web levels,” as intriguing as that might sound.

It’s possible that the same person may also have written this blog post, although I’m not sure: Darkfantasy Network. Why do I say this? It has a list of so-called “dafy links” (where have I heard that before?)

dafy_links

In addition, it has a list of “Nept Links,” “Life Links,” “Taur Links,” and “Elen Links,” accompanied by mysterious descriptions. Here are a few examples:

http://girogahary5arofeideidegivoly.nept/ – Dark Babylon City (hidden marketplace)

G94dkElc.dafy – Conspiration Forum

http://ekkhgiskagfrawahulatriaottyx.nept/ – How the Universe was Created

You get the idea. And to try to lend credence to his links, he throws in a few real ones, including ChaosVPN and Freenet. This isn’t the first time I’ve seen something like this. Remember The Shadow Web? (*cough cough*)

Anyhow, I don’t suggest downloading anything from these sites, as it may potentially harm your computer. And of course, don’t give this person any money. Want some real darknet links, though? Here:

http://rrbm3jiflz3euxhp.onion/wordpress/

http://zfq7tgxed245jpdz.onion/ – The Darknet Project 0ffSecurity

bdtq4shqkbb3yy7b.onion – DARKWEB LEGION (yes, that’s how they wrote it)

ZeroNet Links:

http://127.0.0.1:43110/kaffiene.bit/

127.0.0.1:43110/138R53t3ZW7KDfSfxVpWUsMXgwUnsDNXLP/

http://127.0.0.1:43110/zerochatrooms.bit/

Freenet Links:

http://localhost:8888/freenet:USK@tiYrPDh~fDeH5V7NZjpp~QuubaHwgks88iwlRXXLLWA,yboLMwX1dChz8fWKjmbdtl38HR5uiCOdIUT86ohUyRg,AQACAAE/nerdageddon/247/ – Nerdageddon

http://localhost:8888/USK@XJZAi25dd5y7lrxE3cHMmM-xZ-c-hlPpKLYeLC0YG5I,8XTbR1bd9RBXlX6j-OZNednsJ8Cl6EAeBBebC3jtMFU,AQACAAE/index/711/ – Enzo’s Index

http://localhost:8888/freenet:USK@2u8eFaTHrvLzeHeq9vXFV8wzivgTG1ExY6v1cM8Zblo,eDLofzubExKX5A8TK0SqdQb3jrI0fDlgw-iaxXUEHVQ,AQACAAE/ttipdocs/5/ – Greenpeace TTIP Leaks

http://localhost:8888/USK@1ORdIvjL2H1bZblJcP8hu2LjjKtVB-rVzp8mLty~5N4,8hL85otZBbq0geDsSKkBK4sKESL2SrNVecFZz9NxGVQ,AQACAAE/bluishcoder/21/ – Bluish Coder

I also recently found a site that maps the Hyperboria Network, which uses the cjdns protocol: fc00 – these I really haven’t checked out yet, so maybe you can fill me in!

I guarantee that these are all real links (although I can’t guarantee that the information on them is accurate). Check those out, and let me know if you find anything of interest. If you don’t, keep searching!


There Will Be No Order, Only ChaosVPN

by Ciphas

tinc_vpn_command

I’m always flattered when I get the chance to correspond with my readers and subscribers. One reader asked me recently, regarding my earlier post ChaosVPN: Making Friends with Hackers!, how to connect to it – or at least about one of the steps in doing so.

I must confess that I’m only minimally experienced with it myself, but it seems that using it is somewhat similar to using other private networks. Specifically, the part that he seemed stuck on was this: ChaosVPN:Howto – Mail us your infos [sic].

The wiki has very specific instructions as to what to do next, but the specifics they ask for are:

a. A sponsor – in other words, someone who’s already on ChaosVPN who can vouch for you. If you don’t know someone, I’m sure you can find one with a little digging.

b. gatewayhost=<clienthost> – the external hostname or IP address of your node, i.e. the address that other ChaosVPN nodes will connect to from the Internet. This must not be an address from inside the VPN, and a bare machine name such as “Ciphas” won’t do either unless it resolves publicly; use a DNS name like node.example.org or your public IP address.

c. network=<ipv4 subnet in the vpn>
network=<ipv6 subnet in the vpn>

What they mean is the subnet(s) inside the VPN that your node will announce, written in CIDR notation (one IPv4 line and, if you use IPv6, one IPv6 line). On the wiki, they have a list of IP ranges to choose from: ChaosVPN:IPRanges. Pick an unused subnet from those ranges – a subnet, not a single address – and insert it here.

d. owner=

Your own name or handle, as the person responsible for this node – it’s so that there’s someone to contact in case of possible issues.

e. port=4712

The port your tinc daemon will listen on. It has to be reachable from the Internet on both TCP and UDP, since tinc uses TCP for its control connection and UDP for the tunnelled data, so open it in your firewall or forward it on your NAT router. According to the wiki, it’s better to use a random port for this, but 4712 is one possible option; tinc’s default, port 655, works as well.

f. hidden=0

Set this to 1 if your node cannot accept inbound tunnel connections (for example, behind a NAT you can’t forward a port through); leave it at 0 otherwise.

silent=0

Set this to 1 if your node cannot connect out; leave it at 0 otherwise. A node can’t be both hidden and silent, or nothing would ever be able to reach it.

g. Ed25519PublicKey=<something>

When you first set up tinc (version 1.1 or later, which is what the Ed25519 key requires), you generate your node’s key pairs from its command line with “tinc -n <netname> init <nodename>,” with <nodename> being your node name. This creates the RSA and Ed25519 key pairs and writes the public halves into your host file, /etc/tinc/<netname>/hosts/<nodename>; copy the Ed25519PublicKey line from there.

For a full list of tinc commands, go here: tinc commands.

Once you’ve collected all of that, send it in an email to chaosvpn-join@hamburg.ccc.de. The tricky part may be finding a sponsor within the network, but you may be able to find one on the wiki too.

You don’t have to use tinc to connect to ChaosVPN, by the way – it’s also reachable from dn42, an experimental network of interconnected VPN tunnels that peers with ChaosVPN. Click the link there to find out more about it.

Just remember – these guys won’t help you find The Shadow Web or anything like that – so don’t ask.

Tor Social Networks: Oct. 2017 Update

Who knew that socializing on the “dark web” would be such a popular topic? On my earlier post Fun with Dark Web Social Networking!!, someone mentioned that the beloved site Galaxy2 is no more, which I didn’t realize.

As some of my friends on IRC like to say, “rip” (all-lowercase intended.) Well, it’s Tor – what did you expect? Sites seem to go down and come back up again rather frequently.

In any case, you may be wondering about any alternatives that exist. I’m happy to report that one of the sites that I mentioned in the original post, Blackbook, is back up again. As before, you can find it at http://blkbook3fxhcsn3u.onion. It has a new, slightly more modern look, and seems to be functioning for the most part:

blackbook_homepage_censored

Like Facebook, it has a news feed, polls, forums, pages, etc. Because it’s Tor, though, you may find that the subject matter tends to differ a lot from that of Facebook. As has been my experience on some other Tor sites, a common question is, “How do I hack [insert social media site here]?” In fact, when I checked it today, someone was asking how to hack WhatsApp; maybe that will be the subject of a future post.

Also, as I remember from my previous membership, there are people advertising “hitman for hire” services and other sorts of financial offerings.

However, like before, it requires the use of JavaScript, and depending on whether you trust the site or not, this may be a good or bad thing. You can log into the site without enabling scripts, but some of its basic functions won’t work. For example, you won’t be able to leave comments, check your messages, etc.

I tend to be wary of Tor sites that require JavaScript: scripts widen the attack surface of the browser (fingerprinting and, in the worst case, exploits that deanonymize the user), on top of ordinary web vulnerabilities such as Cross-Site Scripting (XSS), which I have encountered on other Tor hidden services in the past.

That aside, there’s another troubling aspect to this – Blackbook seems to be affiliated in some way with The Hidden Wiki, which many Tor users think of as their “introduction” to the dark web. The problem with this is that The Hidden Wiki is loaded with scam sites, and that makes sense, given that a lot of noobs visit it when they first venture onto the dark web.

Lo and behold – just like The Hidden Wiki, Blackbook has a number of ads for financial services of sorts on the dark web. While I haven’t tried them personally, they look sketchy to me, so I would avoid them if I were you. Anyhow, if all you really want to do is socialize, and maybe learn some things, you’re fine.

Meet Some Psychos

http://psycnets7z6tvqpa.onion

psycho_social

The other “social network” which I recently joined is called “Psycho Social Network,” and as its name implies, it seems to be geared toward people interested in dark things. Hopefully they’re not real psychos – well, it’s the dark web, so you never know.

It even features a shot of Patrick Bateman from the movie American Psycho, appropriately. (“Do you like Huey Lewis and the News?”) Given that it’s brand new, there don’t seem to be very many people active on it, although this could change.

Like Blackbook, it has at least one group dedicated to hacking and exploits. Some of the more unnerving groups, however, were called things like “Gore and Torture.” Don’t get me wrong – I love some gore as much as the next guy, but there’s LiveLeak for that.

So, if that’s what you’re into, you may want to check this one out. Heck, I’d be honored if I managed to attract a few people with this post!

In the meantime, I’m gonna leave – I have to return some videotapes.


Don’t Use the Hidden Wiki – Use These!

thehiddenwikicrop

I’ve noticed that quite a few people recommend The Hidden Wiki as a “starting point” for using Tor.

While it does have some good general information about Tor (and darknets in general), most of the links that it features are scams – at least the financial ones, or anything that you would have to pay money to use. Though I don’t suggest using it, I’ll link to it anyway, just so you can see what I mean: http://zqktlwi4fecvo6ri.onion

This probably goes without saying for people who have been using Tor for a reasonable amount of time, but for those new to the dark web, the Hidden Wiki looks like a lure built to ensnare people unfamiliar with it.

Granted, some of the links are innocuous – you’ll see things like the search engines, and some of the “library sites” like the Imperial Library of Trantor. On the other hand, there are quite a few sites that promise things like “bitcoin doubling,” “free drugs,” etc. – these are all scams.

So…if you don’t use the Hidden Wiki, what should you use?

Well, as I’d mentioned in several earlier posts, there are a few Tor search engines that are good:

notevil-chat

Besides these search engines, there are other link lists you can find, one of which I also mentioned in my earlier post, Fresh Onions: Best Tor Link List?:

welcometodarkweblinks

Of course, these sites, too, may have scam links on them, but they’re at least mixed in with other things. And for whatever reason, I also find them to be more interesting than the Hidden Wiki – whether that’s because they have better links, or just look creepier, I can’t say. Nevertheless, I have found a lot of the interesting sites I discuss on these alternate link sites and search engines.

Besides these, if you’re just looking for a group of people on the clearnet who hunt down onion links like you do, I’d suggest the subreddit /r/onions: Things That Make You Cry. They’re a pretty cool group of folks.

As for me, I’ll make an effort to include more onion sites in some of my future posts. Have fun checking out some of the ones I’ve shared here, in the meantime!


Can You Access .Onion Sites Without Tor Browser?

by Ciphas

(Note: Thanks to Ben Tasker’s Security Blog and traudt.xyz for being references.)

Can you access .onion sites without the Tor Browser? Short answer? Yes, you can – but I don’t recommend it…I cannot stress this enough.

I’ve mentioned Tor2web proxies in a few previous posts, but didn’t elaborate on them much.

onionto

In their own words, “Tor2web is a project to let Internet users access Tor Onion Services without using Tor Browser.” Tor2web and Web2Tor are reverse proxies which allow clearnet users (such as someone using Chrome, Firefox, etc.) to access Tor hidden services.

reverse_proxy

The proxy listens on port 80 (or 443 for HTTPS) on a clearnet server; it runs its own Tor client, fetches what you asked for from the hidden service over Tor, and hands the response back to you. To the onion service, every visitor who comes through the gateway looks like the gateway; to you, the gateway is a man in the middle that sees every request and response in the clear.

If you’re unfamiliar with proxy servers, Indiana University gives a great definition of one: What is a proxy server?  (Psst…I talked about this a little in my earlier post ‘Anonymous’ Proxy List?)

The example they use on Tor2web.org is this: when you see an onion URL, for example http://pbfcec3cneb4c422.onion/, you add “.to,” “.link,” “.cab,” etc. to the end of the hostname (e.g. http://pbfcec3cneb4c422.onion.to), and that gateway will fetch the onion service for you. Great, right?

Well, no – not great. For all its convenience, the problem with using these proxies is that whoever operates the Tor2web gateway can read your web traffic: your real IP address, every URL you request and everything the service sends back. If that operator has malicious intent, you (the user) are basically a sitting duck. And if the point of Tor is being anonymous, then handing a third party a log of which hidden services you visited, and when, defeats the whole purpose!
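Because the gateway hostname is just the onion name with an extra label, both undoing it and spotting it are mechanical. As an added example (mine, not Tor2web’s or the Tor Project’s code): the first function rewrites a gateway URL back to the direct onion URL, and the second scans DNS query log lines, in a constructed “<client> <name>” format, for the lookups a clearnet machine leaks when it uses such a gateway – a network defender can see exactly which hidden service was visited. Treating any name ending in .onion.<something> as a gateway, beyond the .to/.link/.cab named above, is an assumption of this example.

```python
"""Undo Tor2web-style gateway names and spot them in DNS logs.

Added example for this post, not code from Tor2web or the Tor Project.
Assumption: any hostname of the form <onion>.onion.<suffix> is treated as a
gateway, not only the .to, .link and .cab suffixes named in the text.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Onion names are base32: 16 characters for v2 services, 56 for v3.
ONION_RE = re.compile(r"^(?:[a-z0-9-]+\.)*(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")
GATEWAY_RE = re.compile(r"\.onion\.(?P<gw>[a-z0-9.-]+)$")


def split_gateway_host(host):
    """Return (onion_host, gateway_suffix) if `host` is a gateway name, else None."""
    host = host.lower().rstrip(".")
    match = GATEWAY_RE.search(host)
    if match is None:
        return None
    onion_host = host[: match.start() + len(".onion")]
    if not ONION_RE.match(onion_host):
        return None  # ".onion.to" glued onto something that is not an onion name
    return onion_host, match.group("gw")


def to_onion_url(url):
    """Rewrite a gateway URL to the direct onion URL; other URLs come back unchanged."""
    parts = urlsplit(url)
    split = split_gateway_host(parts.hostname or "")
    if split is None:
        return url
    onion_host, _ = split
    # The https scheme and any port belong to the gateway, not to the service,
    # which you reach over Tor as plain http://<onion>/...
    return urlunsplit(("http", onion_host, parts.path or "/", parts.query, parts.fragment))


def leaked_onion_lookups(dns_lines):
    """Flag resolver log lines (constructed format: '<client-ip> <queried-name>')
    that reveal a gateway lookup, and with it the hidden service the client visited."""
    hits = []
    for line in dns_lines:
        client, _, qname = line.strip().partition(" ")
        split = split_gateway_host(qname)
        if split is not None:
            hits.append((client, split[0], split[1]))
    return hits


# Constructed resolver log, not real traffic.
SAMPLE_DNS_LOG = [
    "192.0.2.10 pbfcec3cneb4c422.onion.link",
    "192.0.2.11 www.torproject.org",
    "192.0.2.12 6zdgh5a5e6zpchdz.onion.cab",
]
```

A sensible use of the second function is a detection rule: any query on your corporate resolver that matches is a host browsing hidden services without Tor, with the full onion name exposed to the resolver, the gateway and everyone in between.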

In fact, even onion.cab themselves – the proxy service, that is – warns users when they first try to access a site this way:

onion

If this doesn’t sound bad, then it should be noted that not only can the operator see your web traffic, but they can also modify it and inject code if they so desire.

Ben Tasker Security Blog has an excellent post about this called Don’t Use Web2Tor/Tor2web (especially Onion.cab) – the example he gives is that some Web2Tor services “have some pretty bad habits, including playing fast and loose with your privacy.”

If you visit  https://6zdgh5a5e6zpchdz.onion, but do so through onion.cab instead of through Tor, the proxy service injects piwik analytics code into the page, which looks something like this:

piwik_tracking

So why should you care? Well, the proxy service who injected the code now knows that your IP address accessed said onion service at a specific time. In addition, they’re also executing code on your browser that the operator of the original site is unaware of.

Within the code, some of the information that it can discover about you is:

  • The title of the page you’re viewing
  • An ID for the site
  • The time that you made the request
  • The exact URL you were looking at
  • The page that sent you to that URL
  • Details of which plugins you have installed
  • Whether cookies are enabled
  • Your screen resolution
  • A unique ID for you

Alternatively, this third-party operator can inject code into the site that tracks you across hidden services – as long as you keep using the onion.cab proxy, every page you read passes through the same hands.
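Injected scripts are easy to check for, because the copy of a page you fetch directly over Tor and the copy the gateway serves should be identical. The following is an added example, not Ben Tasker’s or onion.cab’s code: it lists the script elements that appear only in the proxied copy. Both HTML pages are constructed for the example, and the inline snippet merely imitates the shape of a Piwik loader (the _paq queue and a piwik.js include); it is not a copy of what onion.cab actually injects.

```python
"""Spot scripts that a gateway added to a page it relayed.

Added example for this post, not Ben Tasker's or onion.cab's code.  Compares
the HTML fetched directly over Tor with the HTML the gateway served and lists
the <script> elements that exist only in the gateway's copy.  Both sample
pages are constructed; the tracker snippet imitates a Piwik loader's shape.
"""
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect every <script> as ('src', url) or ('inline', body)."""

    def __init__(self):
        super().__init__()
        self.scripts, self._buf = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(("src", src.strip()))
            else:
                self._buf = []  # start buffering an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append(("inline", "".join(self._buf).strip()))
            self._buf = None


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def injected_scripts(direct_html, proxied_html):
    """Scripts present in the proxied copy but absent from the direct copy."""
    baseline = set(collect_scripts(direct_html))
    return [s for s in collect_scripts(proxied_html) if s not in baseline]


def describe(script):
    """Name the well-known tracker shape; anything else is just an unknown script."""
    kind, body = script
    if kind == "src":
        return f"external script from {body}"
    if "_paq" in body or "piwik" in body.lower():
        return "inline Piwik/Matomo tracking snippet"
    return "inline script (unknown)"


# Constructed page as the onion service itself serves it.
DIRECT_HTML = """<html><head><title>whoami</title>
<script src="/static/app.js"></script></head><body>hello</body></html>"""

# Constructed page as a gateway might return it: same content plus a tracker.
PROXIED_HTML = """<html><head><title>whoami</title>
<script src="/static/app.js"></script>
<script>
  var _paq = _paq || [];
  _paq.push(['trackPageView']);
  (function() { var u="//analytics.example.net/";
    _paq.push(['setTrackerUrl', u+'piwik.php']);
    _paq.push(['setSiteId', '7']); })();
</script>
<script src="//analytics.example.net/piwik.js"></script>
</head><body>hello</body></html>"""
```

In practice you would fetch the two copies yourself (one through the Tor Browser, one through the gateway) and feed them to injected_scripts; any non-empty result means the gateway is executing code in your browser that the site’s operator never shipped.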

Tor2web gateways also turn up on the malware side – read this article by Virus Bulletin: Vawtrak uses Tor2web to connect to Tor hidden C&C servers. There, a banking trojan reached its command-and-control hidden service through these gateways, precisely because they let any infected machine talk to an onion service without running Tor. Granted, this article is over two years old, but it shows why connections to *.onion.to and the like from an ordinary network are a red flag, and what kind of company relies on these proxies.

Thus, if your concern is privacy, it should be obvious why you don’t want to give this information away. The same goes for any proxy, really, but again, if you’re using Tor for anonymity, then accessing so-called “hidden services” via the clearnet is pointless.

I know that a lot of people who explore the “dark web” for fun just say, “Give me links!” But if you want to explore those links, do so in the right way – use the Tor Browser (from https://www.torproject.org/), and don’t try to do so via the clearnet.

There’s a reason it’s called the “dark web,” after all.


Should You Use a VPN with Tor? (Well, No.)


This seems to be a very frequently asked question, and on many sites, people will tell you that you should use a VPN with Tor, for “extra protection.”

Based on my research, however, I disagree – and this seems to be an unpopular opinion. One reference I’d like to cite is a blog post by Matt Traudt, a.k.a. system33-, who is someone I respect with regard to Tor. The post in question is VPN + Tor: Not Necessarily a Net Gain.

One of the points he brings up here is the following:

Tor is trustless, a VPN is trusted. Users don’t have to trust every Tor relay that they use in order to stay safe with Tor. As long as the right ones aren’t compromised, working together, or otherwise malicious, the user stays protected.

This is the main problem with insisting on combining Tor and a VPN: the VPN provider is a single party that sees both who you are and that you’re using Tor, and it can keep logs of your activity (though some claim not to), whereas no single Tor relay is in a position to see both ends of your connection.

However, using a VPN can hide your Tor usage from your ISP, which matters if said ISP is suspicious of Tor – the price being that you’ve moved that same visibility to the VPN provider instead.

The Tin Hat, on their post Tor And VPN – Using Both for Added Security, also makes the point that “Where this setup fails is at hiding your traffic from a malicious Tor exit node. Because the traffic goes through the VPN, and then to the Tor network, exit nodes can still watch your traffic unencrypted.”

My preference, personally, is to use a Linux distribution built around Tor, like Tails or Qubes, or for the more advanced, a general-purpose distribution such as Arch Linux or Manjaro Linux. Tails and Qubes take time to learn and won’t do everything for you, but they are designed for this: Tails routes all traffic through Tor and leaves nothing on disk, and Qubes isolates your browsing in its own VM. Arch and Manjaro aren’t security distributions, but they give you control over exactly what runs. None of this means they are vulnerability-free, but they can improve your protection, particularly if you understand their ins and outs.

Don’t get me wrong – Unix-like OS’s are not invincible – see Sophos: Don’t believe these four myths about Linux security, but depending on the situation, it’s preferable to using an OS like Windows.

Oddly enough, I haven’t “contracted” any malware via the dark web – at least not to my knowledge. This has happened more often on the clearnet, ironically. Maybe it’s because I don’t download mysterious files or install programs that I find randomly on networks like Tor.

I’m paranoid that way.

What about you, readers? What OS’s do you prefer to use (specifically in combination with Tor, I2P, Freenet, etc.)?

In the meantime, enjoy your dark web adventures, my friends – and please research any VPN or other “privacy” software before trusting it blindly.


What are Some AlphaBay Alternatives?

For those of you who were regular customers on AlphaBay Market, if everything is as it appears, AlphaBay is indeed gone for good.

So, if you’re curious as to where to turn next, there are some great articles (and other sites) you can look to for alternatives.

DeepDotWeb, which is one of my favorite news outlets for the dark web, featured an article today entitled Alphabay Death: Wondering which market is headed to the top? Here is some insider info!

The author gathered data from the site’s “Dark Net Markets Comparison Chart”, which, in real time, lists the up/down statuses of all the major markets:

darknet_market_chart

Besides just listing their online statuses, the chart also has the URLs of each market, whether or not they allow open registration, whether or not they allow multisig, and other factors, such as whether or not they have 2FA (two-factor authentication).

DeepDotWeb also predicted, via some analytics, which market may be the next big one – and the answer may surprise you. Based on their table, it appears to be RAMP (Russian Anonymous Marketplace)!

Ramp-Homepage-after-login.jpg

While RAMP is not an English-language marketplace (and doesn’t have that option), they do have an excellent reputation, and some anti-scam methods in place. Good work, RAMP!!

If you want an alternative site to use as a comparison, I’ve mentioned DNStats in an earlier post. Like DeepDotWeb’s chart, they list the online statuses of the major markets, as well as some vendor shops (independent shops set up by successful vendors) and forums.

DNStats_alphabay

Just bear in mind – any business you do on the dark web carries a risk factor, so protect your identity, and keep yourself informed! Happy tripping.
