Criminals work around the clock to exploit any situation for personal financial gain, and darknet users are no exception: they, too, are targets of online cybercriminals.
Through phishing links, hackers can steal the login information of the user and access their accounts without their knowledge.
How Darknet Phishing Sites Work
In the darknet market scenario, scammers create a website with a striking resemblance to the actual marketplace. Often the only difference is a few characters (or maybe even one), which is very difficult for the average user to detect.
Given the fact that the links to the marketplace are a combination of alphanumeric characters, the possibility of a market user taking time to observe and identify that each letter/number in the URL is correct is very low.
Because of this, a person who intends to visit a particular darknet market for one reason or the other may end up falling victim to a phishing scheme.
If they happen to visit the spoofed URL and enter their login details thinking that they are on the correct page, the masterminds will be able to capture their actual login credentials and use them to access the victim’s account on the real site.
Since these are darknet markets, the attackers assume that the accounts hold funds in the form of digital currencies; it then becomes easy for them to log in to the site and try to withdraw funds from the person’s account.
How to Tell You’re on a Phishing Site
The darknet and clearnet operate under the same underlying principles as they are both parts of the web as a whole. For this reason, it is important to note that the same tactics used to identify phishing links on the clearnet may also be used in Tor-based markets.
Among the most important items to look at is the URL because it is what’s used to trick the user into believing they are on the correct webpage. If one has used a specific site on the dark web, they should have the legitimate address stored somewhere. For those with a sharp memory, they tend to memorize each character.
However, it is possible to make a typo from time to time, and it is such blunders that direct someone to a phishing site, with potentially serious consequences.
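The character-by-character comparison described above can be done by a small script instead of by eye. This is an added example, not part of the original article: it checks a pasted address against a saved list and reports which positions differ. The address and the names `TRUSTED`, `host_of`, `diff_positions` and `check_address` are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed placeholder address, not a real service (16-character label).
TRUSTED = {"example-market": "abcdefghij234567.onion"}

def host_of(url):
    """Lower-cased hostname of a URL; tolerates a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def diff_positions(a, b):
    """Indexes at which two equal-length strings differ (None if lengths differ)."""
    if len(a) != len(b):
        return None
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def check_address(url, trusted=TRUSTED, max_diff=3):
    """Classify a URL against the saved addresses.

    Returns (verdict, name, positions):
      "match"     - host equals a saved address exactly
      "lookalike" - same length, differs in 1..max_diff characters
      "unknown"   - not close to anything saved; still not trusted
    """
    host = host_of(url)
    closest = ("unknown", None, [])
    for name, good in trusted.items():
        if host == good:
            return ("match", name, [])
        diffs = diff_positions(host, good)
        if diffs and len(diffs) <= max_diff:
            if closest[0] == "unknown" or len(diffs) < len(closest[2]):
                closest = ("lookalike", name, diffs)
    return closest

if __name__ == "__main__":
    samples = [
        "http://abcdefghij234567.onion/login",  # the saved address
        "http://abcdefghlj234567.onion/login",  # constructed: 'i' replaced by 'l'
        "http://zzzzzzzzzzzzzzzz.onion/",       # unrelated address
    ]
    for url in samples:
        print(url, "->", check_address(url))
```

Only a "match" verdict means the address is the saved one; "lookalike" names the saved entry being imitated and the exact positions to inspect.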
The other thing to look for is whether the website creates popups when the URL is accessed. It is very typical for phishing sites to do so and then redirect a person to their URL. When this occurs, the individual is definitely on a spoofed site.
Also, if one has accessed the URL of a darknet market and doubts its authenticity, they can intentionally enter a wrong password. If they determine that it is a fake site, the next course of action is to close the tab or window.
One thing to note is that a site tested this way may give an error irrespective of whether the password is correct or incorrect. When this happens, the attackers have already stored the information in their database and will try to access the actual site.
Another tactic, though not commonly used, is checking the link over time to make sure it’s still in existence. Since scammers are aware that AI-enabled crawlers often monitor for phishing links, they tend to develop websites that have a very short lifespan so as to avoid detection.
And last but not least is to take note of the image resolutions and choice of words. Generally, spoofed sites tend to have poor-quality images as well as several grammar/spelling errors because the owners never took time to develop them.
And if a person is observant, they will notice a few minor issues with the spoofed website that don’t add up.
Scenarios Where Users Have Been Affected
One of the most recent instances in which darknet users were affected by phishing sites was last fall when the top darknet markets went offline because of a DDoS attack.
During this time, the sheer volume of fake sites was incredibly high.
Because all markets were affected simultaneously, desperate users were left confused and ended up giving the attackers their actual logins which would then be used to access the marketplaces once they were back online.
In yet another instance that happened last month, a Dream Market user lost access to his account and had this to say (refer to screenshot below):
In a somewhat interesting but real response from a market user named Gowron, he acknowledged the fact that phishing sites are indeed a significant problem for darknet users and said that the person with the issue is indeed a victim of the same. (Screenshot below.)
Gowron goes a step further to explain the process that the attacker uses to syphon funds from the victim’s wallet. Upon gaining access to the victim’s account, they go to the account settings and take note of the wallet address.
Using the address, they enable notifications that alert them when the victim has deposited funds into the wallet. When this happens, they log in to the account, insert their own PGP key and change the login requirements to “PGP only.”
From this point, the person has lost complete access to their account and, as such, the marketplace cannot help them out because the damage has already been done.