Fake Tor

  1. Fake Tornado Warning Text
  2. Fake Tornado Warning Maker

She will be speaking about ' Phony HTTPS Everywhere Extension Used in Fake Tor Browser ', as well as her research on the history of coded communications in Black communities, dating back from the Trans-Atlantic Slave Trade to the present. Alexis works to encrypt the web by managing the Certbot and HTTPS Everywhere projects. TOR websites REAL or FAKE? Legit Financial vendors on DW.LINK ccplaza6m5qq2fgd.onion(Must type.onion after the. With a fake IP address, it becomes difficult if not impossible for your real identity to be discovered – and as such, the government, your ISP, and website won’t be able to track activities online. The Tor network makes it difficult to trace one’s Internet activities. Tor is open-source software and requires you to make use of the Tor. One of the most widely used tools for protecting online anonymity is the Tor Browser. It’s loathed by government spies and corporate data collectors, and this week became the most secure way to.

Fake identities and Tor-network

Tracking the person by using the computer’s IP-address that the person uses is the common way to uncover the hidden identity of the user of social media. Even if the person uses the social media account from public libraries or some other places there is a possibility that surveillance cameras are targeted to the working point and then the officials can make the image compilation that allows to track the persons who are using the social media in a certain time.

Hiding identity in the network is quite easy. One of the most common ways to make this thing is just to use invented identity. In that case, the thing is not the stolen identity. The user must only create a social media account by using the fake identity, and that thing can hide the identity from the normal users, and the thing that can break this thing is that somebody knows the person, who is in the image of the user profile.

The image can load from the network, but maybe somebody knows who the person in the image is. And then make the report of that thing. And maybe artificial intelligence is compiling the face images from multiple social networks and user accounts. And the purpose is to find if there are many accounts made by different users where is used the same face image. The system can also find if similar messages are coming from different social media accounts. And in this process, the system tracks the beginning of the message line.

The system is trying to find so-called prime messages. If nobody publishes a similar message before, that means that the owner of the account is invented the text. But if similar texts are published by using multiple social media accounts, and always the text is copy-pasted from the E-mails or some text editors, that tells that publisher might be the same person. So identical messages at the beginning of the multiple series of the shares tell that the message is written by the person who uses the different accounts or it is shared with multiple persons by E-mail or some kind of similar program.

But the Tor network allows full anonymity or does it?

Even if the Tor-network is fully safe, there is the possibility that somebody makes a trap by suggesting the meeting. Before we are starting to use Tor-network and troll thing in there, we must ask one question. Why Tor-network is possible to reach? Why this network is not closed by the state?

And at meeting point is waiting for the nasty surprise with baseball-bat or silenced automatic pistol. Many people are believing that Tor-network is somehow safe. Maybe it’s safe for tracking the IP-addresses. But there is always the possibility that the network is a so-called “honey pot” which is operated by the NSA or GCHQ. In that case, the user is routed to the “honey pot” or trap server, which might seem anonymous. But it is operated by military intelligence.

But if some people want to buy drugs, there is always a place, where drugs are delivered. So police or some robberies can lure the drug dealer into the trap. The same way people who are using Tor-network for sending illegal messages can suggest the meeting for each other, and at that meeting point are waiting for police or competitor gang.

ESET researchers recently discovered a false “trojanized” version of Tor Browser that collectively stole $40,000 USD in Bitcoin.

This does not mean that Tor or Tor Browser itself is compromised in any way. It only means that attackers found a new, insidious way to create and distribute a fake version of the Tor Browser. In this case, attackers also faked EFF’s own HTTPS Everywhere extension using a modified manifest.json file with a few settings changes. The attackers used a fake HTTPS Everywhere extension in their campaign because Tor does in fact package the HTTPS Everywhere and No Script extensions into its browser. Including details like normal extensions in the trojanized version of Tor could prevent eagle-eyed users from catching red flags that indicate they’re using a fake browser.

Nefarious HTTPS Everywhere Code

The manifest.json file in web extensions states explicit permissions and scope of activity the web extension will commit. In this attack, this modified file widened the scope by adding content scripts. This allows the extension to load scripts into the browser and potentially modify what the user sees and interacts with on various web pages.

Photo Credit: https://www.welivesecurity.com/2019/10/18/fleecing-onion-trojanized-tor-browser/

Left: Real manifest.json Right: Fake manifest.json

In this case, this content script notified the attacker's C&C (Command and Control) server and in return loaded further scripts that modify the user's experience: in this case, changing wallet addresses on the commonly used Russian money transfer service QIWI, or on Bitcoin wallets located on various Darknet markets.

Trojanized Tor Browser

This malicious download of Tor is older (version 7.5) with its xpinstall.signatures.required settings set to false, which disables a digital signature check for installed Tor Browser add-ons and bypasses the HTTPS Everywhere signature check.

This modified version of the Tor Browser targeted Russian-speaking users and presented them with “out of date” warnings. This prompted some to click a button to “update” to the trojanized Tor browser at the fake domains tor-browser[.]org and torproect[.]org. (The authentic domain is torproject.org.)

Researchers discovered advertisements promoting the fake Tor Browser in spam messages on Russian forums, covering topics such as darknet markets, cryptocurrencies, internet privacy and censorship circumvention. The advertisements falsely promised to help users bypass CAPTCHA and Roskomnadzor, a Russian censorship body in media and telecommunications.

Photo Credit: https://www.welivesecurity.com/2019/10/18/fleecing-onion-trojanized-tor-browser/

Spam message promoted in Russian Forums

Fake Tor

The most insidious part of these advertisements was tricking people into believing that the trojanized Tor Browser would guarantee anonymity. In fact, the attackers behind this trojanized Tor Browser set a unique identifier in the modifications: a custom user-agent, a text-based identifier that allows other hosts to see what software and operating system the user has. So even though the real Tor proxy was still present in this browser, ultimately anonymizing user’s I.P. addresses, this custom user-agent allowed the attackers to create and track a very specific fingerprint on their victims. That also means that any victims using this malicious browser could still be fingerprinted and tracked by a myriad of other observers.


This campaign relied on the user not catching a few red flags that indicate a potentially fake or malicious Tor Browser but are easy to miss. Some of these red flags include:

  • Fake domains for downloading Tor browser
  • Unverified signature for the download
  • Outdated Tor Browser version
  • Non-AMO (Mozilla Add-ons Store), unverified HTTPS Everywhere extension
  • Modified scope of HTTPS Everywhere permissions and activity
  • Likely no NoScript extension present to block Javascript (Assumed from report)

Even though this was a targeted, atypical attack, it may still concern some users. With these red flags in mind, here are some tips and helpful links to ensure you are using the proper Tor Browser:

Fake Tornado Warning Text

Fake tortillaFake Tor
  • What is the current version of Tor?
    • At the time of this post, 9.0.
    • The official, up-to-date Tor Browser is available at this address: https://www.torproject.org/download/
    • Distribution directory: https://dist.torproject.org/torbrowser/
    • To verify Tor downloads: https://support.torproject.org/tbb/how-to-verify-signature/
  • What is the proper way to update Tor?
    • Please reference this page: https://tb-manual.torproject.org/updating/

Fake Tornado Warning Maker

  • Tor also normally announces updates via their blog: https://blog.torproject.org/new-release-tor-browser-90
  • Which add-ons are allowed in Tor currently?
    • At the time of this post, the only add-ons bundled with Tor are the HTTPS Everywhere and No Script extensions. Installing any other add-on could de-anonymize you.