Cybercriminals are increasingly targeting the Tor network. Recently, two fresh waves of attacks have been observed, which include SSL-stripping attacks and a new fingerprinting technique, dubbed scheme flooding. The SSL-stripping attacks are being performed on Tor users visiting cryptocurrency-related websites, while the new scheme flooding technique affects the Tor browser.

On SSL-stripping attacks

According to a report, the SSL-stripping attacks started in January 2020, and attackers controlled 400 malicious Tor exit nodes. 
  • The first wave of attacks had targeted 27% of malicious Tor exit nodes until February. The second wave of attacks stopped soon, however, malicious infrastructure remained active for several weeks.
  • The main reason behind the success of this operation is that the threat actors added malicious nodes in small numbers and quietly developed the attack infrastructure.
  • Since May 2020, a researcher is reporting the malicious exit relays to the admins of the Tor network and the capabilities of the attackers have decreased after the takedown attempt made on June 21, 2020.

Another technique based on a privacy vulnerability named scheme flooding targets the Tor users.

Scheme flooding technique

A browser-fingerprinting library for fraud prevention, FingerprintJS, has discovered a new fingerprinting technique that generates a consistent identifier on different desktop browsers, including Tor.
  • According to researchers, there is a possibility that someone could link any user’s browser histories on all the sessions with an identifier that can potentially de-anonymize or track users on the web.
  • The technique is based on a scheme flooding vulnerability that allows an attacker to find out which applications have been installed by the users. 
  • The scheme flooding name is referred to exploiting custom URL schemes that make web links such as slack:// or skype:// prompt the web browser to open any associated application.

Ending notes

Recent fingerprinting techniques and ongoing SSL-stripping attacks show that attackers are continuously putting in efforts to target the Tor network. Therefore, researchers suggest implementing non-spoofable ContactInfo on Tor relay. In addition, users are recommended to always update the web browser to fix any exploitable vulnerability.

Cyware Publisher