Internet privacy and security course
Aa font
AA font size
About translation

Chapter 89

Deanonymization of Tor users through bait files

No matter how trivial and obvious this attack seemed to you, it was possible to identify a huge number of cybercriminals with its help. The features of this attack are simplicity and effectiveness against users of Tor browsers.

We will be covering in terms of our course how to create documents that can deanonymize the one who opened them, this does not require special skills.

Tor gives you maximum anonymity among all the tools to hide your real IP address. If a VPN or proxy user can be detected using requests, connection mapping, through third-party sites and other methods, then in the case of Tor this does not work.

Usually, a cybercriminal installs a Tor browser and immediately gets the highest level of anonymity “in the package”. Only their stupidity, an admitted error, a very difficult in implementation attack (like Cross-device tracking) or a vulnerability in the Tor network or Tor browser can lead to their deanonymization.

Vulnerabilities are rare, but they should not be excluded. Thus, thanks to one of the vulnerabilities, more than 900 visitors to the PlayPen child pornography site were deanonymized and arrested. They all used Tor, but it did not save pedophiles from the FBI and justice.

PlayPen is rather an exception to the rule, and cybercriminals, using Tor, feel safe. But the cybercriminal faces the Word document (or PDF), which they were sent and they are interested in opening it.

They download it, check on Virustotal and run on a virtual machine. The document does not show any malicious activity, it only connects to the server and thereby sends the IP address of the cybercriminal to it. By default the virtual machine does not block connections, and the anonymity of the Tor browser applies only to sites opened in it.

Even if the cybercriminal uses a VPN and set it up so that connections bypassing it are impossible, law enforcement services will have the IP address of a commercial VPN service. It remains just to send a request and obtain genuine data, which is not the most difficult task. Thus, many well-known hackers were detected, including Cody Kretsinger from the LulzSec hacker group.

To connect to the server it is necessary to open the bait file on the victim's computer; simple downloading will not lead to a result. Once again I draw your attention to the fact that with high probability all kinds of file checks will find the bait safe, in general this is what it is, as connecting to the server doesn’t include malicious functionality.

You can protect yourself from this method of deanonymization by opening such documents in the virtual operating system Whonix. Whonix eliminates connections that bypass the Tor network. If the file is opened in a sandbox, you need to make sure that the sandbox prevents all external connections of the objects it opens; or you can completely refuse to open any files on your computer.