While I'm doing obits... So you may also have noticed that a recently-launched black-market named Black Goblin Market has been down for the past 3-4 days after its launch 5 days ago.
Goblin was not so much hacked as de-anonymized. You can see some information on its IP in the comments: http://www.reddit.com/r/DarkNetMarkets/comments/1wwjg3/black_goblin_market_is_now_open/cf64uhk
Naturally, for any black-market, being de-anonymized is about as bad as being hacked, since it means that any future law enforcement investigation knows exactly where to start: subpoena the host or ISP to get everything they know, like what's on the server, what IPs connect to it, who was paying for it, etc. And this means such a market can never get very big or last very long.
So while he left the landing page up for a day, he seems to have called it quits for good.
I'm afraid I have to claim credit for this one: about 3 hours after the Reddit post was submitted, I signed up for an account on BGM, gave it my real e-mail address when its signup form asked (I am aboveboard about the mirroring stuff and have nothing to hide), and a little while later, noticed in my inbox an email from... Black Goblin Market.
A little background here: Tor exit nodes generally forbid email because allowing email would result in a tsunami of spammers. If you ever read the Tor documentation (or read your /etc/tor/torrc and noticed the discussion of blocking ports) about exit policies, you'd know that SMTP/email/port-25 is blocked by default; as the Tor Abuse FAQ explains in "What about spammers?":
First of all, the default Tor exit policy rejects all outgoing port 25 (SMTP) traffic. So sending spam mail through Tor isn't going to work by default. It's possible that some relay operators will enable port 25 on their particular exit node, in which case that computer will allow outgoing mails; but that individual could just set up an open mail relay too, independent of Tor. In short, Tor isn't useful for spamming, because nearly all Tor relays refuse to deliver the mail.
So it is unusual, to say the least, to ever get email from a hidden service. How did BGM pull it off‽ I instantly wondered. I opened up my email and looked at its headers ('Show Original' in the dropdown menu in Gmail, if you don't know what I'm talking about):
...
Received: from ua4aptglh45m5p6b.onion (p549469F8.dip0.t-ipconnect.de [84.148.105.248])
    by mx-fwd-1.nearlyfreespeech.net (Postfix) with ESMTP
    for <gwern@gwern.net>; Mon, 3 Feb 2014 19:28:16 +0000 (UTC)
Received: by ua4aptglh45m5p6b.onion (Postfix, from userid 33)
    id 8A3BD2180319; Mon, 3 Feb 2014 20:28:10 +0100 (CET)
To: gwern@gwern.net
Subject: Account details for 1391455689 at Black Goblin
X-PHP-Originating-Script: 1001:system.mail.inc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed; delsp=yes
Content-Transfer-Encoding: 8Bit
X-Mailer: Drupal
Sender: goblinking@noemail.com
From: goblinking@noemail.com
Message-Id: <20140203192810.8A3BD2180319@ua4aptglh45m5p6b.onion>
Date: Mon, 3 Feb 2014 20:28:10 +0100 (CET)
Answer: he didn't. The email was sent straight from his server and the IP (84.148.105.248) was right there for anyone in the world to look at, and would have been for anyone who ever signed up with a working email (like, say, a Riseup or Safe-mail email address), and making the emails anonymous would be quite difficult (have to somehow proxy over HTTP to someone willing to do clearnet emails for you). The IP is easily checked against a master list of Tor exit nodes & found to not be an exit node.
Actually, the hilarious thing is that he may not have even realized his 'hidden service' was doing this: the X-Mailer is "Drupal" and the return address is "noemail.com", and apparently this is some sort of Drupal default functionality. (Not an issue for most servers where it doesn't matter if the IP is being leaked...)
I mentioned it to some other people, they did some nmap probing and a simple correlation attack by DoSing the IP to see if the hidden service goes down simultaneously, and that was that. Black Goblin was toast.
The self-signed HTTPS nonsense and all the well-meaning security advice and elaborate precautions aside, the site never stood a chance. Really, all these new black-markets are so incredibly bad - I'm not a web dev, much less a pen tester, and I managed to de-anonymize a market? (And there's more in the offing...)
RIP Black Goblin Market (3-4 February 2014).
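The check the post describes by hand, reading the Received: chain and comparing the recorded IP against a Tor exit-node list, is easy to automate. The following is an added example, not code from the post or from any of the software mentioned in it: it parses the header block quoted above, pulls out every bracketed IP a relay recorded for the connecting host, and reports any public IP that is not on the exit-node list. The exit-node list here is a constructed stand-in using RFC 5737 documentation addresses; an operator auditing their own setup would feed in the current list from the Tor Project and run this over a test message sent to a mailbox they control.

```python
"""Audit an outgoing mail's Received: chain for an exposed origin IP.

Added example (not from the Reddit post). It parses a message as the
recipient received it, extracts the IPs that relays recorded in
Received: headers, and flags any public IP that is not a Tor exit node.
"""
import ipaddress
import re
from email import policy
from email.parser import Parser

# Header block quoted in the post (the body was not shown; a placeholder is used).
SAMPLE_HEADERS = """\
Received: from ua4aptglh45m5p6b.onion (p549469F8.dip0.t-ipconnect.de [84.148.105.248])
\tby mx-fwd-1.nearlyfreespeech.net (Postfix) with ESMTP
\tfor <gwern@gwern.net>; Mon, 3 Feb 2014 19:28:16 +0000 (UTC)
Received: by ua4aptglh45m5p6b.onion (Postfix, from userid 33)
\tid 8A3BD2180319; Mon, 3 Feb 2014 20:28:10 +0100 (CET)
To: gwern@gwern.net
Subject: Account details for 1391455689 at Black Goblin
X-PHP-Originating-Script: 1001:system.mail.inc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed; delsp=yes
Content-Transfer-Encoding: 8Bit
X-Mailer: Drupal
Sender: goblinking@noemail.com
From: goblinking@noemail.com
Message-Id: <20140203192810.8A3BD2180319@ua4aptglh45m5p6b.onion>
Date: Mon, 3 Feb 2014 20:28:10 +0100 (CET)

(body omitted)
"""

# Constructed stand-in for a Tor exit-node list (RFC 5737 documentation
# addresses). In practice, load the current list published by the Tor Project.
CONSTRUCTED_EXIT_NODES = {"198.51.100.7", "203.0.113.42"}

# Relays write the connecting host's address in square brackets, e.g. [84.148.105.248]
# or [IPv6:2001:db8::1]; the "from <name>" token is the HELO/EHLO name the sender gave.
_BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F:.]+)\]")
_HELO_NAME = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def received_hops(raw_message):
    """Return [(helo_name_or_None, [ip_address, ...]), ...] in delivery order.

    Received: headers are prepended by each relay, so the bottom-most one is
    the first hop; the list is reversed to put the origin first.
    """
    msg = Parser(policy=policy.default).parsestr(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(str(value).split())  # unfold continuation lines
        helo = _HELO_NAME.match(value)
        ips = []
        for candidate in _BRACKET_IP.findall(value):
            try:
                ips.append(ipaddress.ip_address(candidate))
            except ValueError:
                continue  # bracketed token that is not an address
        hops.append((helo.group(1) if helo else None, ips))
    return hops


def find_leaks(raw_message, exit_nodes):
    """Public IPs recorded by relays that are not on the exit-node list."""
    exits = {ipaddress.ip_address(e) for e in exit_nodes}
    leaks = []
    for _helo, ips in received_hops(raw_message):
        for ip in ips:
            # Private/loopback hops (e.g. an internal relay) are not a leak.
            if ip.is_global and ip not in exits:
                leaks.append(str(ip))
    return leaks


def onion_names_in_helo(raw_message):
    """HELO/EHLO names ending in .onion that a relay copied into Received:.

    Announcing the .onion hostname to a clearnet MX ties the leaked IP to the
    hidden service in the same header line.
    """
    return [helo for helo, _ in received_hops(raw_message)
            if helo and helo.lower().endswith(".onion")]


if __name__ == "__main__":
    print("Hops:", received_hops(SAMPLE_HEADERS))
    print("Origin IPs not on the exit-node list:", find_leaks(SAMPLE_HEADERS, CONSTRUCTED_EXIT_NODES))
    print(".onion names announced in HELO:", onion_names_in_helo(SAMPLE_HEADERS))
```

On the quoted headers this reports 84.148.105.248 as a non-exit origin and ua4aptglh45m5p6b.onion as the announced HELO name, which is exactly the pair the post describes. Adding the address to the exit-node set makes the leak report empty, which is the outcome an operator relaying outbound mail through an exit (or through a clearnet mail provider) would expect to see.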