TradeRoute Market phishing protection

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512



Welcome fellow redditors!

We are here today to ask the community for some help. Our 
login page at TradeRoute is undergoing a complete rework 
to make it more secure and one of our bigger concerns is 
phishing. Although our market is growing quickly it is still 
not big enough to catch the attention of phishers so luckily 
no user has been phished yet on TradeRoute, but we know 
that this is not a matter of if, it is a matter of when. 
We are sure that we will face this problem soon and we want 
to prepare beforehand.

Yes I know that some of you argue that people should be 
wary about any links they see out there and if someone gets 
phished it is his/her fault. I am not of this opinion
Although it is obvious that everyone should be as careful 
as posible during his activities at the dark web there is 
nothing inherently bad about the markets being more secure. 
If we can keep users safe even when they make mistakes then 
we are definitely succeeding at our business. I do not know 
whether this is the best thing to do but it is our philosophy 
and we are going to stick to it until someone proves us wrong.

In short, we have sorted out the most basic and evident phishing 
schemes. I am talking about those that make up a fake login page 
and request your login info. Those are easy, we have already 
figured out how to protect people from that. The problem are the 
more sophisticated phishing sites that work just like a proxy to 
the real TradeRoute page, performing a man in the middle attack. 
The issue is that we haven't been able to find any examples of them 
to study how they work. We can just make conjetures and this is not 
ideal.

That is why we want to ask you for any phishing links you may have 
or at least tell us where to find them. The only links that I 
could find were very simple and lame, we would ideally study those 
that act as a proxy to the real market. We do not care about which 
market they are focused on.

Best regards!
The TradeRoute team
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJYnFNRAAoJEG1uaxOEo4CAcc8H/05QASWzeCImw2SZSQZEkOic
D7dwxbtgj76m6c4JPi/t+FAgoKs596+McRaEkict+lkDjxL268OYnHnz1ydNzG4K
y7maQRl/DjNcx4ZNW3wSrjomOwt9hnxp07X2wZROSTXPCr97MVjqVBesyV3Iz8rc
jbF4EOgvap/Ogks6RaFIP36p9fQNOAOJTEgYfftGlP2lptOeMhNJIfJV5cosfuJ+
qUWFgMTUs1gGIhVAepLmfytqM/L5aUwmjQ6qvyqSx757HcwEdRoLHF6mptojePVd
YYPBqgG0utBYNqz1B7R6zzNGMApteAb6mUQpeAAaQVoiBfo0YTyqAc37Gh2b1d4=
=a5/p
-----END PGP SIGNATURE-----


Comments


[3 Points] shillface:

Why do you send people PMs on other markets (reports on Dream and Alphabay) asking them to sign up to TradeRoute?

Do you think that's ok?

Do you think that might make it easier for phishers to start sending out PMs including their phishing links in the future? "oh, I know TradeRoute sends out invites via PM, so this must be legit"


[1 Points] TheNodManOut:

if they wasn't phishing there, they are now.


[1 Points] al_eberia:

Solve proxy type phishing using your PGP 2FA. Rather than just having users copy a code, give them a new link to visit in the browser such as example . onion/verify/randomstring. Even if they were initially visiting from a proxy, they will only ever successfully login on the real site. Everything you send in the 2FA PGP ecrypted message can't be touched by the proxy so make use of it. Make PGP 2FA mandatory for vendors and find a way to encourage it for buyers.