There's always talk of people getting phished despite getting their market links via the superlist. Everyone, me included, assumes the user was at fault and made an obvious mistake somewhere.
Yesterday I believe I was presented with a phishing link to DHL via the superlist. I believe this was a result of a naughty Tor exit node performing a MITM attack and replacing a URL with a bad one.
Why do I believe this was the case?
Yesterday I was setting up a Tails USB, a process I've been through many times. I checked the PGP sig of the file and carried on as normal. Once set up, I went to add some market links as bookmarks, so I navigated to the superlist.
I added the markets as usual. DHL would not load but there was a post about DHL being down yesterday so I didn't give it too much thought.
Today it would still not load, so I checked dnstats, which said it was up... strange... I went to look for an alternative link... and noticed the only entry on the superlist was different from the URL I had received yesterday! (Sadly, I deleted the bad URL a few hours ago and only thought to make a public warning later.)
I can be certain that:
- The PGP sig of the Tails ISO checked out.
- I did not install anything on Tails; it is a plain vanilla install, and I haven't even imported my PGP keys yet.
- I got all the links from the superlist.
Is this even possible? Yes! We know MITM attacks on Tor just like this are possible and have been observed in the wild (see LBC's FAQ).
I know the full URLs of my most regularly used markets off the top of my head, but I rarely log in to DHL, which is what threw me.
TL;DR: it is possible a malicious exit node is currently replacing superlist URLs, so we need to be extra vigilant and double-check them. You can no longer assume URLs served from the superlist are 100% legit if checked via Tor.
Stay vigilant, folks, and inform the community: there seems to be fuckery.