Researchers at the Imperva Defense Center analyzed traffic from a single Tor exit node and have written a series of blog posts describing what the analysis yielded. This first post focuses on Luring attack campaigns originating from Tor, carried out through hundreds of Tor IPs. Extrapolating from a few hundred IPs, each issuing 105 requests per month, the Luring attack accounts for nearly 40,000 HTTP requests per month, each of which can cost the victim site a customer who switches to one of the competitor's sites.
What is a Luring attack?
Before we get into the details of how attackers use the Tor network to mount Luring attacks, here’s a brief explanation of what Luring attacks are. Picture a guy, we’ll call him Phil, signing into his online dating account and finding a new message from an attractive woman (no guy ever pauses and wonders how he got so lucky!). Linda, the woman, messages Phil flirtatiously, claiming that she is attracted to him and would like to know him better (serendipity, right?). Then Linda says—just one small thing, since this is my sister’s account, please contact me under the same name on another dating site here, linking to another dating site (seems innocuous, what could go wrong?). At the same time, Annika and Michaela are messaging other users on the same site in an identical fashion (alarm bells going off yet?).
Figure 1 – Promoted site
As you probably guessed, “Linda,” “Annika” or “Michaela,” are all part of a Luring attack campaign, mounted by a competing dating site to lure users from the victim site to the attacker site. Most Luring attacks target multiple dating services and send spam messages to a large number of users, inviting them to different dating sites, probably all controlled by the same hacker. The motivation for the attacker is clear—to divert customers away from the competitor’s site and lure them to the attacker’s site.
The Tor factor
Luring attacks from the Tor network are characterized by messages arriving from Tor clients at a relatively low but steady rate of 1-3 requests per day, probably to stay below rate-limit thresholds and avoid triggering automated browser-detection checks. Despite the very low request rate we observed, the actual total number of requests was likely much higher; our glimpse of Tor user traffic exposed only a few of them.
As shown in Figure 2 below, the attackers obfuscate URLs to evade the URL detectors in mechanisms designed to prevent exactly this kind of attack.
Figure 2 – Comment spam
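As an added illustration (not Imperva's code or the detection logic of any WAF), the following Python correlates the two signals described above over a constructed application log: a low, steady messaging cadence from known Tor exit addresses, and link obfuscation in message bodies. The exit-node list, the log format and the obfuscation patterns are assumptions.

```python
import re
from collections import defaultdict

# Constructed Tor exit-node list (documentation-range placeholders, not real relays).
TOR_EXIT_NODES = {"198.51.100.7", "198.51.100.23"}

# Constructed application log: "<timestamp> <source_ip> <action> <message body>".
LOG_LINES = [
    "2016-01-03T09:12:01 198.51.100.7 send_message hi, this is my sister's account, find me on lovelink [dot] example",
    "2016-01-03T09:40:10 198.51.100.23 login -",
    "2016-01-04T11:02:44 198.51.100.7 send_message same name at lovelink (dot) example, write me there",
    "2016-01-04T11:03:00 203.0.113.5 send_message check hxxp://lovelink.example for my pics",
    "2016-01-05T08:55:19 198.51.100.7 send_message write me on lovelink dot example please",
    "2016-01-05T08:56:02 198.51.100.7 send_message talk soon!",
    "2016-01-05T12:00:00 198.51.100.23 send_message hey, how was your weekend?",
]

# Heuristic for links rewritten to slip past a URL detector: "host [dot] tld",
# "host dot tld", hxxp://, or zero-width characters spliced into a hostname.
OBFUSCATED_URL = re.compile(
    r"\w+\s*(?:[\[\(\{]dot[\]\)\}]|\s+dot\s+)\s*\w+|hxxps?://|[\u200b\u200c\u200d]",
    re.IGNORECASE,
)

def parse_line(line):
    """Split one constructed log line into its fields; the day is the date part."""
    ts, ip, action, body = line.split(" ", 3)
    return {"day": ts[:10], "ip": ip, "action": action, "body": body}

def find_luring_sources(lines, tor_exits, min_days=3, max_per_day=3):
    """Return {ip: summary} for Tor exits that send messages on at least
    min_days distinct days, never more than max_per_day per day (the low,
    steady cadence that slips under per-request rate limits), with obfuscated links."""
    per_ip_day = defaultdict(lambda: defaultdict(int))
    obfuscated = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev["action"] != "send_message":
            continue
        per_ip_day[ev["ip"]][ev["day"]] += 1
        if OBFUSCATED_URL.search(ev["body"]):
            obfuscated[ev["ip"]] += 1
    hits = {}
    for ip, days in per_ip_day.items():
        steady = len(days) >= min_days and max(days.values()) <= max_per_day
        if ip in tor_exits and steady and obfuscated[ip]:
            hits[ip] = {"days": len(days), "messages": sum(days.values()),
                        "obfuscated": obfuscated[ip]}
    return hits
```

On the sample log only 198.51.100.7 is flagged: the other Tor exit messages on a single day without an obfuscated link, and 203.0.113.5 is not a Tor exit at all.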
Without a doubt, there is collateral damage from the attack, which is fronted by hundreds of highly attractive fake profiles built for luring. The attack also confuses the few users remaining on the victim website, harassing them and lowering the overall credibility of the site.
To conclude, this Luring campaign is an example of a sophisticated business logic attack which is devastating for the victim’s site. The attackers mask their real location and their identities with the use of Tor and use different methods to sneak under the security mechanisms designed to detect and block these attacks.
Web Application Firewalls today have the ability to detect such advanced business logic attacks regardless of whether Tor is used. WAFs with integrated threat intelligence can use IP reputation data and correlate attacks across sources, and they are the right solution for such threats.