Beware of Phishing Scams On Clearnet Sites! (darknetmarkets.org)


Posted by: DeepDotWeb

July 3, 2015

AVOID – The most recent scam list responsible for spreading phishing URLs to unsuspecting visitors has been located on this site:

  • darknetmarkets.o r g/mark ets (added spaces in the url)

Do not visit that site or use any of the links on that list, as they redirect to phishing URLs that will steal your market login credentials, and quite possibly your session if you are logged into the market, with the goal of stealing your BTC. This was first reported on Reddit and confirmed by multiple users:

Screenshot of the phishing links:

Clicking one of the shortlinks on that list:

    GET /Agora HTTP/1.1
    Host: drk.li
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36
    Referer: http://www.google.com
    Connection: close

Returns this response with the phishing link:

    HTTP/1.1 307 Temporary Redirect
    Date: Thu, 02 Jul 2015 23:34:01 GMT
    Server: Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
    X-Powered-By: PHP/5.4.36
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Pragma: no-cache
    X-Robots-Tag: noindex, nofollow
    Set-Cookie: PHPSESSID=c1ba8a0afc408bc79b4b2cd6e217ce1b; path=/
    Set-Cookie: prli_click_4=agora; expires=Sat, 01-Aug-2015 23:34:01 GMT; path=/
    Set-Cookie: prli_visitor=5595ca698f40b; expires=Fri, 01-Jul-2016 23:34:01 GMT; path=/
    Location: http://agorahoob6wgtbre.onion
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=UTF-8
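A defensive check for the redirect shown above, as an added example that is not part of the original post: it parses a shortlink's raw HTTP response and accepts the Location target only when its host exactly matches an address you saved yourself. The pinned address is a constructed placeholder and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed placeholder for an address you saved yourself (not a real service).
PINNED_HOSTS = {"agoraexamplepin1.onion"}

# Trimmed copy of the 307 response shown on this page.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 307 Temporary Redirect\r\n"
    b"Location: http://agorahoob6wgtbre.onion\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

def parse_redirect(raw):
    """Return (status_code, location_host) from a raw HTTP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    location = headers.get("location")
    return status, (urlsplit(location).hostname if location else None)

def shared_prefix(a, b):
    """Count leading characters two host names have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def check_shortlink_response(raw, pinned=PINNED_HOSTS):
    """Classify a response as 'pinned', 'reject' or 'no-redirect'."""
    status, host = parse_redirect(raw)
    if status not in (301, 302, 303, 307, 308) or host is None:
        return ("no-redirect", None, 0)
    if host in pinned:
        return ("pinned", host, len(host))
    # A shared prefix is reported for the log only; it never makes a host trusted.
    best = max((shared_prefix(host, p) for p in pinned), default=0)
    return ("reject", host, best)

if __name__ == "__main__":
    print(check_shortlink_response(SAMPLE_RESPONSE))
```

Only an exact host match is accepted; the prefix count is there to show that a target can look similar to a saved address and still be a different site.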

Generally it's better to keep your links saved in an encrypted text file if you use them on a regular basis, but if you must – get your links ONLY from:

* Need to note: That list was not displaying phishing links until today, so it's only fair that we publish the site owner's response once (and if) we have it. Until then – avoid like the plague.

Updated: 2015-07-03
