30% of Tor Web Browser Transactions Found to Be Fraudulent

A new report shows that almost a third of Tor's traffic is fraudulent
A new report shows that almost a third of Tor's traffic is fraudulent

According to security firm iovation, a full 30.2% of transactions conducted from Tor in August were fraudulent. This compared with an overall fraud rate of 1% for all online transactions during the same period.

“Cybercriminals are always looking for ways to fly under the radar,” said Scott Waddell, chief technology officer at iovation, in a statement. “While Tor on its surface appears to be for the greater good, it is disproportionately used for fraudulent and abusive transactions.”

Tor essentially redirects web traffic along hard-to-follow routes and assigns web users a random IP address that can change at any time. This helps to mask users’ true geo-locations and the IP addresses of their internet-connected devices. According to Tor metrics, it typically has 500,000 users daily – although a massive botnet infection using Tor for Command & Control (C&C) has driven daily connections up to more than 1.5 million as of early September 2013.

Including the botnet, whose transactions weren’t classified as “fraudulent,” iovation analyzed 240 million transactions in August 2013, originating from the 1.5 billion devices it has in its device reputation database. Transactions utilizing Tor were identified by leveraging technology that iovation developed to correlate transactions to IP addresses that are part of Tor.

For its part, Tor says that “criminals can already do bad things,” as it explained on its website. “Since they're willing to break laws, they already have lots of options available that provide better privacy than Tor provides. They can steal cell phones, use them, and throw them in a ditch; they can crack into computers in Korea or Brazil and use them to launch abusive activities; they can use spyware, viruses and other techniques to take control of literally millions of Windows machines around the world.”

Tor aims instead to provide protection for ordinary people who want to follow the law, it said, arguing that only criminals have privacy since they go to elaborate lengths to hide their identities and tracks. And that’s a state of affairs that needs to change, it said.

“Some advocates of anonymity explain that it's just a tradeoff — accepting the bad uses for the good ones — but there's more to it than that,” the company said. “Criminals and other bad people have the motivation to learn how to get good anonymity, and many have the motivation to pay well to achieve it. Being able to steal and reuse the identities of innocent victims (identity theft) makes it even easier. Normal people, on the other hand, don't have the time or money to spend figuring out how to get privacy online. This is the worst of all possible worlds.”

Even so, the FBI recently carried out a massive malware attack on Tor users as it targeted a large ring of child pornography sites using Tor for hidden services.

What’s hot on Infosecurity Magazine?