How To Avoid A Honeypot.
There are many different definitions of a “honeypot” one will find on the Internet that covers both technical terms or otherwise. Let us first make it clear on what a honeypot actually represents in technical terms, so as to prevent further misunderstandings.
A honeypot in Darknet and Internet slang in general represents a website that has a purpose of acquiring certain information about its users. The name stems from the term “you will trap more flies using honey,” meaning that the content of the website in question is used to lure in the users and trap them. The difference between a honeypot and an ordinary website that gathers some basic user information is that honeypot uses much more intrusive methods, and the information they are gathering can in most cases be used to identify the person behind the computer or worse, steal their personal information.
What is Honeypot used for?
It is important to note that not all honeypots are used for malicious purposes. While most of them are set up in an attempt to illegally acquire user’s information, in some cases that information is used for purely research purposes.
Nonetheless, it is always important to be able to recognize and avoid a honeypot, since most of them will abuse our data in one way or the other.
Types of Honeypot
There are two types of honeypot in general, and the difference between them is largely in the people who are setting them up. The first type is a honeypot set up by federal agencies used to catch criminals or record criminal activity.
The first type is a honeypot set up by federal agencies used to catch criminals or record criminal activity. These are mostly present on Darknet and differ slightly depending on what type of criminals they are made to catch. For example, a honeypot made to catch Darknet marketplace users who are buying drugs will often come in a form of a newly opened marketplace, or a marketplace that has recently been reopened after a prolonged period of activity.
This means that while the site was inactive, some federal agency or someone else has managed to infiltrate the site, which in turn gives them full control over it.
At this point, it is easy for them to implement some changes to the site that are invisible to the user, but can have serious consequences if said user is unaware that they are being monitored.
Even if the user is careful when it comes to their personal information, for example using PGP to encrypt his messages, the owner of the honeypot can replace the encryption key with the one they control ultimately tricking the user into giving them their personal information.
Another possibility and we are still talking about Darknet marketplaces here, is that if it is under control of some federal agency, they will be able to create “fake” vendor accounts that will be used for catching and charging buyers.
But not only marketplaces can become a honeypot, but there are also quite a few cases of forums becoming one as well. Pretty much any site on Darknet that has ties to illegal operations could, in fact, be a honeypot of some sort or is under threat of becoming one.
The other type of a honeypot site are those set up by a single person or organization and these are almost exclusively used for stealing personal information or some other malicious intent.
These types of honeypots will often attempt to discover information including full name of the user, their personal or corporate email address, credit card information and such. There is a large market for stolen personal information on Darknet, and this is one of the ways to supply that market.
Methods for compromising data
There are different ways in which honeypot work, but the most common one is the use of phishing links.Phishing links are essentially “fake” links that will lead to a clone of a certain site and then prompt the user to enter their login information.
The site then records the said information and sends it to the owner of the site.
While phishing links are less common on legitimate sites due to the fact that the links on said sites are regularly checked, on honeypot sites the owner of the site is aware that the links are malicious, since they put them there in the first place. Another way one can compromise their data is if they download any file from a honeypot site. These files often contain some sort of malicious software and after they are downloaded the software will have easy access to all the data stored on that computer.
There was a case of a person setting up honeypot sites in order to attempt to identify users who frequent child pornography sites on Darknet. This is one case where I am glad these scum bags were caught by using a honeypot site.
Among other systems designed to determine accurately who the person behind the Darknet username is, there was a scanner that was supposed to scan the computer of a person using it in order to determine whether their system is secure.
What the users were not aware of was the fact that when they downloaded something, executable software at that, from an untrusted site, they immediately exposed all their personal information to the owner of that software.
How to prevent falling victim to honeypot sites
Given all this information it becomes clear that protecting one’s personal information can be quite a daunting task when entering Darknet. Luckily, there are several ways to identify a possible honeypot site and even more ways to avoid them altogether. As with most things in life, “prevention is the best cure,” meaning if you never stumble onto honeypot sites, the list of things to worry about shortens by one entry.
Unfortunately, there is no surefire way of never visiting such a site, but a good start is to always check the link you are on. Most of the time difference between a phishing link and a legitimate one is in a single character.
This leads us to the next important thing tied to links on Darknet and that is to only click on a link if it comes from a VERY trusted source.
Another good practice is to check sites and forums that talk about Darknet.Reddit.com, since many of those will have some sort of blacklist of sites and hidden services that are proven to be a honeypot. This, of course, is not a 100% way to protect yourself since a newly launched honeypot site will not be marked yet.Also, as mentioned before, if a certain site is brought down without any notice and then it starts operating again after a long period of time, there is a good chance that it has become a honeypot.
This is especially important to note if said site is a marketplace or forum with ties to illegal activity since it is a common tactic of federal agencies to use captured marketplaces to lure in and arrest both vendors and buyers.
If one decides to send their personal information using PGP encryption, it is important to check and compare the PGP key they have with the one provided by those we wish to communicate with.
This can be tricky if we are communicating with someone for the first time, but such cases are rare.
Ultimately we should always be reluctant to give away personal information and on the off chance that it must be done, only the most basic information should be given.
Lastly, there are several ways that can and should be used in order to prevent a less direct attempt a honeypot site can make at identifying you. While these methods might prove to be overkill for a casual Tor user, somebody who is planning to do more than just browsing should consider them. Using a good VPN before Tor is the least one can do in order to protect their anonymity.
Since the point of honeypot sites used by federal agencies is to identify the person using a certain account, it can be a good idea to hide Tor usage from your Internet Service Provider. If you are so unlucky and use monitored entry and exit nodes, your IP can be determined through series of calculations unless you also use a VPN.
If you are using a VPN with Tor then when the feds trace the IP address back then it will lead to a pool of thousands of users using the same IP, so it makes it impossible to trace it any further, at least if you are using a good VPN that keeps no logs.
Other possible layers of protection include the use of Tails OS and proxies, but those require a certain degree of technical knowledge to set up properly and are not absolutely necessary for a casual Tor user.
You should also not open any documents downloaded from the Darknet unless absolutely necessary, if you do then make sure to scan it for malware and viruses, keep it stored on a USB drive so it can’t access your PC while you are no there, and best of all try to only open on a separate PC that is completely disconnected from the internet.
The fact that Darknet is not nearly as large as its Clearnet counterpart and that it is much less monitored, means that illegal actions like honeypot sites are a lot more common. Since there is none to monitor and conduct legal action to take them down, honeypot sites can stay operational for as long as their owners want them to.
Luckily, most of these honeypot sites are uncovered by the community after some period of time, and one can find information about specific sites being honeypots quite easily.
Nonetheless, there are new hidden services and marketplaces appearing every day on Darknet, and it is never a certainty if some of them are more than what they seem to be.