Researcher finds Torrent censorship bypassing proxy websites are loaded with malware injecting scriptsMost of the Torrent site proxies which are used to access the blocked sites have shown to contain malware and pose a great security threat.
Some of the big ISPs in UK, Italy, Denmark and France have all blocked the leading torrent sites; however movie and music lovers are still finding out ways and means to bypass these restrictions. One of the most popular ways to circumvent the filters is by using proxies and mirrors. It has been observed that for each of the blocked domains there emerges some corresponding mirror or proxy site which helps users to access their favorite blocked sites and circumvent the restrictions levered by the court. Basically, these proxy and mirror sites came into existence just as a means to help people to get an access to their favorite torrent sites. Sadly, though in the recent times some people who just want to make quick money are abusing these circumvention tools and services. It is possible to bypass the filters with the help of simple workarounds, however the proxy sites add some of their own scripts and various advertisements to these tools. A British, Information security consultant, Gabor Szathmari says that some of these scripts are actually harmless; however a majority of them do pose security threat to the user’s computer. During his study, Szathmari examined around 6,158 proxy sites and discovered that around 99% of the lot had their own code and surprisingly only 21 sites had not modified the original site! In addition he says that the proxies which he examined are pretty suspicious because the codes that they use either directs the user further to a lot of random sites or they are very much complicated and puzzling. The security researcher also mentioned that all these scripts seem to be using the same domain name and that is ‘proxyads.net’. Szathmari told TorrentFreak : “Ninety-nine-point-seven percent of the tested mirrors are injecting additional JavaScript into the Web-browsing traffic. A great share of these scripts serve content with malicious intent, such as malware and click fraud.” During his study, Szathmari found that the ads and the scripts presented by these proxies link to malware. He also noted that the scripts could even generate fake videos.
He explained that though these proxy sites help users to access their favorite torrent sites; however users are first bombarded with advertisements that are fully loaded with malware. Most of the times, these proxy site operators join hands with the torrent sites are paid to broadcast these advertisements. It could be possible that if the original website is not able to host the ads then the sites which operate as proxy would be ready to take the paycheck and thus take undue advantage of the situation and also successfully infect user’s computer with unwanted malware. According to Szathmari, the torrent sites such as The Pirate Bay, KickassTorrents and ExtraTorrent, are already aware of this problem and as a preventive measure they say they are blocking the suspicious and malicious proxies and mirrors. ExtraTorrent group stated that,”It’s a serious issue. We have been fighting against it for a long time,” they went on to add “Most unauthorized proxy websites loaded ExtraTorrent in a frame and added malware JavaScript code or replaced ET’s banners with others.” On the other hand, ExtraTorrent was successful in blocking several proxy sites; however they were not able to stop those proxy and mirror sites which use a cached version. The next step taken by the ExtraTorrent team was to publish a list of official mirrors on their site so that they can help users to access the right proxies or mirrors. When TF approached KickassTorrents (KAT) team, they informed that currently their site does not have any official proxies; however they cannot guarantee this in future. For now, KAT team have urged their users not to entire the details of their accounts in any of the proxy sites as these sites may contain malware which can store their details. KAT team says: “It’s definitely bad idea to enter Kickass credentials on any of the proxies – this way original Kickass account can be easily hacked.” Copyright holders are also warning people regarding the security threat which these pirate sites pose; however Szathmari concludes that according to the study he conducted it is clear that the problem has basically emerged due to censoring the original sites, thus he feels that internet censorship is the root cause of this internet insecurity! One of the the best solution in the present scenario would be to simply avoid all proxy and mirror sites. Definitely, we cannot just ignore the fact that some of the original sites might also contain malware. The researchers adds: “I would advise downloaders to always use the original sites or the official proxy sites whenever possible.” He further said: “If the original sites are blocked by the ISP, I would recommend to bypass the filtering with a reputable VPN service that does not modify traffic, or a reputable mirror that does not alter the website in any way.” It seems most of the proxy sites are being operated by the “ProxyHouse” group. ProxyHouse has already taken the essential steps, they have informed their advertising network regarding this malicious attacks via advertisements. It seems ProxyHouse group operates over 17,000 sites for most of the well known piracy sites and it even complies with DMCA takedown notices. The entire details of his study including his methodology has been published by Szathmari in his recent blog post.