TORRENT SITE PROXIES RIFE WITH MALWARE INJECTING SCRIPTS
New research shows that torrent site proxies, which are often used to access blocked sites, are rife with malware and suspicious ads. From a sample of more than 6,000 sites more than 99% were found to insert their own code. According to researcher Gabor Szathmari some of these sites pose a great security risk.
In many countries including the UK, Italy, Denmark and France, the leading torrent sites are no longer freely accessible.
These court-ordered blockades requested by the music and movie industries are becoming widespread, but so are the tools to circumvent them.
For every domain name blocked, many proxies and mirrors emerge. These sites allow people to access the blocked sites and effectively bypass the restrictions put in place by the court.
Initially, the proxy sites were launched to help users gain access to their favorite torrent sites. However, more recently the demand for circumvention tools is being abused by people who are out to make hard cash.
Instead of offering a simple workaround, many proxies add their own scripts. In some cases these scripts are harmless, but according to security researcher Gabor Szathmari the majority serve questionable content.
Szathmari examined a sample of 6,158 proxy sites and found that over 99% added their own code. Only 21 sites in the sample did not modify the original site.
The researcher informs TF that many of the researched proxies are suspicious because they use code that is either obfuscated or has a lot of random redirects. These scripts pretty much all use the proxyads.net domain name.
Taking a closer look at the proxies reveals that several of the ads link to malware. In addition, one of the scripts generated fake views of car racing videos in the background.
The original torrent sites, including The Pirate Bay, KickassTorrents and ExtraTorrent, are aware of the problem and are trying to minimize the damage by blocking suspicious proxies and mirrors.
"It's a serious issue. We have been fighting against it for a long time," the ExtraTorrent team informs TF.
ExtraTorrent has been able to block several proxies, but they can't do anything against those that use a cached version of the site. To guide users in the right direction they therefore publish a list of official mirrors on their site.
The KickassTorrents (KAT) team informs TF that they don't have any official proxies, although this may change in the future. They ask users to be cautious and not to enter their account details at proxy sites, as these can be easily stolen.
"It's definitely bad idea to enter Kickass credentials on any of the proxies – this way original Kickass account can be easily hacked," The KAT teams says.
Copyright holders often warn that pirate sites may serve malware, but this research suggests that they are only making the problem worse by censoring the original sites.
"I am an advocate for unfiltered Internet, and this example shows that censorship can violate the security of end-users," Szathmari tells TF.
Of course, some of the original sites may also run dubious ads, but the malicious proxies appear to be much worse and should be avoided.
"I would advise downloaders to always use the original sites or the official proxy sites whenever possible," the researcher says.
"If the original sites are blocked by the ISP, I would recommend to bypass the filtering with a reputable VPN service that does not modify traffic, or a reputable mirror that does not alter the website in any way."
Szathmari published the full findings and his research methodology in a recent blog post.
Update: most of the proxy sites above are operated by the "ProxyHouse" group. ProxyHouse informed us that they contacted their advertising network PropellerAds about the malicious ads. They also clarified that they have always disabled logins on their sites.
The ProxyHouse group operates over 17,000 proxy sites for KickassTorrents, ThePirateBay, YTS, ExtraTorrent and 1337 and complies with DMCA takedown notices.