How does phishing work and how can I avoid getting phished?

Phishing, the biggest mystery since magnets? Well not really. We'll explain to you exactly how they work (phishing sites that is, not magnets, nobody knows how they work), and how to keep yourself safe.

There are actually way more phishing sites out there than there are legitimate market links since they're so profitable for scammers, since they get to keep 100% of the proceeds of anything they steal from you. But with some simple precautions, you can avoid being caught out and losing your hard earned cash.

So, what exactly is a phishing site and how do they work?

While some phishing sites are simply clones of genuine sites, most modern phishing sites on the darknet are typically operated in the form of a 'Man in the Middle' (MITM) attack. What this means is the site (such as a darknet market) you see will look exactly like the what you'd expect, and your login details and other functions will typically all work as normal. This is because you are indeed making a connection with the real site, but instead of that connection being direct, it is going through a server controlled by a rogue entity, meaning they can manipulate every input and output. Think of it like a proxy, albeit a very bad type of proxy!

What happens if I use a phishing site?

The phisher will be able to access everything you enter, such as your username, password, PIN and anything else. They can also change some of what you see. For example, they could change the crypto deposit address displayed on a darknet market to a wallet address they own, meaning all of your funds will be stolen. Once they have your market login details, they could also access your account on the real market to withdraw funds if you have any deposited.

What can I do to avoid being phished?

There are a range of precautions you can take:

Check links against multiple reputable sources
If you're unsure whether a link is legitmate or not, check it against several reputable index sites. The chances are if it's listed by several sites, it's genuine. If a particular site recommends a list of indexes for obtaining mirrors, then cross-check with those first.

Verify against a site PGP key
Most darknet sites on the Tor Network that entail financial transactions such as markets will provide a PGP key and signed mirrors. You can verify the signed mirror list against their PGP key using a program such as Kleopatra. This may not help you if accessing a site for the first time, but once you know a site is legit, it is advisable to save its PGP key for future reference in case your regular mirror is down and you find yourself searching for an alternative mirror. Many sites provide a list of their mirrors at /mirrors.txt. If it's a phishing site, it's likely it either won't exist at all, or will be signed with a PGP that differs from the real one.

Activate PGP 2FA
Many markets display the onion URL in the decrypted message you are provided when logging in via PGP Two Factor Authentication (2FA). This is one of the few outputs that attackers are not able to interfere with. If the onion URL listed does not match the one shown in your address bar, do not proceed and exit the site immediately. Learn more about PGP 2FA here.

What should I do if I think I've been phished?

It is advisable not to use that account again and simply create a new one for future transactions, but if you have funds in it for example, then be sure to change your password and PIN (where applicable) at the earliest opportunity. Two-Factor Authentication (2-FA) can provide you with protection against someone else accessing an account you own, but it won't protect you against getting phished if you go to a rogue site, since the 2FA will still function as normal since it will simply be routed via the legitimate server.