
Understanding Tor Nodes: The Anonymous Tunnel Into Your Network

Speculus Research·May 2026·7 min read

Summary

Most business owners think they have a hardened environment: a firewall in place, MFA enabled, security all figured out. But neither of those controls tells you who is actually on the other end of a connection. If a Tor exit node is sending traffic into your network (and for any internet-facing service, it almost certainly is), that traffic reaches your servers anonymously: the exit node's IP address is all you see, and it cannot be traced back to the person who started the connection. Note that Tor's own encryption ends at the exit node; whether the final hop to your server is encrypted depends on whether your service uses TLS, not on Tor.

At Speculus our mission is to make network threat intelligence accessible and simple to understand for companies of all sizes. Our goal today is to help you understand what a Tor node is.

Understanding Tor Nodes

To understand this concept, you must first understand The Onion Router, better known as Tor. A normal internet connection goes straight from your machine to its destination. A Tor connection instead wraps your traffic in three "onion" layers of encryption, one per hop, and sends it through a circuit of three relays (also called nodes). Each relay peels off exactly one layer, and each learns only what its own layer reveals:

The First Layer: known as the "Entry" or "Guard" Node. This relay knows who you are but doesn't know where you're headed.

In more technical terms, the Entry Node sees your IP address (and therefore knows that you are using Tor), but it cannot see the final destination of your data or the content of your request, because that information is still encrypted for the subsequent layers.

The Second Layer: known as the "Middle Node". This relay knows neither who you are nor where you're headed; it simply relays traffic between the Entry Node and the Exit Node.

The Middle Node sees that data is coming from the Entry Node and sends it on to the Exit Node, but because of the remaining layers of encryption, it knows neither your original IP address nor the site you are visiting.

The Third Layer: known as the "Exit Node". This relay knows where you're headed but doesn't know who you are.

The Exit Node strips away the final layer of Tor encryption and delivers your request to the destination, but it only sees the IP of the Middle Node, so it has no way of knowing which user started the connection. It is the only part of the circuit that communicates with the open internet, meaning your servers and endpoints. It is also the point where Tor's own encryption ends: if the request is plain HTTP, the exit node (and anything between it and your server) can read and alter it, which is one more reason any service worth protecting should only be reachable over TLS.
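To make the three views concrete, here is an added toy simulation of the layering described above. It is not Tor's code and not its real protocol: the client IP, relay IPs, destination and pre-shared per-hop keys are all constructed, real Tor negotiates a fresh key with each hop via the ntor handshake and uses AES-CTR in fixed-size cells, and the SHA-256 keystream XOR below is a stand-in used purely so the example runs stand-alone. What it does show faithfully is what each relay can observe once it has peeled its own layer:

```python
"""Toy simulation of Tor's three-layer onion routing (added example).

Not Tor's real protocol: keys are pre-shared here as a simplifying
assumption, and the cipher is a SHA-256 keystream XOR standing in for
AES-CTR. The point is what each hop can and cannot see.
"""
import base64
import hashlib
import json

CLIENT_IP = "198.51.100.7"          # constructed (RFC 5737 range)
DESTINATION = "203.0.113.80:443"    # constructed target service

# Constructed circuit: (role, relay IP, pre-shared symmetric key).
CIRCUIT = [
    ("guard",  "192.0.2.10", b"guard-key"),
    ("middle", "192.0.2.20", b"middle-key"),
    ("exit",   "192.0.2.30", b"exit-key"),
]


def _keystream(key: bytes, length: int) -> bytes:
    """Expand a key into `length` pseudo-random bytes (toy, not for real use)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a keystream: symmetric, so one call both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def build_onion(request: str) -> bytes:
    """Client side: wrap the innermost (exit) layer first.

    Only the exit layer carries the real destination and the request.
    Each outer layer names just the next relay and carries an opaque blob."""
    guard, middle, exit_ = CIRCUIT
    layer = json.dumps({"type": "deliver", "next": DESTINATION,
                        "payload": request}).encode()
    blob = toy_cipher(exit_[2], layer)
    layer = json.dumps({"type": "relay", "next": exit_[1],
                        "payload": base64.b64encode(blob).decode()}).encode()
    blob = toy_cipher(middle[2], layer)
    layer = json.dumps({"type": "relay", "next": middle[1],
                        "payload": base64.b64encode(blob).decode()}).encode()
    return toy_cipher(guard[2], layer)


def run_circuit(request: str) -> dict:
    """Walk the onion through the three relays and record what each observes:
    the previous hop, the next hop, and plaintext (only at the exit, and only
    because this toy request is not itself wrapped in TLS)."""
    views = {}
    prev_ip, blob = CLIENT_IP, build_onion(request)
    for role, relay_ip, key in CIRCUIT:
        layer = json.loads(toy_cipher(key, blob))      # peel exactly one layer
        views[role] = {
            "sees_prev": prev_ip,
            "sees_next": layer["next"],
            "sees_plaintext": layer["payload"] if layer["type"] == "deliver" else None,
        }
        prev_ip = relay_ip
        blob = base64.b64decode(layer["payload"]) if layer["type"] == "relay" else b""
    return views


if __name__ == "__main__":
    for role, view in run_circuit("GET / HTTP/1.1").items():
        print(role, view)
```

Running it shows the guard's view containing the client IP but only the middle relay as "next", and the exit's view containing the destination and the plaintext request but no trace of the client IP. Swap the request for a TLS handshake and the exit's "sees_plaintext" would be ciphertext, which is the defender's side of the TLS point made above.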

Why Tor Nodes Can Be Dangerous

While the three layers provide privacy for everyday users, they also give attackers a convenient place to hide.

Threat actors have been observed using Tor for a number of malicious purposes. Consider the following scenarios:

Scenario A: (Persistent Botnets)

A hacker embeds a .onion address in a malware binary. When a computer is infected, the malware connects to the Tor network to "call home" (known as beaconing). Since the C2 server is an onion service (hidden service), it has no public IP address, making the connection extremely hard to trace back to the threat actor. From the defender's side, what you actually see is an internal host connecting to a Tor guard relay, not to the attacker's server, so outbound connections to known Tor relays from hosts that have no business using Tor are themselves a strong signal.

Scenario B: (Ransomware Data Leaks)

Threat actor groups host "leak sites" on Tor. They also use the Tor network to move gigabytes of stolen data from a victim's network to their own servers without being stopped by geo-IP egress blocking: from inside the victim's network the traffic is only ever seen going to a Tor guard relay, never to the attacker's infrastructure, and that guard relay can sit in any country, including one the victim's policy allows.

Scammers have used Tor for years as well. The scenarios below are examples of the activity we have observed:

Scenario C: (Bypassing E-commerce Fraud Filters)

Scammers use Tor to automate testing of stolen credit card numbers ("card testing") on small-ticket items to learn which cards are still active.

Most payment gateways flag multiple failed transactions from the same IP as high-risk. A scammer runs a script that attempts a small purchase, then requests a new Tor circuit (and with it a new exit node IP) before the next attempt.

To the e-commerce site, it looks like 50 different customers from 50 different countries shopping at once, letting the scammer validate thousands of cards without their own IP ever being blacklisted. The tell is that every one of those "customers" arrives from a known Tor exit and carries the same automation fingerprint.

Scenario D: (Ad Fraud & Click Farms)

Scammers use Tor to automate thousands of clicks on ads or affiliate links. Because each click arrives from a different exit node IP, the ad network's fraud detection sees them as unique, legitimate visitors rather than a single script run by a single person.
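Because the exit node is the only Tor hop that ever connects to your server, the practical first check is to match the client IPs in your access logs against the published exit list and then look at what the matched requests are doing. The following added example (not code from Speculus or the Tor Project) does that over constructed nginx/Apache combined-format log lines and a constructed exit list in the one-address-per-line format that the Tor Project's bulk exit list (https://check.torproject.org/torbulkexitlist) serves. It flags the pattern from the card-testing scenario above: one automation fingerprint rotating across several exits against a single endpoint, which a per-IP rate limit cannot see. The window and threshold values are assumptions to tune for your own traffic:

```python
"""Match web-server log lines against a Tor exit list and flag one actor
rotating across many exits (added example; all data below is constructed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed exit list in the bulk-exit-list format (one IPv4 per line).
# In production, fetch and refresh it at least hourly; exits churn constantly.
EXIT_LIST_TEXT = """\
192.0.2.11
192.0.2.12
192.0.2.13
192.0.2.14
"""

# Constructed combined-format access log: five card-testing attempts from
# four different exits with one User-Agent, one legitimate non-Tor checkout,
# and one Tor user simply reading the blog.
LOG_LINES = [
    '192.0.2.11 - - [10/May/2026:14:02:01 +0000] "POST /checkout HTTP/1.1" 402 512 "-" "python-requests/2.31"',
    '192.0.2.12 - - [10/May/2026:14:02:07 +0000] "POST /checkout HTTP/1.1" 402 512 "-" "python-requests/2.31"',
    '192.0.2.13 - - [10/May/2026:14:02:13 +0000] "POST /checkout HTTP/1.1" 402 512 "-" "python-requests/2.31"',
    '192.0.2.14 - - [10/May/2026:14:02:19 +0000] "POST /checkout HTTP/1.1" 200 1033 "-" "python-requests/2.31"',
    '192.0.2.11 - - [10/May/2026:14:02:25 +0000] "POST /checkout HTTP/1.1" 402 512 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/May/2026:14:02:30 +0000] "POST /checkout HTTP/1.1" 200 1033 "https://shop.example/cart" "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"',
    '192.0.2.11 - - [10/May/2026:14:05:44 +0000] "GET /blog/tor HTTP/1.1" 200 8810 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def load_exit_list(text: str) -> frozenset:
    """Parse the one-address-per-line list, ignoring blanks and comments."""
    return frozenset(
        line.strip() for line in text.splitlines()
        if line.strip() and not line.startswith("#")
    )


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def tor_requests(lines, exits):
    """Requests whose client IP is a known exit: the only Tor hop you ever see."""
    recs = (parse_line(line) for line in lines)
    return [r for r in recs if r and r["ip"] in exits]


def rotating_actors(requests, window_seconds=60, min_exits=3):
    """For each (User-Agent, path) pair, the largest number of distinct exit IPs
    seen inside any sliding window. Grouping on what the script cannot easily
    rotate (its fingerprint and target) exposes what per-IP limits miss."""
    groups = defaultdict(list)
    for r in requests:
        groups[(r["ua"], r["path"])].append(r)
    window = timedelta(seconds=window_seconds)
    flagged = []
    for (ua, path), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        best = 0
        for i, start in enumerate(recs):
            seen = set()
            for r in recs[i:]:
                if r["ts"] - start["ts"] > window:
                    break
                seen.add(r["ip"])
            best = max(best, len(seen))
        if best >= min_exits:
            flagged.append({"ua": ua, "path": path, "distinct_exits": best})
    return flagged


if __name__ == "__main__":
    exits = load_exit_list(EXIT_LIST_TEXT)
    reqs = tor_requests(LOG_LINES, exits)
    print(f"{len(reqs)} of {len(LOG_LINES)} requests came from Tor exits")
    for hit in rotating_actors(reqs):
        print("rotating actor:", hit)
```

Note what the example does not do: it does not treat the lone Tor reader of /blog/tor as hostile, which is the point the next section makes about context over blanket blocking. The same list-matching applied to outbound firewall logs, but against the full relay list rather than the exit list, is how you would catch the beaconing pattern from Scenario A.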

How Speculus Solves this problem

We help companies identify malicious Tor node activity by providing the context behind the IP. We don’t just flag a Tor node as “bad” simply because it’s part of the Tor network. We go a step further, validating the specific activity that has recently originated from that source and analyzing the network traffic it is currently creating.

The core of our data is powered by our partners at Scamalytics, which already allows us to precisely identify Tor nodes. We extend those capabilities to give you the story behind what each Tor node is doing and has done historically, through our threat intelligence data and through behavioral analysis performed by our network of Speculus nodes trained to identify bad activity.

We tackle this problem in two primary ways:


By feeding our Threat Intelligence data directly into your existing security stack, you gain access to live Threat Maps, automated Detection Rules, and Custom Playbooks. This ensures that when an incident occurs, your team isn’t wasting a second. We make sure you have the data you need to act fast.