Tuesday, March 12, 2024

MOST RECENT ARTICLES FROM BLEEPING COMPUTER: WebTunnel...and many more


Tor’s new WebTunnel bridges mimic HTTPS traffic to evade censorship

March 12, 2024, 12:49 PM

The Tor Project officially introduced WebTunnel, a new bridge type specifically designed to help bypass censorship targeting the Tor network by hiding connections in plain sight.
Tor bridges are relays not listed in the public Tor directory, so censors cannot simply block every relay address; they keep users' entry points into the network hidden from oppressive regimes. Some countries, such as China and Iran, have found ways to detect and block bridge connections by their traffic shape, so Tor also offers obfs4 bridges (the successor to obfsproxy), which add an obfuscation layer that hides the Tor protocol fingerprint.
WebTunnel, a censorship-resistant pluggable transport inspired by the HTTPT probe-resistant proxy, takes a different approach: instead of looking like nothing in particular, it makes Tor traffic blend in with ordinary HTTPS-encrypted web traffic.
A censor that blocks HTTPS wholesale also blocks the vast majority of connections to legitimate web servers, so WebTunnel connections are permitted along with them, including in network environments with protocol allow lists and deny-by-default policies.

"It works by wrapping the payload connection into a WebSocket-like HTTPS connection, appearing to network observers as an ordinary HTTPS (WebSocket) connection," said the Tor Project.

"So, for an onlooker without the knowledge of the hidden path, it just looks like a regular HTTP connection to a webpage server giving the impression that the user is simply browsing the web."

To use a WebTunnel bridge, you first have to obtain bridge addresses from the Tor Project's bridge distribution site (bridges.torproject.org) and add them manually to Tor Browser for desktop through the following procedure:

  1. Open Tor Browser and go to the Connection preferences window (or click "Configure Connection").
  2. Click on "Add a Bridge Manually" and add the bridge addresses.
  3. Close the bridge dialog and click on "Connect."
  4. Note any issues or unexpected behavior while using WebTunnel.
You can also use WebTunnel with Tor Browser for Android by configuring a new bridge and entering the bridge addresses after clicking "Provide a Bridge I know."
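The bridge address you paste in step 2 is a single line of the form `webtunnel ADDR:PORT FINGERPRINT url=https://... ver=...`, the layout the Tor Project publishes for this transport. The following Python is an added example (not Tor Project code) that parses such a line, rejects the mistakes a client would trip over (wrong transport name, non-hex fingerprint, non-HTTPS URL), and reports what a passive observer actually sees: a TLS session to the web server named in `url=`, whose hostname is the TLS SNI, rather than anything obviously Tor-related. The sample bridge values, the `torrc_fragment` helper and the plugin path it takes are assumptions for illustration, not real bridges.

```python
"""Parse and sanity-check a Tor WebTunnel bridge line (added example).

The line layout follows the format the Tor Project publishes for WebTunnel
bridges; the address, fingerprint and URL values used below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

# A relay fingerprint is the SHA-1 of the identity key: 20 bytes, 40 hex chars.
FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")


class BridgeLineError(ValueError):
    """Raised when a bridge line is malformed or not a WebTunnel line."""


@dataclass(frozen=True)
class WebTunnelBridge:
    address: str            # address field as written (hostname or IP literal)
    port: int
    fingerprint: str        # normalised to upper-case hex
    url: str                # https://host/secret-path the client dials
    version: Optional[str]  # ver= argument, if present

    def observable_endpoint(self) -> Tuple[str, int]:
        """Host and port a passive observer sees: a TLS connection to the web
        server named in url= (its hostname is the SNI), port 443 unless the
        URL says otherwise. The secret path stays inside the TLS session."""
        parts = urlsplit(self.url)
        return parts.hostname, parts.port or 443


def parse_webtunnel_bridge(line: str) -> WebTunnelBridge:
    """Parse `webtunnel ADDR:PORT FINGERPRINT url=... [ver=...]`."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "webtunnel":
        raise BridgeLineError(
            "expected: webtunnel ADDR:PORT FINGERPRINT url=https://... [ver=...]")
    addr_port, fingerprint, *args = tokens[1:]

    host, sep, port_s = addr_port.rpartition(":")   # rpartition copes with IPv6
    if not sep or not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        raise BridgeLineError(f"bad address:port {addr_port!r}")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]                            # strip IPv6 brackets

    if not FINGERPRINT_RE.match(fingerprint):
        raise BridgeLineError("fingerprint must be 40 hex characters")

    kv = {}
    for arg in args:
        key, eq, value = arg.partition("=")
        if not eq:
            raise BridgeLineError(f"unexpected argument {arg!r}")
        kv[key] = value
    url = kv.get("url")
    if url is None:
        raise BridgeLineError("missing url= argument")
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise BridgeLineError("url= must be an https:// URL with a hostname")

    return WebTunnelBridge(host, int(port_s), fingerprint.upper(), url, kv.get("ver"))


def torrc_fragment(bridge: WebTunnelBridge, line: str, plugin_path: str) -> str:
    """Render the torrc lines that would use this bridge. plugin_path is the
    client transport binary on this machine and is an assumption here."""
    return "\n".join([
        "UseBridges 1",
        f"ClientTransportPlugin webtunnel exec {plugin_path}",
        f"Bridge {line.strip()}",
    ])


# Constructed sample bridge line (documentation-range address, made-up values).
SAMPLE_LINE = ("webtunnel [2001:db8::1]:443 "
               "0123456789ABCDEF0123456789ABCDEF01234567 "
               "url=https://bridge.example/aBcDeFgHiJ ver=0.0.1")

if __name__ == "__main__":
    b = parse_webtunnel_bridge(SAMPLE_LINE)
    print("observer sees TLS to:", b.observable_endpoint())
    print(torrc_fragment(b, SAMPLE_LINE, "/usr/local/bin/webtunnel-client"))
```

The point the parser makes concrete: the only network-visible facts are the web server's hostname and port from `url=`; the fingerprint, the secret path and the Tor stream inside all ride within the TLS session, which is why the connection is indistinguishable from someone browsing that site.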
The WebTunnel pluggable transport was first introduced in December 2022 as an integration that could be tested using a Tor Browser test build.
It has also been available for deployment by bridge operators as part of a trial soft launch since June 2023, with the Tor Project asking for more testers in October in "regions or using Internet providers where the Tor network is blocked or partially blocked."

"Our goal is to ensure that Tor works for everyone. Amid geopolitical conflicts that put millions of people at risk, the internet has become crucial for us to communicate, to witness and share what is happening around the world, to organize, to defend human rights, and to build solidarity."

___________________________________________________________________________________


Over 15,000 hacked Roku accounts sold for 50¢ each to buy hardware

March 11, 2024, 01:49 PM

Roku has disclosed a data breach impacting over 15,000 customers after hacked accounts were used to make fraudulent purchases of hardware and streaming subscriptions.
However, BleepingComputer has learned there is more to this attack, with threat actors selling the stolen accounts for as little as $0.50 per account, allowing purchasers to use stored credit cards to make illegal purchases.

On Friday, Roku first disclosed the data breach, warning that 15,363 customer accounts were hacked in a credential stuffing attack.
In a credential stuffing attack, threat actors take username and password pairs exposed in earlier, unrelated data breaches and replay them against other sites, in this case Roku.com, succeeding wherever a user reused the same password.


The company says that once an account was breached, it allowed threat actors to change the information on the account, including passwords, email addresses, and shipping addresses.
This effectively locked a user out of the account, allowing the threat actors to make purchases using stored credit card information without the legitimate account holder receiving order confirmation emails.

"It appears likely that the same username/password combinations had been used as login information for such third-party services as well as certain individual Roku accounts," reads the data breach notice.
"As a result, unauthorized actors were able to obtain login information from third-party sources and then use it to access certain individual Roku accounts."
"After gaining access, they then changed the Roku login information for the affected individual Roku accounts, and, in a limited number of cases, attempted to purchase streaming subscriptions."
Roku says that it secured the impacted accounts and forced a password reset upon detecting the incident.
Additionally, the platform's security team investigated for any charges due to unauthorized purchases performed by the hackers and took steps to cancel the relevant subscriptions and refund the account holders.
Legitimate account holders whose accounts were hijacked should visit "my.roku.com" and click 'Forgot password?' to receive a reset link by email.
After regaining access, go to the Roku dashboard and review the account activity, connected devices, and active subscriptions to confirm everything is legitimate.
Unfortunately, Roku does not support two-factor authentication, which would stop most of these takeovers even after a reused password has been exposed, since a replayed credential alone would no longer be enough to log in.

Roku accounts are only worth 50 cents

Roku is a digital media and streaming content company offering streaming sticks and boxes, home automation kits, sound bars, light strips, and TVs running its specialized OS, allowing users to access services like Netflix, Hulu, and Amazon Prime Video.
To generate revenue, Roku also allows customers to purchase streaming subscriptions directly through their Roku account, so that all their streaming services can be managed from one place.
However, when a subscription is added, Roku stores the customer's credit card information in the online account so that it can easily be reused for future purchases.
BleepingComputer has learned that numerous threat actors are conducting credential stuffing attacks using the Open Bullet 2 or SilverBullet cracking tools.
These programs allow you to import custom configs (configuration files) that are created to perform credential stuffing attacks against specific websites, such as Netflix, Steam, Chick-fil-A, and Roku.
A researcher told BleepingComputer last week that the threat actors have been using a Roku config to perform credential stuffing attacks for months, bypassing brute force attack protections and captchas by using specific URLs and rotating through lists of proxy servers.
Successfully hacked accounts are then sold on stolen account marketplaces for as little as 50 cents, as seen below, where 439 accounts are being sold.
[Image: Stolen Roku accounts sold for as little as $0.50 on a marketplace. Source: BleepingComputer]
The seller of these accounts provides information on how to change the details on the account to make fraudulent purchases.
Those who purchase the stolen accounts hijack them with their own information and use the stored credit cards to purchase cameras, remotes, soundbars, light strips, and streaming boxes.
After making their purchases, it is common for them to share screenshots of redacted order confirmation emails on Telegram channels associated with the stolen account marketplaces.
[Image: Screenshots of fraudulent purchases shared on Telegram. Source: BleepingComputer]
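Two things in this article are detectable on the service side: the stuffing run itself (one try per username, each from a different proxy address, almost all failing, so per-IP throttling and captchas never fire) and the takeover that follows a hit (a successful login, then the email, password and shipping address are changed, then a purchase goes out). The following Python is an added example written for this article, not Roku's or BleepingComputer's code; the event format, the thresholds and the sample event stream are constructed assumptions, but the two detectors run over any similar login/account-change/purchase log.

```python
"""Detect credential stuffing and post-takeover fraud in account events.

Added example; event schema, thresholds and the sample stream below are
constructed. Each event: ts (epoch seconds), event, ip, user, and for
account_change also `field`.
"""
from collections import Counter, defaultdict

# Constructed sample stream: a stuffing run (one attempt per username, a fresh
# proxy IP each time, mostly failures) that hits one account, followed by the
# lock-out-then-buy sequence, plus one ordinary customer buying something.
EVENTS = [
    {"ts": 1000 + i, "event": "login_fail", "ip": f"203.0.113.{i}",
     "user": f"user{i}@example.net"}
    for i in range(1, 41)
] + [
    {"ts": 1041, "event": "login_ok", "ip": "203.0.113.41", "user": "victim@example.net"},
    {"ts": 1100, "event": "account_change", "ip": "203.0.113.41",
     "user": "victim@example.net", "field": "email"},
    {"ts": 1110, "event": "account_change", "ip": "203.0.113.41",
     "user": "victim@example.net", "field": "password"},
    {"ts": 1200, "event": "account_change", "ip": "203.0.113.41",
     "user": "victim@example.net", "field": "shipping_address"},
    {"ts": 1300, "event": "purchase", "ip": "198.51.100.7", "user": "victim@example.net"},
    {"ts": 1400, "event": "login_ok", "ip": "192.0.2.10", "user": "alice@example.net"},
    {"ts": 1500, "event": "purchase", "ip": "192.0.2.10", "user": "alice@example.net"},
]

SENSITIVE_FIELDS = {"email", "password", "shipping_address"}


def stuffing_windows(events, window=300, min_users=20, min_fail_ratio=0.8, max_per_ip=3):
    """Flag time windows whose logins are spread over many usernames and many
    source IPs with only a few attempts each, and mostly fail. Per-IP rate
    limits never trigger on rotated proxies; the aggregate shape still does."""
    buckets = defaultdict(list)
    for e in events:
        if e["event"] in ("login_fail", "login_ok"):
            buckets[e["ts"] // window].append(e)
    hits = []
    for bucket, evs in sorted(buckets.items()):
        users = {e["user"] for e in evs}
        per_ip = Counter(e["ip"] for e in evs)
        fails = sum(e["event"] == "login_fail" for e in evs)
        ratio = fails / len(evs)
        if (len(users) >= min_users and ratio >= min_fail_ratio
                and max(per_ip.values()) <= max_per_ip):
            hits.append({"window_start": bucket * window, "attempts": len(evs),
                         "distinct_users": len(users), "distinct_ips": len(per_ip),
                         "fail_ratio": round(ratio, 2)})
    return hits


def takeover_sequences(events, horizon=3600):
    """Flag accounts where a successful login is followed within `horizon`
    seconds by a change to a contact or delivery field and then a purchase:
    the change-details-so-the-owner-never-sees-the-receipt pattern."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    flagged = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["event"] != "login_ok":
                continue
            changed, bought = set(), False
            for f in evs[i + 1:]:
                if f["ts"] - e["ts"] > horizon:
                    break
                if f["event"] == "account_change" and f["field"] in SENSITIVE_FIELDS:
                    changed.add(f["field"])
                elif f["event"] == "purchase" and changed:
                    bought = True        # purchase only counts after a change
            if changed and bought:
                flagged.append({"user": user, "login_ip": e["ip"],
                                "login_ts": e["ts"], "changed": sorted(changed)})
                break
    return flagged


if __name__ == "__main__":
    for h in stuffing_windows(EVENTS):
        print("stuffing window:", h)
    for t in takeover_sequences(EVENTS):
        print("takeover:", t)
```

The stuffing detector deliberately keys on the population shape (many users, many IPs, few attempts per IP, high failure rate) rather than on any single address, because the whole purpose of the proxy rotation described above is to keep every address under the per-IP threshold. The takeover detector is what should gate the purchase: a shipping-address or email change shortly after a login from a new address is the moment to require re-authentication or hold the order, and the ordinary customer in the sample, who logs in and buys without touching those fields, is not flagged.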

Recently, Roku has been under fire for making changes to its "Dispute Resolution Terms" and preventing customers from using their streaming devices until they agree to them.

[Image: Roku prompting users to agree to new terms. Source: AJCxZ0 on Roku Community Forums]
These new terms force customers to first handle any complaints through an in-person, phone, or video call with the company's legal representatives before a claim can be filed in arbitration.
However, as shown in the image above, there is no way to continue using a Roku streaming device without first agreeing to the terms.
A source told BleepingComputer that the new Dispute Resolution Terms are in part related to the ongoing credential stuffing attacks and financial fraud being conducted through the hacked accounts.

Update 3/11/24: After the publication of our article, Roku disputed what we were told, stating that the new Dispute Resolution Terms are not related to the hacked accounts and fraudulent activities.
