New research shows that torrent site proxies, which are often used to access blocked sites, are rife with malware and suspicious ads. From a sample of more than 6,000 sites more than 99% were found to insert their own code. According to researcher Gabor Szathmari some of these sites pose a great security risk.

In many countries including the UK, Italy, Denmark and France, the leading torrent sites are no longer freely accessible.

These court-ordered blockades requested by the music and movie industries are becoming widespread, but so are the tools to circumvent them.
For every domain name blocked, many proxies and mirrors emerge. These sites allow people to access the blocked sites and effectively bypass the restrictions put in place by the court.
Initially, the proxy sites were launched to help users gain access to their favorite torrent sites. However, more recently the demand for circumvention tools is being abused by people who are out to make hard cash.
Instead of offering a simple workaround, many proxies add their own scripts. In some cases these scripts are harmless, but according to security researcher Gabor Szathmari the majority serve questionable content.
Szathmari examined a sample of 6,158 proxy sites and found that over 99% added their own code. Only 21 sites in the sample did not modify the original site.
“99.7% of the tested torrent mirrors are injecting additional JavaScript into the web browsing traffic. A great share of these scripts serve content with malicious intent such as malware and click-fraud,” he notes.
The researcher informs TF that many of the researched proxies are suspicious because they use code that is either obfuscated or has a lot of random redirects. These scripts pretty much all use the domain name.
Taking a closer look at the proxies reveals that several of the ads link to malware. In addition, one of the scripts generated fake views of car racing videos in the background.
The original torrent sites, including The Pirate Bay, KickassTorrents and ExtraTorrent, are aware of the problem and are trying to minimize the damage by blocking suspicious proxies and mirrors.
“It’s a serious issue. We have been fighting against it for a long time,” the ExtraTorrent team informs TF.
“Most unauthorized proxy websites loaded ExtraTorrent in a frame and added malware JavaScript code or replaced ET’s banners with others,” they add.
ExtraTorrent has been able to block several proxies, but they can’t do anything against those that use a cached version of the site. To guide users in the right direction they therefore publish a list of official mirrors on their site.
Copyright holders often warn that pirate sites may serve malware, but this research suggests that they are only making the problem worse by censoring the original sites.
“I am an advocate for unfiltered Internet, and this example shows that censorship can violate the security of end-users,” Szathmari tells TF.
Of course, some of the original sites may also run dubious ads, but the malicious proxies appear to be much worse and should be avoided.
“I would advise downloaders to always use the original sites or the official proxy sites whenever possible,” the researcher says.
“If the original sites are blocked by the ISP, I would recommend to bypass the filtering with a reputable VPN service that does not modify traffic, or a reputable mirror that does not alter the website in any way.”
Szathmari published the full findings and his research methodology in a recent blog post.