Yesterday did not start as usual for the REG.RU technical support service: the number of requests was higher than on any other May day. In their letters, people asked to unblock Google, show Yandex, open access to Twitter, and so on.

At a certain point, there were already so many letters that it looked like some kind of flash mob.

At the same time, the traffic statistics for reg.ru showed a surge in referrals from pages of the social network vkontakte.ru. That was the first coincidence; the next one is even more interesting...
The incident was only beginning to grow in scale, and the company's specialists were already examining the statistics in detail: 2-3 referrals were made from thousands of pages of different VKontakte users, yet none of these pages mentioned REG.RU.
(Screenshot from Google Analytics)
But the page of one event looked very suspicious, with only about a dozen referrals from it since the beginning of the day: vkontakte.ru/event27158053. The event mentions a program that makes VKontakte gifts free and has a download link, _ttp://vkliker.ru/FreePresents.exe (do not run it, it contains a trojan!).
The employees made a test download of the application. It turned out to be unoriginal: it adds records of the form “IP address - domain name” to the hosts file for a number of resources.
The IP address 95.163.12.18 serves a VKontakte phishing page. A user who has run the program lands on the fake page, enters their credentials and receives a warning about a login error. Meanwhile, their login and password have already been sent to the attacker.
Coincidence number two. A few days ago, a person contacted technical support, introducing himself as the owner of the hosting for the domain vkliker.ru. He asked why the method of checking a site by adding an entry to the %WINDOWS%/system32/drivers/etc/hosts file, before the DNS servers are updated, was not working.
The caller claimed that the method did not work and that an error page was displayed at the site's address when it was used. While clarifying the details, the employee heard the phrase:
“Alexander, this method does not work for me, I add other domains besides my own, and they do not work”. The hosting support specialist, suspecting dishonest intentions, verbally warned the client that his actions might fall under the definition of “phishing”, i.e. be illegal. The client preferred to end the conversation without answering.
The scammer failed to configure the additional IP address of the virtual hosting properly. As a result, the "infected" visitors who had downloaded and launched the malicious FreePresents.exe were shown not a phishing page but a REG.RU stub page saying that the page does not exist. Infected users typed vkontakte.ru into the browser and landed on a 404 error page reporting that no such page exists. The upset users therefore wrote to the first contact listed on that page, namely REG.RU support.
The 404 page, which nobody likes, miraculously saved the accounts of thousands of VKontakte users (note: the word “thousands” is based on the number of hits to this page in the first half of the day).
The REG.RU team responded as quickly as possible by putting up a dedicated page that notified users of the hacking attempt, gave instructions on cleaning the hosts file, and recommended changing the account password just in case and no longer running suspicious files on the computer.
From all this we can conclude that free cheese is found only in a mousetrap (after all, the very image on the event page hints at this).
