
In the footsteps of human curiosity

Have you ever spent time on the wonderful site "Odnoklassniki.ru"? If so, you probably know that Odnoklassniki has, and has always had, a “My guests” feature. With it you can view the profiles of people who visited your page. VKontakte is a different matter: it has no such feature and never has. But not everyone is ready to accept that. Some look for ways to satisfy their vanity, and attackers were quick to take advantage of it.

image

Vyacheslav Zakorzhevsky, senior virus analyst at Kaspersky Lab, followed in the footsteps of human curiosity.



image


Official explanation from the administration of VKontakte



Almost from the moment VKontakte appeared, websites and programs that supposedly provide access to the “guests” have been actively promoted. In reality, each of them turned out to be either a trojan or a simple SMS scam. Regrettably, the situation has not changed for the better in a few years. Here is the result of a Google search:


image



Some users still hope and look for a magical way to find out who is interested in them. I decided to check out the first page of Google results.



image






Thousands of them! In total, 8 out of 10 links led to fraudulent resources, which is impressive. Most of these sites show an animation after “activation of the scanner” in order to convince the user that the service is real. After that they usually ask the user to send an SMS to a premium number or activate a subscription. In most cases, such sites have no rules for the provision of services, unlike other SMS scams, where the agreement at least says what is provided, for example a joke program or a game. One of the fraudulent pages did have a link to the “rules for the provision of services”, but the screenshot below makes everything clear :)



image



However, besides the relatively harmless scam for money, the user may lose the account altogether if he decides to download a program for viewing guests.



image



I downloaded this Vk-Visit, which is written in Borland C++ and takes up as much as 6 megabytes, and opened it in IDA. It turned out that the program sends the entered email and password to the attacker's server in cleartext.



image



I didn’t stop there and investigated the scammer's server a bit. On it I found pictures in the style of "VKontakte guests", PHP pages with scripts, and a file containing stolen logins and passwords in the clear. We have already informed the VKontakte administration about the information found.



image



Besides losing an account or money, the user is also at risk if he searches for “guests in contact” from a mobile device. After searching for a similar phrase on Google with a mobile user-agent, I was redirected several times to pages offering to “refresh the browser”, or a mobile application started downloading right away.



image



As expected, it turned out to be mobile malware for Android that sends SMS messages to premium numbers without the user's knowledge.



Behind most of these fraudulent sites are affiliate programs that are well known to us. I will not review them in this post. As an example, I will show only the one responsible for the distribution of “Jimm2_.apk” from the previous screenshot.



image



We are actively engaged in detecting all such fraud: we block websites and detect malware for mobile devices and PCs, i.e. we try to make the life of scammers as difficult as possible. However, we should not forget that the rescue of drowning people often lies in their own hands. In our case, this means that users should restrain their curiosity and treat attractive offers on the network with a reasonable degree of skepticism. But is it possible to eradicate Internet naivety?

Source: https://habr.com/ru/post/138543/


