Blocker classmates and other sites
Maybe not so new direction, but only now this has been noticed.
Today I waspleasantly surprised that I was blocked on classmates. There was no suspicion of fraud. Reason for blocking:
And the phone entry field.
There were no suspicions, everything looked realistic. And my photo and photos of friends and other that was inherent only in my page.
The only thing that embarrassed is that I did not open classmates! That is why drew attention to the site address. It turned out to be odnoklssniki.info/under . Immediately you can not see that the domain is "left".
And very few people will look at the domain if the user data is real.
')
Checked on friends. More than half of the people (in particular those not connected with IT) did not notice anything suspicious here and were ready to enter their number.
A study of the page source showed the structure:
The key point was the frame leading to this site classmates. If a person was already authorized, then his page was displayed, which served as the best cover.
It was strange that in such a large social network as classmates, there was no check for work inside the frame or exit from under the frame.
Setting up this script was very simple, even comments were left!
As you can see, the payment did not go straight, but was disguised as payment for access to download files from the megashara.24n6.ru file hosting service, to whom the payment was made was determined via the feed specified in the configs.
The 24n6.ru website contains the rules (http://24n6.ru/subscription_rules.php) for the service, where it is stated that the cost is from 175 rubles per day and then descending. And the first day is free. those. about the withdrawal of money a person learns only in a day.
Total we have:
All this might not have happened if:
In general, be careful!
Today I was
From your ip suspicious activity is noticed. Maybe your account tried to hack. Please confirm that you are the owner of this account.
And the phone entry field.
There were no suspicions, everything looked realistic. And my photo and photos of friends and other that was inherent only in my page.
The only thing that embarrassed is that I did not open classmates! That is why drew attention to the site address. It turned out to be odnoklssniki.info/under . Immediately you can not see that the domain is "left".
And very few people will look at the domain if the user data is real.
')
Checked on friends. More than half of the people (in particular those not connected with IT) did not notice anything suspicious here and were ready to enter their number.
A study of the page source showed the structure:
<! DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
< html >
< head >
< title > </ title >
< script src ="http://www.google.com/jsapi" ></ script >
<script type= "text/javascript" >
google.load( "jquery" , "1.4.2" );
</ script >
<style type= "text/css" >
//
</style>
<script type= "text/javascript" >
//
//
</ script >
</ head >
< body onload ="start()" >
< div id ="cl" >
< center >
< div style ="height: 75px" > </ div >
< div class ="cl_box" >
< div class ="cl_title" > ! ! </ div >
< div class ="cl_body" ></ div >
< div class ="cl_foot" ></ div >
</ div >
</ center >
</ div >
< center >< iframe class ="iii" frameborder ="0" src ="http://odnoklassniki.ru/" scrolling ="no" width ="100%" height ="4000px" ></ iframe ></ center >
</ body >
</ html >
</ html >
* This source code was highlighted with Source Code Highlighter .The key point was the frame leading to this site classmates. If a person was already authorized, then his page was displayed, which served as the best cover.
It was strange that in such a large social network as classmates, there was no check for work inside the frame or exit from under the frame.
Setting up this script was very simple, even comments were left!
var aff_session_name= "" ;
var aff_session_id= "" ;
var aff_query= "" ;
var aff_fid= "3268" ; //! !
var img_close = 'http://img402.imageshack.us/img402/9458/close1.gif' ;
var img_key = 'http://img40.imageshack.us/img40/7489/key1w.jpg' ;
var domain = 'megashara.24n6.ru' ;
var domain2 = 'megashara.24n6.ru' ; //
var cl = 0;
var form_type = 3; //
var form_seconds = 5;
var mt_pre_text = '' ;
var footer_text = '' ;
var first_page_txt= ' ip . . , :' ;
var first_page_btn= '' ;
var second_page_mt_txt= ' . - !' ;
var second_page_mo_txt= ' , . - , , .' ;
var second_page_btn= '' ;
var user_check= 'checked' ;
var sub_type= "" ;//
* This source code was highlighted with Source Code Highlighter .As you can see, the payment did not go straight, but was disguised as payment for access to download files from the megashara.24n6.ru file hosting service, to whom the payment was made was determined via the feed specified in the configs.
The 24n6.ru website contains the rules (http://24n6.ru/subscription_rules.php) for the service, where it is stated that the cost is from 175 rubles per day and then descending. And the first day is free. those. about the withdrawal of money a person learns only in a day.
Total we have:
- Universal script that allows you to "block" any sites (just change the css), which do not check the work under the frame and do not go out from under the frame.
- Payments are carried out secretly, under the guise of paying for access to the content of the file hosting service.
- Money starts to take off immediately, so that people do not understand what's the matter.
- Judging by the aff_query parameter, there was previously support or planned work through anonymizers.
All this might not have happened if:
- Classmates would check the work under the frame or go out from under the frame.
- The file hosting service checked 24n6.ru would check the referer or set up a special cookie, before making a payment.
- Advertising sites controlled what they advertised and automatically opened.
- The billing services would not give anyone the opportunity to receive payment via SMS or through a subscription.
In general, be careful!
Source: https://habr.com/ru/post/139685/
All Articles