Vkontakte Targeted By SMS Scammers

| | Comments (0)
(Huge thanks to Baz of Malwarecrawler.com, who provided the Vkontakte.ru screenshots, translations and helped me to make the connection between a number of rogue blogs I'd been looking at recently and a particularly nasty Vkontakte scam that I had no idea existed until yesterday).

Now that we've got that bit out of the way, your first question may well be "What is Vkontakte"?

Well, it's billed as the Russian Facebook and seems to be pretty popular (45 million users as of October 09). With that amount of users, it seems that the usual "build it, and they will come" rule applies to scammers, phishers and malware authors as we shall see.

What's Happening?

You know how on Facebook you get those wonderful Koobface worms that post links to fake videos, and if you run the file you end up with infections galore and a bunch of messages posted to the walls of your friends?

This is a similar scenario, with messages (which may or may not be automated) posted to Vkontakte pages which lead to malicious downloads - many of which will do horrible things to your computer if given the chance including account theft, Trojans and desktop lockouts.

Here is a sample message posted to a typical Vkontakte page:

Vkontakte Fake Exploit Message, originally uploaded by Paperghost.

It says that there is a "mega hole" in Vkontakte which allows you to see private profiles. Click the link, and you're redirected to one of a chain of Blogspot blogs which look like this:

Vkontakte Scam Blog, originally uploaded by Paperghost.

Here is the translation, courtesy of my new pal Baz:

Page title: Mega hole in Vkontakte!

How to get full access to a private Vkontakte profile and how to defend your profile

This hack will be fixed at any moment, so use it before it is too late!

Everything is very simple.

1. Download the program <link> <mirror>

2. Run it

3. Enter the id of the profile you want to get access to.

Finding the id is very simple, just go to the persons (profile) page and at the top there will be something that looks like: http://vkontakte.ru/id******

4. Afterwards, you will have full access to the profile of the person whose id you have entered.

If you have any doubts, just check the program with antivirus and convince yourself that everything is in order.

If the first program didn't work, here is the second: <link>

Depending on the payload, you may end up with Trojans, Rootkits, worms and / or other assorted junk deposited on your PC with a strong emphasis on SMS scamming. We'll take a look at some of those momentarily, but I should mention a particular spamming technique that Baz spotted which seems to be getting past whatever spam filters Vkontakte has in place.

On Facebook you've probably seen the graffiti wall application, which allows you to draw an endless series of humorous body parts on the wall of your choice.  Vkontakte has a similar (if not identical) application, and it looks like the scammers are pasting their "massive hole" messages onto that which neatly sidesteps spam filters.

Vkontakte Graffiti Spam, originally uploaded by Paperghost.

"ahahahaha!!! s*it!! I got access to your profile via vkon-fire.msk.ru"

Pretty smart.

What do the files do?

Vkontakte Scam Infection Files, originally uploaded by Paperghost.

Here's a bunch of scan results, feel free to browse through and be glad none of them were dropped onto your computer. In general, the files claim to attempt contacting the Vkontakte servers, then "fail" with a nice fake error message; meanwhile (...you know the drill...) a wide variety of junk is inserted onto the PC behind the scenes and your login vanishes into the wide blue yonder.

The messages posted to the Vkontakte site may or may not be automated; none of the files tested display any sign of worm related shenanigans. A big part of this scam is a phishy Hosts file hijack:

Vkontakte Scam Hosts file hijack, originally uploaded by Paperghost.

Something to note where the Hosts file hijack is concerned - they'll swipe your login details and potentially direct you to the following fake login, complete with SMS activation code:

Vkontakte SMS Message, originally uploaded by Paperghost.

Yes, they'll take your login and your money too. However, I want to wrap up with this particularly eye watering file:

Vkontakte SMS Lockout File, originally uploaded by Paperghost.

"Activate"? Whatever does it activate, I hear you cry? Well...

...ouch. It claims you're running an unlicensed version of Windows, and won't give you your desktop back until you cough up a random amount of cash via SMS.

All in all, a nasty collection of exploits and scammery - if you know anyone who uses Vkontakte, feel free to give them a heads up and avoid any random messages promising access to secret profiles / images / leprechauns.

Leave a comment

About this Entry

This page contains a single entry by Christopher Boyd published on October 26, 2009 10:00 AM.

Google Wave "Invite Generator" Programs - Avoid! was the previous entry in this blog.

Hacking: Now A Porn Marketing Tool is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.