Social Networking: October 2009 Archives

Yesterday I happened to see a particularly creepy advert containing a number of rotating images claiming to offer "Hacked Facebook and Photobucket accounts" for a price:

hackedfbaccts1.jpg

The site the image links to is called...well, see for yourself.

Wait...what?, originally uploaded by Paperghost.

Yes, the site is actually called "Hackedsluts.com" and claims to offer up an endless series of images from "hacked" accounts including Myspace, Photobucket and Facebook in return for a monthly fee. Or, as they like to put it:

As porn site marketing campaigns go this one is certainly, uh, different.

"Every day we prowl Facebook, Photobucket, Myspace and a ton of others....then we let our team of hackers do their thing"...

Account hacked!, originally uploaded by Paperghost.

Just to force the message home, hovering over any image will pop up some text on top of the picture:

hackedfbaccts5.jpg

Just when you think they can't possibly get any creepier or salacious, the final image at the bottom of the first set actually looks like this:


Extreme, originally uploaded by Paperghost

...yep, we'll throw in dubious claims of hacked accounts / stolen images AND we'll lob in a blood splattered "Too extreme" banner supposedly covering up some of the pictures. While this is clearly a piece of Lame Marketing 101, the overall effect of the site is extremely disturbing.

Are the images actually stolen? It's doubtful; in all probability the bulk of the content (if not all of it) is made up of stock pornographic content. But simply claiming they've been plundering images from supposedly hacked accounts on Facebook, Myspace and all the rest of them for financial gain blows my mind; it is an amazingly dubious piece of non-ethical marketing and is surely a fast track to a day in court.

You would hope...

(Huge thanks to Baz of Malwarecrawler.com, who provided the Vkontakte.ru screenshots, translations and helped me to make the connection between a number of rogue blogs I'd been looking at recently and a particularly nasty Vkontakte scam that I had no idea existed until yesterday).

Now that we've got that bit out of the way, your first question may well be "What is Vkontakte"?

Well, it's billed as the Russian Facebook and seems to be pretty popular (45 million users as of October 09). With that number of users, it seems that the usual "build it, and they will come" rule applies to scammers, phishers and malware authors, as we shall see.

What's Happening?

You know how on Facebook you get those wonderful Koobface worms that post links to fake videos, and if you run the file you end up with infections galore and a bunch of messages posted to the walls of your friends?

This is a similar scenario, with messages (which may or may not be automated) posted to Vkontakte pages which lead to malicious downloads - many of which will do horrible things to your computer if given the chance including account theft, Trojans and desktop lockouts.

Here is a sample message posted to a typical Vkontakte page:

Vkontakte Fake Exploit Message, originally uploaded by Paperghost.

It says that there is a "mega hole" in Vkontakte which allows you to see private profiles. Click the link, and you're redirected to one of a chain of Blogspot blogs which look like this:


Vkontakte Scam Blog, originally uploaded by Paperghost.


Here is the translation, courtesy of my new pal Baz:

Page title: Mega hole in Vkontakte!

How to get full access to a private Vkontakte profile and how to defend your profile


This hack will be fixed at any moment, so use it before it is too late!

Everything is very simple.

1. Download the program <link> <mirror>

2. Run it

3. Enter the id of the profile you want to get access to.

Finding the id is very simple, just go to the person's (profile) page and at the top there will be something that looks like: http://vkontakte.ru/id******

4. Afterwards, you will have full access to the profile of the person whose id you have entered.

If you have any doubts, just check the program with antivirus and convince yourself that everything is in order.

If the first program didn't work, here is the second: <link>


Depending on the payload, you may end up with Trojans, Rootkits, worms and / or other assorted junk deposited on your PC with a strong emphasis on SMS scamming. We'll take a look at some of those momentarily, but I should mention a particular spamming technique that Baz spotted which seems to be getting past whatever spam filters Vkontakte has in place.

On Facebook you've probably seen the graffiti wall application, which allows you to draw an endless series of humorous body parts on the wall of your choice. Vkontakte has a similar (if not identical) application, and it looks like the scammers are pasting their "massive hole" messages onto it, which neatly sidesteps spam filters.

Vkontakte Graffiti Spam, originally uploaded by Paperghost.

"ahahahaha!!! s*it!! I got access to your profile via vkon-fire.msk.ru"

Pretty smart.

What do the files do?



Vkontakte Scam Infection Files, originally uploaded by Paperghost.

Here's a bunch of scan results, feel free to browse through and be glad none of them were dropped onto your computer. In general, the files claim to attempt contacting the Vkontakte servers, then "fail" with a nice fake error message; meanwhile (...you know the drill...) a wide variety of junk is inserted onto the PC behind the scenes and your login vanishes into the wide blue yonder.

The messages posted to the Vkontakte site may or may not be automated; none of the files tested display any sign of worm-related shenanigans. A big part of this scam is a phishy Hosts file hijack:


Vkontakte Scam Hosts file hijack, originally uploaded by Paperghost.
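
A defender-side check for the Hosts file hijack described above, added here as an example and not part of the original post: it parses hosts-file text and flags any entry that points a watched domain at a non-local address. The watch list, function names and sample file are assumptions of this example; the sample uses a documentation-range IP.

```python
import ipaddress

# Assumption: domains whose hosts-file entries are worth flagging.
# vkontakte.ru comes from the post; extend the tuple as needed.
WATCHED = ("vkontakte.ru",)

# Constructed sample; 203.0.113.0/24 is a documentation-only range.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost


203.0.113.10    vkontakte.ru www.vkontakte.ru   # constructed hijack entry
203.0.113.10\tVKontakte.RU.
0.0.0.0         ads.example.com
127.0.0.1       vkontakte.ru
"""

def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping in hosts-file text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on any whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not an address: ignore the line
        for name in fields[1:]:                 # one line may carry several names
            yield lineno, ip, name.lower().rstrip(".")

def find_hijacks(text, watched=WATCHED):
    """Return entries that send a watched domain (or subdomain) to a non-local IP."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        watched_hit = any(name == d or name.endswith("." + d) for d in watched)
        # Loopback and 0.0.0.0 entries block a site rather than redirect it.
        if watched_hit and not (ip.is_loopback or ip.is_unspecified):
            findings.append((lineno, str(ip), name))
    return findings

if __name__ == "__main__":
    for lineno, ip, name in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```

On Windows the file to feed it is normally `%SystemRoot%\System32\drivers\etc\hosts`.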

Something to note where the Hosts file hijack is concerned - they'll swipe your login details and potentially direct you to the following fake login, complete with SMS activation code:

Vkontakte SMS Message, originally uploaded by Paperghost.

Yes, they'll take your login and your money too. However, I want to wrap up with this particularly eye watering file:

Vkontakte SMS Lockout File, originally uploaded by Paperghost.

"Activate"? Whatever does it activate, I hear you cry? Well...


...ouch. It claims you're running an unlicensed version of Windows, and won't give you your desktop back until you cough up a random amount of cash via SMS.

All in all, a nasty collection of exploits and scammery - if you know anyone who uses Vkontakte, feel free to give them a heads up and avoid any random messages promising access to secret profiles / images / leprechauns.

About this Archive

This page is an archive of entries in the Social Networking category from October 2009.
