VK freebie, or trading your password for stickers

    You all know about such an abstract thing as a "freebie."



    The opportunity to get a thing for free, even an unnecessary one, gathers entire forums of like-minded people on the Internet. Some of these offers require action on your part, such as registering, taking a test or entering data. For the most part this is a mutually beneficial exchange, both for the company (which obtains data on its target audience) and for the person (who gets a free trinket). But in some cases people hand over a lot of personal data in exchange for a magnet, a mug or a notepad, and that data can be taken advantage of.

    VK stickers are an amusing thing, aren't they? Pretty one-word replies, drawn as pictures, that you can answer with in dialogs. Many people spend money to get stickers, and some get them for free, and it is the opportunity to get stickers for free (which you will rarely use?).

    image


    Today I received a message from one of my VK friends about the possibility of getting free stickers.

    image

    When you send the bot a message, it replies that you should like and send it a message. I try just sending it a message.

    image

    That worked. Now it asks us to send a message to 15 friends and then write to it. We try just writing to it.

    image

    It writes that we are cheating, but we understand that the bot cannot read our messages without confirmation through the VK API and obtaining access rights, so we just try writing “Completed” and, hooray, all that remains is to follow an obscure link and get the stickers. raised dough, things became different

    image

    Clicking the link takes us, after redirects, to a well-designed website that suggests logging in via VKontakte to finally get the coveted stickers.

    image

    Clicking the button leads to a page with a modal login window and the VKontakte favicon already in place. An attentive user will notice the incorrect address in the address bar and the fact that we were already logged in to VK.

    image

    Also, for the curious: the context menu and text selection are disabled.
    image

    The data is sent by POST request to the same address.
    image
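    The signs described above (a password form that posts back to a non-VK address, and a disabled context menu and selection) can be checked mechanically on a saved copy of such a page. This is an added example, not code from the original post; the allowed domain, the attribute list and the sample page on a placeholder host are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

BRAND_DOMAIN = "vk.com"  # assumption: only this domain may ask for a VK password
BLOCKING_ATTRS = ("oncontextmenu", "onselectstart", "oncopy")

def on_brand(url):
    # Exact host or a true subdomain; "vk.com.evil.example" does not match.
    host = (urlparse(url).hostname or "").lower()
    return host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)

class LoginPageAudit(HTMLParser):
    """Collects phishing indicators from one saved HTML page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_target = page_url  # where a password field would be submitted
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or empty action posts back to the page's own address.
            self.form_target = urljoin(self.page_url, attrs.get("action", ""))
        elif tag == "input" and attrs.get("type", "").lower() == "password":
            if not on_brand(self.form_target):
                host = urlparse(self.form_target).hostname or "unknown host"
                self.findings.add("password sent to " + host)
        # Heuristic: inline handlers that cancel right-click, selection or copy.
        if any("return false" in attrs.get(a, "").lower() for a in BLOCKING_ATTRS):
            self.findings.add("context menu or selection disabled")

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_target = self.page_url

def audit(page_url, html):
    parser = LoginPageAudit(page_url)
    parser.feed(html)
    return sorted(parser.findings)

# Constructed sample: a look-alike login page on a placeholder host.
SAMPLE_URL = "https://stickers-promo.example/login"
SAMPLE_HTML = """<html><body oncontextmenu="return false" onselectstart="return false">
<form method="post"><input name="email"><input type="password" name="pass"></form>
</body></html>"""
```

    Calling `audit(SAMPLE_URL, SAMPLE_HTML)` returns both findings, while a form served from and posting to a `vk.com` host returns an empty list.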


    We go to the event to which we were sent a link.

    image

    The links include the real Coca-Cola page, while the event organizer is an unrelated closed group. But it is all presented more than believably.

    What we have:

    More than 15,000 views of the post and more than 3400 likes on it, which means those people wrote to the bot.

    Perhaps this is the largest leak of VK data this year. I have already written to support and am waiting for an answer.

    UPD: Wrote to support, and after 15 minutes

    image

    Any conclusion? There isn't one. Recalling Mavrodi's famous phrase, people who take a relaxed attitude to their own security will never run out, so we can assume that many similar groups will be created. As for protection, just remember the words of the venereologist: watch what you enter and where.

    UPD 2 (in response to comments): Computer-security literacy among the population can and should be raised, because minors will always get hooked, and questions of hacking are always hushed up. People need to know how they can be hacked. And I hope the number of such questions will then decrease.
    image
