OAuth VKontakte: mercenary use

There are many ways to spread malicious spam on VKontakte. But the pests never sleep, and ever more interesting ideas keep occurring to them. VKontakte's support for OAuth 2.0 turned out to be one such opportunity: fraudsters have learned to use it to bypass the warning page about malicious sites.

And it all started when one day a message appeared on my wall:

Out of curiosity, I followed the link and ended up on yet another phishing site. But the link itself seemed strange to me; it looked like this (half of the characters as ASCII codes):
vkontakte.ru/away.php?to=http%3A%2F%2FApi.vKontakte.Ru%2F%2Fo%2561u%2574%...

Consider the link in detail:
  • vkontakte.ru/away.php - a page with a warning about clicking on the link;
  • The to parameter is the link itself. Decoded, it looked like this:
    Api.vKontakte.Ru/oauth/authorize?client_id=2376***&cgpopcvkqdjut4&redirect_uri=vgostivk.dyndns**&display=popup?390852

Here the most interesting part begins ...

Let's analyze the second link in parts:
  • Api.vKontakte.Ru/oauth/authorize - access to the VK API, authorization through OAuth 2.0;
  • client_id=2376***&cgpopcvkqdjut4&redirect_uri=vgostivk.dyndns**&display=popup?390852 - authorization parameters.

What each parameter means:
  • client_id - ID of the application requiring authorization;
  • redirect_uri - address to which access_token will be transmitted (via redirect);
  • display - view of the authorization window (page, popup, touch and wap).

In fact, redirect_uri contained the address of the phishing site. Because the display parameter was malformed (the garbage "?390852" was appended to it), the authorization window was not displayed, and the redirect to the phishing site happened right away, with the parameters: error=invalid_request&error_description=Invalid+display+passed

This is the whole point of bypassing VKontakte's blacklist of malicious sites. Only an alert about going to api.vk.com appears, and after following it we land directly on the phishing site, which is on the blacklist. When clicking on the link vkontakte.ru/away.php?to=vgostivk.dyndns**:


As it turned out, the application that supposedly required authorization was registered to a hacked user:


And the phishing site itself was quite interesting. As usual, the design imitated VKontakte and offered to log in. I logged in with a random email and password, and the fake swallowed them perfectly. Then it got even more interesting: on the main page there was news from "Pavel Durov":

After clicking the "Create a personal counter" button, an excellent progress bar followed. Then it suggested entering your phone number and sending an SMS:

In theory, after a successful “activation”, I should have been redirected to activ.php, but I could not get there. Excerpts from the phishing site's JS scripts:
...
if(req.status == 200) {
    // if the status is 200 (OK), show the response to the user
    if (req.responseText == 'ok') {
        //statusElem.innerHTML = 'All good!';
        get_activation();
    }
    if (req.responseText == 'not') {statusElem.innerHTML = "Неверный код активации";} // "Invalid activation code"
    //statusElem.innerHTML = "Server response: "+req.responseText;
...
function get_activation() {
    document.location="activ.php";
}


Bottom line: fraudsters bypass the warning through OAuth 2.0, obtain the user's password and email, and even try to get the user to send an SMS (most likely using a subscription system).
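
The bypass described above works because only the first hop of the link is compared with the blacklist. The following added example (not code from the original post or from VKontakte) sketches a link checker that unwraps nested redirect parameters, including double percent-encoding, and tests every hop; the blacklist entry, the parameter list and the sample link are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample data: placeholder hosts, not values from the article.
BLACKLIST = {"phish.example"}
REDIRECT_PARAMS = ("to", "redirect_uri")  # parameters that carry an onward URL

def fully_decode(value, max_rounds=5):
    """Undo repeated percent-encoding (%2561 -> %61 -> a)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def hosts_in_chain(url, max_depth=5):
    """List every host reachable through nested redirect parameters."""
    hosts, pending = [], [(url, 0)]
    while pending:
        current, depth = pending.pop(0)
        parts = urlsplit(current)
        if not parts.netloc:  # scheme-less value such as "host/path"
            parts = urlsplit("http://" + current)
        if parts.hostname:
            hosts.append(parts.hostname)  # urlsplit lowercases the host
        if depth >= max_depth:
            continue
        query = parse_qs(parts.query, keep_blank_values=True)
        for name in REDIRECT_PARAMS:
            for value in query.get(name, []):
                pending.append((fully_decode(value), depth + 1))
    return hosts

def is_blacklisted(host):
    return any(host == bad or host.endswith("." + bad) for bad in BLACKLIST)

def should_block(url):
    """Block when any hop is blacklisted, not only the first one."""
    return any(is_blacklisted(host) for host in hosts_in_chain(url))

# Constructed link shaped like the article's: warning page -> OAuth endpoint -> final site.
SAMPLE = ("http://vkontakte.ru/away.php?to=http%3A%2F%2FApi.vKontakte.Ru%2Fo%2561uth"
          "%2Fauthorize%3Fclient_id%3D1%26redirect_uri%3Dphish.example"
          "%26display%3Dpopup%3F1")

if __name__ == "__main__":
    print(hosts_in_chain(SAMPLE), should_block(SAMPLE))
```

On the OAuth side, the complementary fix is for the authorization endpoint to send error redirects only to a redirect_uri registered for the given client_id.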
