A beautiful example of phishing in Vkontakte

    Not so long ago, an article “ Memoirs of an Ex- Spammer” was published in Chaskor . In it, one of the Internet entrepreneurs who made money on spam in Vkontakte announced that such a business would almost run out of air very soon.

    To some extent, we can agree with him - now the spam is really noticeably less than it was even last year. But the remaining spammers are resorting to increasingly sophisticated methods. Now I want to talk about one of these methods that I met today.

    It all starts quite innocently, one of my friends writes you a banal “hello. how are you?". You answer no less banally that everything is fine with you, and are interested in the interlocutor’s affairs, he clarifies: “are you at the computer now?”, Asks: “do you want to laugh?” And throws a link like
    http://tinyurl.com/home-video-10737644-html




    At this stage, it is already impressive that the bot, with an obviously hacked account, writes three quite relevant remarks before throwing the link. Link redirects to page
    http://46.98.28.65/home-video/10737644
    with the YouTube interface. An attentive user, of course, will notice that the URL does not match the site, but the calculation is obviously done for those who do not pay such attention.

    The linked page is personalized. The numbers 10737644 in the link is my id. My name is inserted in the title and description of the alleged video:



    The video cannot be watched, because I have, it turns out, an outdated Flash Player. It is proposed to download it "from the Adobe site" at the link
    http://46.98.28.65/Flash-Player.exe

    No less wonderful are the "comments." As the authors of the comments, my real friends from VKontakte with their avatars are indicated:



    Particularly noteworthy is the second comment, which should finally convince me that this "Flash Player" still needs to be downloaded.

    I turned to Onthar , the author of previous topics about malicious spam in VKontakte, here is his comment:

    This file is a downloader. That is, it downloads and runs malicious files from the network. The fact is that there is some kind of affiliate program or something else. Unusually a lot of files are loaded (2-3 only in 5 minutes of analysis), and they all continue to be active in the system. So far I can say for sure one thing - this is a botnet from bootloaders, all files are accessed on different domains (n-78.ru, vn-66.ru ...), but on one ip - 91.223.89.99.

    It’s no secret that a wide variety of malware, including the famous TDSS bootkit, is capable of downloading these files to the victim’s system.

    Also popular now: