Back to Home

404 error that saved thousands of VK users

Yesterday · the REG.RU technical support service did not start the day as always - the number of calls was more than on any other May day. In their letters · people asked to unlock Google or show ...

404 error that saved thousands of VK users

    Yesterday, the REG.RU technical support service did not start the day as always - the number of calls was more than on any other May day. In their letters, people asked to unlock Google or show Yandex, open access to Twitter, etc.





    So many letters had already arrived at a certain point that it looked like some kind of flash mob.



    At the same time, there was a surge in the traffic statistics of the reg.ru website from the pages of the vkontakte.ru social network - the first coincidence, the next coincidence is even more interesting ...

    The event only began to gain momentum, and the company's specialists already understood the statistics in detail: 2-3 the transition from thousands of pages of different VKontakte users, but on these pages there was no mention of REG.RU.


    (Screenshot from Google Analytics)

    But the page of one event seemed very suspicious, there were only about a dozen clicks from the beginning of the day - vkontakte.ru/event27158053The event speaks of a program that makes VKontakte gifts free and a link to download _ttp: //vkliker.ru/FreePresent.exe is indicated (don’t start, there is a trojan there!) .

    The employees made a control download of the application, which, as it turned out, was not original and writes down the form “IP address - domain name” for resources: When accessing the IP address 95.163.12.18, the Vkontakte phishing page is displayed. The user who launched the program gets to the fake page, enters his authorization data and receives a warning about a login error. In the meantime, his username and password have already been sent to the attacker.

    95.163.12.18 baidu.com
    95.163.12.18 blogger.com
    95.163.12.18 facebook.com
    95.163.12.18 google.com
    95.163.12.18 google.ru
    95.163.12.18 live.com
    95.163.12.18 livejournal.com
    95.163.12.18 mail.ru
    95.163.12.18 msn.com
    95.163.12.18 myspace.com
    95.163.12.18 odnoklassniki.ru
    95.163.12.18 rambler.ru
    95.163.12.18 rutube.ru
    95.163.12.18 twitter.com
    95.163.12.18 vk.com
    95.163.12.18 vkontakte.ru
    95.163.12.18 webmoney.ru
    95.163.12.18 wikipedia.org
    95.163.12.18 ya.ru
    95.163.12.18 yahoo.com
    95.163.12.18 yandex.net
    95.163.12.18 yandex.ru
    95.163.12.18 youtube.com
    95.163.12.18 durov.ru
    95.163.12.18 www.baidu.com
    95.163.12.18 www.blogger.com
    95.163.12.18 www.facebook.com
    95.163.12.18 www.google.com
    95.163.12.18 www.google.ru
    95.163.12.18 www.live.com
    95.163.12.18 www.livejournal.com
    95.163.12.18 www.mail.ru
    95.163.12.18 www.msn.com
    95.163.12.18 www.myspace.com
    95.163.12.18 www.odnoklassniki.ru
    95.163.12.18 www.rambler.ru
    95.163.12.18 www.rutube.ru
    95.163.12.18 www.twitter.com
    95.163.12.18 www.vk.com
    95.163.12.18 www.vkontakte.ru
    95.163.12.18 www.webmoney.ru
    95.163.12.18 www.wikipedia.org
    95.163.12.18 www.ya.ru
    95.163.12.18 www.yahoo.com
    95.163.12.18 www.yandex.net
    95.163.12.18 www.yandex.ru
    95.163.12.18 www.youtube.com
    95.163.12.18 www.durov.ru




    Coincidence number two. A few days ago, a man contacted technical support, introducing himself as the owner of the hosting for the vkliker.ru domain, asking about the inoperability of the site verification method by adding an entry to the% WINDOWS% / system32 / drivers / etc / hosts file before the DNS update servers.

    The applicant claimed that the method is not working and when using it, an error page is displayed at the site address. The employee, clarifying the details, heard the phrase: “Alexander, this method doesn’t work for me, I add other domains besides mine, and they don’t work”.The hosting technical support specialist, suggesting possible dishonest intentions, verbally warned the client that his actions might fall under the definition of “phishing”, i.e. be illegal. The client, without answering anything, preferred to end the conversation.

    The fraudster could not correctly configure the additional IP of the shared hosting, as a result, the “infected” visitors who downloaded and launched the malicious FreePresent.exe were given not a phishing page, but a REG.RU stub with information about a page that does not exist. Infected users typed vkontakte.ru in the browser and got to the 404 error page, where it was reported that such a page does not exist. Therefore, the upset wrote to the first contact from this page, namely in support of REG.RU.

    Page 404, which everyone dislikes so much, miraculously saved the accounts of thousands of VKontakte users (approx. The word “thousands” is based on the number of hits on this page in the first half of the day).

    The REG.RU team reacted as quickly as possible by setting up an individual page notifying users of an attempted hack and with instructions for cleaning the hosts file, a recommendation to change the account password just in case, and no longer run suspicious files on their computer.

    From all that has been said, it can be concluded that free cheese only happens in a mousetrap. (after all, the image itself on the event page hints at this):

    Read Next