How to lure two clients away from competitors and then make excuses to a thousand?

    Recently, many third-party services and modules for online stores have become popular: callback widgets, chats, like buttons, and various counters and analytics scripts.

    Site owners happily install them and do not suspect what access they are giving “such” services, or what consequences they will eventually have to deal with.

    The story of how one of these callback services was exposed is under the cut.


    One of the callback services, which hosts the JS code of its module on hundreds of different sites, added a unique feature to attract more customers: identifying the Vkontakte profile of a visitor who comes to your site.
    The feature is genuinely interesting, and many online stores would want it. Our own clients also began asking us to build something similar. However, we take our responsibility to our customers seriously, so we examine every such decision first.
    So we decided to find out what this clever function really is, and why the “real” large companies do not offer it. Yandex Metrica or Google Analytics, for example: for them such a feature would be highly relevant, and there is no doubt they have the capability to implement it.

    First of all, we found no such capability in the official Vkontakte API or documentation, namely obtaining the profiles of users who visit a third-party site.

    We wrote to Vkontakte support and received the following response:



    As can be seen from the screenshot, the Vkontakte company is categorically against such a service.
    The official representatives' opinion was negative, and it became obvious that adding such functionality is prohibited, which means it cannot be done legitimately.

    How does it work and why is it bad?

    There was already an article on Habrahabr about social phishing (“соцфишинг”), and other sources cover it too, but briefly and without going into details, it works as follows:
    The user comes to your site; the malicious code is hidden in an invisible layer and emulates a click on a page, as if the visitor of your site had done it themselves, after which the script receives the data.

    That is, a certain module runs on your site, draws a window invisible to the user, performs a click on the user's behalf in that window, naturally without their knowledge, and receives data about their Vkontakte profile. The user does not even know that they went to Vkontakte, clicked, and so on. You will agree that this is, at the very least, not fair to your site's visitors, because one can go further: emulate likes, send private messages automatically without the visitor's knowledge, etc.
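As an added example (not code from the original post or from any of the services named in it), here is a small audit script a site owner can run to look for the invisible cross-origin frame that the trick above relies on; the origins and frame geometries in it are constructed samples.

```javascript
// Added example (not from the original post): audit a page's <iframe>s for the
// "invisible layer" described above: a third-party widget framing another origin
// while keeping the frame unseeable. All sample data below is constructed.
// Heuristics over a plain description of one iframe (resolved style and geometry).
function hiddenReasons(f) {
  const reasons = [];
  if (f.width < 2 || f.height < 2) reasons.push("zero-size");
  if (f.opacity < 0.1) reasons.push("transparent");
  if (f.visibility === "hidden" || f.display === "none") reasons.push("not-displayed");
  if (f.right < 0 || f.bottom < 0 || f.left > f.viewportWidth || f.top > f.viewportHeight) reasons.push("off-screen");
  return reasons;
}

// Cross-origin means the frame URL's origin differs from the page's own origin.
function sameOrigin(src, pageOrigin) {
  try { return new URL(src, pageOrigin).origin === pageOrigin; } catch (e) { return false; }
}

// Report only frames that are both cross-origin and hidden; visible embeds (a map,
// a chat window) and the site's own hidden frames are left alone.
function findSuspiciousFrames(frames, pageOrigin) {
  return frames
    .filter((f) => !sameOrigin(f.src, pageOrigin))
    .map((f) => ({ src: f.src, reasons: hiddenReasons(f) }))
    .filter((r) => r.reasons.length > 0);
}

// Browser-side collector: turns live <iframe> elements into the descriptions above
// (in a browser console: findSuspiciousFrames(collectFrames(), location.origin)).
// Without a DOM, e.g. under Node, it returns an empty list.
function collectFrames(doc = globalThis.document, win = globalThis.window) {
  if (!doc || !win) return [];
  return Array.from(doc.querySelectorAll("iframe")).map((el) => {
    const cs = win.getComputedStyle(el);
    const r = el.getBoundingClientRect();
    return { src: el.src, width: r.width, height: r.height, left: r.left, top: r.top, right: r.right,
      bottom: r.bottom, opacity: parseFloat(cs.opacity), visibility: cs.visibility, display: cs.display,
      viewportWidth: win.innerWidth, viewportHeight: win.innerHeight };
  });
}

// Constructed sample: a visible map embed, a 1x1 transparent frame of a social network
// page, an off-screen frame, and the shop's own hidden same-origin frame.
const PAGE_ORIGIN = "https://shop.example";
const SAMPLE_FRAMES = [
  { src: "https://maps.example/embed", width: 600, height: 400, left: 20, top: 300, right: 620, bottom: 700, opacity: 1, visibility: "visible", display: "block", viewportWidth: 1280, viewportHeight: 800 },
  { src: "https://social.example/profile", width: 1, height: 1, left: 0, top: 0, right: 1, bottom: 1, opacity: 0, visibility: "visible", display: "block", viewportWidth: 1280, viewportHeight: 800 },
  { src: "https://social.example/like", width: 500, height: 400, left: -9999, top: 0, right: -9499, bottom: 400, opacity: 1, visibility: "visible", display: "block", viewportWidth: 1280, viewportHeight: 800 },
  { src: "/banner", width: 0, height: 0, left: 0, top: 0, right: 0, bottom: 0, opacity: 1, visibility: "hidden", display: "block", viewportWidth: 1280, viewportHeight: 800 },
];
console.log(findSuspiciousFrames(SAMPLE_FRAMES, PAGE_ORIGIN));
```

Only the two hidden frames pointing at the foreign origin are reported; the visible map and the shop's own hidden banner frame are not.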

    How this feature is presented to the service's users

    Alas, the owner of the callback service neatly kept quiet about how this feature works. He simply wrote: we have a new feature. And the owners of online stores, not knowing the details, became his de facto accomplices, providing their sites as the platform on which his malicious code runs.

    With such tricks, exposure is only a matter of time. Not much time passed before VKontakte blocked all transitions to this callback service's pages for users of the social network, and antivirus vendors added the resource to their phishing lists as a site engaged in fraudulent activity without users' knowledge.

    Pressure on trust
    Now the owner of the “dark” callback service is busy misleading the antivirus vendors, trying to get his site removed from their databases. He either does not care about his customers or does not realise that hosting malicious code on other people's sites undermines their credibility. He thinks only about his own service and forgets that his malicious code sits on many sites, which can also end up in the antivirus blacklists and thereby risk losing their business.


    At the moment the owner of the service has removed the malicious code from the module and contacted the antivirus vendors, so some of them have removed it from their blacklists.



    But what happens next? If such an Internet service keeps quiet about how a given feature works, does not mention the risks it shifts onto the shoulders of online store owners, and after being exposed keeps writing in public about its own “harmlessness”, blaming everything on competitor wars, is it worth trusting such a service? After all, having done it once, he can again activate a “hidden feature on his customers' sites” without telling them.

    Dear owners of sites and services: “do not use dubious services, do not fall for such tricks!”

    After all, if malicious code is running on your site, there is always a chance of quickly landing on a blacklist, and visitors to your site will see:
    Be careful! Work with established companies that at least have an office :)



    Sincerely,
    Callback service: Pozvonim.com

    PS: This article made an impression on the owner of Callbackkiller, and he has officially admitted his guilt:

    We hope that no new malicious code will appear in this service or in others any time soon.
