Today data from more than 40,000 VKontakte accounts (the Russian equivalent of Facebook) was put up on a hacker site. We know that the site (220.127.116.11) is a phishing site, and our personal products block attempts to access the site.
Trojan.Win32.VkHost.an (which we added detection for on 28th July) spreads via the VKontakte app (hxxp://vkontakte.ru/app711384?&m=2, currently blocked by VKontakte admins). Once installed, this Trojan modifies the hosts file:
If your machine is infected and you try and open either of the sites, the browser gets redirected to a phishing page which requests login credentials. The login and password get sent to the database at 18.104.22.168. (The Odnoklassniki database was empty at the time of writing, so it’s still a bit too early to say if Odnoklassniki user data has been compromised.)Enter your details on the phishing page, and you get redirected to a new page which shows a warning in Russian. Here’s the translation:
Your account has been identified by the system as potentially dangerous.
Spam mailings are being conducted from your IP address.
The account is recognized as being fake, created by malicious users in order to conduct spam mailings, and will be deleted 24 hours after this notification has been read if the account details are not verified.
If the account is genuine, it needs to be verified.
Send an SMS reading orderit30913 (no spaces) to 6008. You will receive an activation code in the response SMS.
The SMS will be charged in accordance with your service provider’s plan.
It looks as though if you send an SMS you do get some sort of code in return, as the site has a page with this message:
Code accepted! Download and launch file – Download
The link leads to a file called access.exe, which restores the original hosts files. (127.0.0.1 localhost).
If you just enter a random code, you get this message:
You’ve entered an incorrect code. Go back and enter the code from the SMS!
If you’ve got a VKontakte or Odnoklassniki account, check your hosts file (%windir%system32driversetc) and if you find links to vkontakte.ru and odnoklassniki.ru, delete them. You should also change all your passwords to all social networking accounts; if you end up on a phishing page like the one above, don’t enter your details; and last but not least, don’t send an SMS. This is yet another attempt by the bad guys to make a bit of money on the side using short, premium pay numbers.
Finally, if you think your account data might have been compromised, you can check via our Russian-language blog on the subject.