Incidents

Vkontakte accounts compromised

Today, data from more than 40,000 accounts on VKontakte (the Russian equivalent of Facebook) was put up on a hacker site. We know that the site (83.133.120.252) is a phishing site, and our personal products block attempts to access it.

Trojan.Win32.VkHost.an (which we added detection for on 28th July) spreads via the VKontakte app (hxxp://vkontakte.ru/app711384?&m=2, currently blocked by VKontakte admins). Once installed, this Trojan modifies the hosts file:

83.133.120.252 vkontakte.ru
83.133.120.252 odnoklassniki.ru

If your machine is infected and you try to open either of the sites, the browser gets redirected to a phishing page which requests login credentials. The login and password get sent to the database at 83.133.120.252. (The Odnoklassniki database was empty at the time of writing, so it’s still a bit too early to say if Odnoklassniki user data has been compromised.) Enter your details on the phishing page, and you get redirected to a new page which shows a warning in Russian. Here’s the translation:

WARNING!
Your account has been identified by the system as potentially dangerous.
Spam mailings are being conducted from your IP address.
The account is recognized as being fake, created by malicious users in order to conduct spam mailings, and will be deleted 24 hours after this notification has been read if the account details are not verified.

If the account is genuine, it needs to be verified.

Send an SMS reading orderit30913 (no spaces) to 6008. You will receive an activation code in the response SMS.

The SMS will be charged in accordance with your service provider’s plan.

It looks as though if you send an SMS you do get some sort of code in return, as the site has a page with this message:

Code accepted! Download and launch file – Download

The link leads to a file called access.exe, which restores the original hosts file (127.0.0.1 localhost).

If you just enter a random code, you get this message:

You’ve entered an incorrect code. Go back and enter the code from the SMS!

If you’ve got a VKontakte or Odnoklassniki account, check your hosts file (%windir%\system32\drivers\etc\hosts) and if you find entries for vkontakte.ru or odnoklassniki.ru, delete them. You should also change the passwords on all your social networking accounts; if you end up on a phishing page like the one above, don’t enter your details; and last but not least, don’t send an SMS. This is yet another attempt by the bad guys to make a bit of money on the side using premium-rate short numbers.
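The hosts-file check above can be automated. The following Python script is an added example, not part of the original post: it parses a hosts file (comments, trailing comments and multi-name lines included) and flags any line that pins vkontakte.ru, odnoklassniki.ru or one of their subdomains to an address other than loopback. The sample hosts content is constructed here to mirror the entries the post describes.

```python
import ipaddress

# Domains the post reports being redirected by Trojan.Win32.VkHost.an.
WATCHED_DOMAINS = {"vkontakte.ru", "odnoklassniki.ru"}

# Constructed sample hosts file: normal loopback lines plus the two
# entries the Trojan adds (one with a trailing comment and a subdomain).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
83.133.120.252 vkontakte.ru
83.133.120.252 odnoklassniki.ru www.odnoklassniki.ru  # added by malware
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every name mapping in a hosts file.
    Full-line and trailing comments and blank lines are skipped; a line with
    several hostnames yields one tuple per name."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            yield line_no, ip, name.lower().rstrip(".")

def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)

def find_hijacked_entries(text):
    """Return (line_no, ip, hostname) for watched domains mapped anywhere
    other than loopback. A watched domain pointing at 127.0.0.1 or ::1 is a
    deliberate block, not a hijack, so it is not reported."""
    hits = []
    for line_no, ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((line_no, ip, name))  # malformed address: report it
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            hits.append((line_no, ip, name))
    return hits

if __name__ == "__main__":
    for line_no, ip, name in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} (not loopback, possible hijack)")
```

To run it against a real Windows machine, read the contents of %windir%\system32\drivers\etc\hosts and pass them to find_hijacked_entries instead of SAMPLE_HOSTS.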

Finally, if you think your account data might have been compromised, you can check via our Russian-language blog on the subject.
