It's VKontakte, *not* Vikontakte. Twitter phishing, Soviet-style

VKontakte is Russia's equivalent to Facebook.

VK - as it is commonly known - claims to be the largest European social network, and is particularly popular with Russian speakers who have made it the second most commonly visited website in all of Russia.

Of course, VKontakte is not immune from security and privacy challenges - and its users have to be careful about what they share, and who with, just as with any other social network.

For instance, plenty of evidence about the identity of the Koobface malware gang was fortuitously found being carelessly shared by the cybercriminals on their VKontakte profile pages.

I found myself wondering today if Western figures and celebrities like Barack Obama had attempted to make a landgrab for social media exposure on VKontakte.

Serendipitously, I made a spelling mistake. And typed "VKontakte" as "Vikontakte".

Barack Obama on 'vikontakte'

Woah! That's odd. The URL says the content is hosted on vikontakte.net, but the description claims that it's Twitter.

A visit to vikontakte.net reveals what appears to be a familiar Twitter login page.


Twitter phishing site

However, closer inspection of the browser's address bar confirms that it really is vikontakte.net that you are looking at.

A closer look at the URL

I asked my colleagues in SophosLabs what they felt was occurring, and they confirmed that the site appears to have been set up for the purposes of phishing credentials.

The bogus login page will accept any random credentials you choose to enter, and redirect your browser to a .SU domain that will attempt to grab your browser's history and other data, including (the criminals hope) your Twitter username and password.

HTML source code

Seeing as the Soviet Union ceased to exist in December 1991 (long before many of us had jumped onto the internet), you should perhaps have alarm bells ringing whenever you see a .SU domain name.

Chances are that it's a sign that someone is up to no good.

What's curious about this apparent phishing campaign is that the domain name is clearly designed to trick you into believing it's one thing (VKontakte) whereas the contents of the site itself are trying to dupe you into thinking it's another (Twitter).

With a plan like this, maybe it's no wonder the Soviet Union didn't survive.

SophosLabs has chosen to block vikontakte.net as a phishing site.
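
The mismatch described above (a hostname that imitates VKontakte, a page that imitates Twitter, and a hand-off to a .SU domain) can be checked mechanically before a login form is trusted. The Python below is an added example, not code from the article or from SophosLabs; the brand allow-list, the function names and the redirect URL are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allow-list for this example: brand name -> hosts it legitimately uses.
BRAND_HOSTS = {
    "twitter": {"twitter.com"},
    "vkontakte": {"vk.com", "vkontakte.ru"},
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_official(host: str, brand: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in BRAND_HOSTS[brand])

def assess_login_page(page_url, claimed_brand, redirect_url=None):
    """Return findings for a page that shows a login form for claimed_brand."""
    findings = []
    host = host_of(page_url)
    if not is_official(host, claimed_brand):
        findings.append(f"page claims {claimed_brand} but is served from {host}")
    # Lookalike check on the label left of the TLD (naive: ignores
    # multi-part suffixes such as co.uk).
    label = host.split(".")[-2] if "." in host else host
    for brand in BRAND_HOSTS:
        d = edit_distance(label, brand)
        if 0 < d <= 2 and not is_official(host, brand):
            findings.append(f"{host} is {d} edit(s) from brand name '{brand}'")
    if redirect_url and host_of(redirect_url).endswith(".su"):
        findings.append(f"post-login redirect goes to .su host {host_of(redirect_url)}")
    return findings

if __name__ == "__main__":
    # The redirect URL is a constructed placeholder; the article does not name it.
    for line in assess_login_page("http://vikontakte.net/", "twitter",
                                  "http://placeholder.example.su/collect"):
        print(line)
```
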

Thanks to Anna Szalay of SophosLabs for her assistance with this article.

6 Responses to It's VKontakte, *not* Vikontakte. Twitter phishing, Soviet-style

  1. Nigel · 516 days ago

    "With a plan like this, maybe it's no wonder the Soviet Union didn't survive."

    There are a great number of reasons why the Soviet Union didn't survive, quite apart from present-day phisheries. But it is nonetheless valuable advice to be on the lookout for any URL with one of those ".su" domains. And you're entirely correct — the sort of plan evidenced in the article is not exactly a recipe for continuing success.

  2. Dynamix · 516 days ago

    It is my resource. (I can prove, I get an abuse letter from my hosting provider) It is made just for fun. No fishing, no redirecting.

    I just tested some PHP script and forgot about it for a while.
    So all new pages created dynamically, when google-bot connecting to site.

    • Well, we don't know if you did anything with the data sent from the form posts - so maybe you had no malicious intentions, or maybe you did. Who knows?

      But you deliberately spoofed Twitter's website, copied their HTML code, and duped people into entering their credentials. There wasn't even an attempt to display a warning to users who might land on the site.

      Sounds like a phishing site to me. Don't be surprised if search engines and security vendors assign your site a bad reputation.

  3. Whoops. Thanks. Fixed.

  4. And we frequently see .SU websites used for dodgy purposes.

    I'm not saying that there aren't any legitimate .su websites, but people should be cautious.

    I'm not the only one to offer this advice regarding .su domains. See http://www.abuse.ch/?p=3581 for instance.

  5. Mohawk · 515 days ago

    Mr. Cluley, I would suggest you check your spelling before hitting "return" button (either just surfing the Internet or posting your opinion): check your first line! "VKontake"??!!

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.