VKontakte is Russia’s equivalent to Facebook.
VK – as it is commonly known – claims to be the largest European social network, and is particularly popular with Russian speakers who have made it the second most commonly visited website in all of Russia.
Of course, VKontakte is not immune from security and privacy challenges – and its users have to be careful about what they share, and who with, just as with any other social network.
For instance, plenty of evidence about the identity of the Koobface malware gang was fortuitously found being carelessly shared by the cybercriminals on their VKontakte profile pages.
I found myself wondering today if Western figures and celebrities like Barack Obama had attempted to make a landgrab for social media exposure on VKontakte.
Serendipitously, I made a spelling mistake. And typed “VKontakte” as “Vikontakte”.
Woah! That’s odd. The URL says the content is hosted on vikontakte.net, but the description claims that it’s Twitter.
A visit to vikontakte.net reveals what appears to be a familiar Twitter login page.
However, closer inspection of the browser’s address bar confirms that it really is vikontakte.net that you are looking at.
I asked my colleagues in SophosLabs what they felt was occurring, and they confirmed that the site appears to have been set up for the purposes of phishing credentials.
The bogus login page will accept any random credentials you choose to enter, and redirect your browser to a .SU domain that will attempt to grab your browser’s history and other data, including (the criminals hope) your Twitter username and password.
Seeing as the Soviet Union ceased to exist in December 1991 (long before many of us had jumped onto the internet), you should perhaps have alarm bells ringing whenever you see a .SU domain name.
Chances are that it’s a sign that someone is up to no good.
What’s curious about this apparent phishing campaign is that the domain name is clearly designed to trick you into believing it’s one thing (VKontakte) whereas the contents of the site itself are trying to dupe you into thinking it’s another (Twitter).
With a plan like this, maybe it’s no wonder the Soviet Union didn’t survive.
SophosLabs has chosen to block vikontakte.net as a phishing site.
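The two signals described above, a domain that is a near-miss of one brand and a page that claims to be another, can be checked mechanically. This is an added example, not code from this article or from SophosLabs; the brand allow-list, function names and sample page titles are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list (an assumption of this example): brand name -> the
# registered domains that brand really serves its login page from.
BRANDS = {
    "twitter": {"twitter.com"},
    "vkontakte": {"vk.com", "vkontakte.ru"},
    "facebook": {"facebook.com"},
}

def registered_domain(url):
    """Last two host labels. Simplification: ignores multi-part suffixes (co.uk)."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(url, page_title, max_dist=2):
    """Return (lookalike_brand, claimed_brand, verdict) for a login page."""
    domain = registered_domain(url)
    label = domain.split(".")[0]
    official = any(domain in doms for doms in BRANDS.values())
    # Which brand does the *domain name* imitate, if it is not an official one?
    lookalike = None
    if not official:
        dist, brand = min((edit_distance(label, b), b) for b in BRANDS)
        lookalike = brand if dist <= max_dist else None
    # Which brand does the *page content* claim to be?
    title = page_title.lower()
    claimed = next((b for b in BRANDS if b in title), None)
    if claimed and domain not in BRANDS[claimed]:
        verdict = "block: page claims a brand this domain does not belong to"
    elif lookalike:
        verdict = "review: domain is a near-miss of a known brand"
    else:
        verdict = "ok"
    return lookalike, claimed, verdict

if __name__ == "__main__":
    # Constructed inputs modelled on the article: typo domain, Twitter-styled page.
    print(assess("http://vikontakte.net/", "Twitter / Login"))
    print(assess("https://twitter.com/login", "Twitter / Login"))
```

Because the check compares only the registered domain, a host that merely starts with a brand's name under someone else's domain is also flagged.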
Thanks to Anna Szalay of SophosLabs for her assistance with this article.
6 comments on “It’s VKontakte, *not* Vikontakte. Twitter phishing, Soviet-style”
"With a plan like this, maybe it's no wonder the Soviet Union didn't survive."
There are a great number of reasons why the Soviet Union didn't survive, quite apart from present-day phisheries. But it is nonetheless valuable advice to be on the lookout for any URL with one of those ".su" domains. And you're entirely correct — the sort of plan evidenced in the article is not exactly a recipe for continuing success.
It is my resource. (I can prove, I get an abuse letter from my hosting provider) It is made just for fun. No phishing, no redirecting.
I just tested some PHP script and forgot about it for a while.
So all new pages created dynamically, when google-bot connecting to site.
Well, we don’t know if you did anything with the data sent from the form posts – so maybe you had no malicious intentions, or maybe you did. Who knows?
But you deliberately spoofed Twitter’s website, copied their HTML code, and duped people into entering their credentials. There wasn’t even an attempt to display a warning to users who might land on the site.
Sounds like a phishing site to me. Don’t be surprised if search engines and security vendors assign your site a bad reputation.
Whoops. Thanks. Fixed.
And we frequently see .SU websites used for dodgy purposes.
I’m not saying that there aren’t any legitimate .su websites, but people should be cautious.
I’m not the only one to offer this advice regarding .su domains. See http://www.abuse.ch/?p=3581 for instance.
Mr. Cluley, I would suggest you check your spelling before hitting "return" button (either just surfing the Internet or posting your opinion): check your first line! "VKontake"??!!