VKontakte is Russia’s equivalent to Facebook.
VK – as it is commonly known – claims to be the largest European social network, and is particularly popular with Russian speakers who have made it the second most commonly visited website in all of Russia.
Of course, VKontakte is not immune from security and privacy challenges – and its users have to be careful about what they share, and who with, just as with any other social network.
For instance, plenty of evidence about the identity of the Koobface malware gang was fortuitously found being carelessly shared by the cybercriminals on their VKontakte profile pages.
I found myself wondering today if Western figures and celebrities like Barack Obama had attempted to make a landgrab for social media exposure on VKontakte.
Serendipitously, I made a spelling mistake. And typed “VKontakte” as “Vikontakte”.
Woah! That’s odd. The URL says the content is hosted on vikontakte.net, but the description claims that it’s Twitter.
A visit to vikontakte.net reveals what appears to be a familiar Twitter login page.
However, closer inspection of the browser’s address bar confirms that it really is vikontakte.net that you are looking at.
I asked my colleagues in SophosLabs what they felt was occurring, and they confirmed that the site appears to have been set up for the purposes of phishing credentials.
The bogus login page will accept any random credentials you choose to enter, and redirect your browser to a .SU domain that will attempt to grab your browser’s history and other data, including (the criminals hope) your Twitter username and password.
Seeing as the Soviet Union ceased to exist in December 1991 (long before many of us had jumped onto the internet), you should perhaps have alarm bells ringing whenever you see a .SU domain name.
Chances are that it’s a sign that someone is up to no good.
What’s curious about this apparent phishing campaign is that the domain name is clearly designed to trick you into believing it’s one thing (VKontakte) whereas the contents of the site itself are trying to dupe into thinking it’s another (Twitter).
With a plan like this, maybe it’s no wonder the Soviet Union didn’t survive.
SophosLabs has chosen to block vikontakte.net as a phishing site.
Thanks to Anna Szalay of SophosLabs for her assistance with this article.