Blog Archive

Tuesday, 29 June 2010

Orkut users asked to recharge phones with the power of Javascript

Here’s a curious scam putting users of Google’s Orkut in the crosshairs. There’s a number of sites out there claiming a “free recharge code” (presumably they mean call credits) will be posted to your Orkut scrapbook, but only if you take some random Javascript code – oh dear – and paste it into your browser.

We’ve seen that particular wheeze before, but let’s see what they’re doing with it here. This is one of the sites in question:

Recharge your phone, honest
Click to Enlarge

Shall we take a look at the Javascript?

lots of code

You may be able to see the URL already. Let’s clean it up a little bit:

yet more code
Click to Enlarge

Can you see it yet? “Snurl(dot)com/fr33ee”.

That triggers a big page of javascript code located at orkutaddict(dot)net/freerecharge/dpd(dot)js. At this point, the path branches off depending on whether you’re logged into Orkut or not. If you’re not, you’ll see this popup:

orkut popup
Click to Enlarge

“We are done now, login to Orkut and you’ll have your free recharge in just 24 hours”.

You’re then dumped at the following page, located at freerecharge(dot)orkutaddict(dot)net:

orkut login, honest
Click to Enlarge

“Sign in to OrkutPorn with your Google Account”.

Yeah, right.

Now we’ll see what happens if the victim posts the javascript into their browser while logged into Orkut. First you’re asked for your mobile number:

mobile, please

Then you’re given a collection of popup boxes promising you wonderful “recharge codes”.

wait 5 minutes

here it comes

After all of that, you’re dumped at a site flagged as a Phish:

phishy phishy
Click to Enlarge

Worse, your Orkut account has started to spam out messages galore:

spam

Here’s another one:

code

Even better(!), they’ve automatically signed you up to a collection of groups.

orkut groups

While Orkut Codes and Orkut Tools look legit, the middle group with 1,811 “members” is clearly related to this particular shenanigan. As you’ve probably guessed, all of the spamlinks on the profiles and in the group take you to more sites asking victims to cut and paste Javascript into their browser – many of which give you rather cheeky popups like this one begging for free advert clicks:

click my ads!

In conclusion, then, we have a whole bunch of dodgy Javascript, phish pages, advert clicking, spammed messages on profiles and popup boxes asking for mobile phone numbers.

Is this the concluding part of the writeup where I advise you to avoid the above at all costs?

You better believe it.

Christopher Boyd





No comments:

Post a Comment