Infection Links Target Orkut Users On Twitter

Orkut has long been a popular target for hackers, and we’ve come across evidence of Orkut users being targeted via Twitter pages carrying infection links. Here is the page in question, the profile carrying three links that have been sent out to the 17 people following the profile (and also fired into the “all-users” timeline):

orktwit1.jpg


As you can see, we’ve already clicked one of the links, which requests one of the three executables linked to from the page. (The messages themselves say things like “To download the album with photos from the profile directly from orkut click on the link below” and “Take a look at the pictures” in Portuguese, according to Google Translator!)

The pages linked to either try to get you to download an infection file straight away or pretend you’re installing a Flash update:

orktwit2.jpg

orktwit3.jpg

Once the files are run on the end user’s PC, a variety of malicious files will be installed and various types of data theft may be attempted. For example, one of the EXEs will pop open the Orkut website in what is obviously an attempt to get you to fill in your user details:

orktwit5.jpg


Of course, you need to sign into Orkut with your Google Account, so if you happen to see the Orkut website magically appear on your desktop prompting you to log in, think twice about entering your login until you can ensure your PC is free of infection. “Luckily”, you’ll have a very large clue in the form of the following error messages constantly cycling on your desktop:

orktwit6.jpg

Similarly, run one of the other files and you’ll end up with this rather happy-looking person appearing in your web browser:

orktwit4.jpg

Apparently “Malandro” means “trickster” in Portuguese - I don’t know about you, but I would tend to suspect all is not well with my PC when something like that shows up unannounced! As with many Orkut-themed / targeted attacks, the files being used are a collection of older attacks, with some pieces clearly being reused from this infection.

What’s particularly interesting to me is the use of Twitter to push these Orkut attacks, and also the fact that the attackers have seemingly created the majority of the profile’s 17 followers – presumably to make the infection-link-carrying profile seem more legitimate and part of a small group or community of friends.

orktwit7.jpg


Most of them have no user image, random-sounding names and (the dead giveaway) most of them are following each other, despite none of them seemingly sending out any messages since joining that would make people want to follow them in the first place. The small number of messages sent from the profile would tend to suggest a trial run, perhaps – or maybe they have many accounts and are sending out only a few tweets at a time from each one to keep themselves under the radar.
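The follower pattern described above (no user image, no messages sent, mostly following each other) can be checked mechanically. The following is an added example, not part of the original post: it scores a profile's follower set on those three signals using constructed account data, and the field names and thresholds are assumptions.

```python
from itertools import permutations

# Constructed sample data (not from the original post): each account has an
# avatar flag, a tweet count, and the set of accounts it follows.
ACCOUNTS = {
    "lure": {"avatar": True,  "tweets": 3,   "follows": {"a1", "a2", "a3", "a4"}},
    "a1":   {"avatar": False, "tweets": 0,   "follows": {"lure", "a2", "a3", "a4"}},
    "a2":   {"avatar": False, "tweets": 0,   "follows": {"lure", "a1", "a3"}},
    "a3":   {"avatar": False, "tweets": 0,   "follows": {"lure", "a1", "a2", "a4"}},
    "a4":   {"avatar": True,  "tweets": 0,   "follows": {"lure", "a1", "a3"}},
    "news": {"avatar": True,  "tweets": 900, "follows": {"r1"}},
    "r1":   {"avatar": True,  "tweets": 40,  "follows": {"news", "r2"}},
    "r2":   {"avatar": True,  "tweets": 12,  "follows": {"news"}},
    "r3":   {"avatar": False, "tweets": 5,   "follows": {"news"}},
}

def followers_of(profile, accounts):
    """Sorted list of accounts that follow the given profile."""
    return sorted(n for n, a in accounts.items() if profile in a["follows"])

def follower_cluster_signals(profile, accounts):
    """Measure the three giveaways from the post across a profile's followers."""
    fans = followers_of(profile, accounts)
    if len(fans) < 2:
        return {"followers": len(fans), "density": 0.0, "silent": 0.0, "no_avatar": 0.0}
    # Density: share of possible follower -> follower links that actually exist.
    pairs = list(permutations(fans, 2))
    edges = sum(1 for a, b in pairs if b in accounts[a]["follows"])
    return {
        "followers": len(fans),
        "density": edges / len(pairs),
        "silent": sum(accounts[f]["tweets"] == 0 for f in fans) / len(fans),
        "no_avatar": sum(not accounts[f]["avatar"] for f in fans) / len(fans),
    }

def looks_seeded(profile, accounts, density_min=0.5, silent_min=0.8, no_avatar_min=0.5):
    """True when followers are dense, silent and mostly faceless (assumed thresholds)."""
    s = follower_cluster_signals(profile, accounts)
    return (s["followers"] >= 2 and s["density"] >= density_min
            and s["silent"] >= silent_min and s["no_avatar"] >= no_avatar_min)

if __name__ == "__main__":
    for name in ("lure", "news"):
        print(name, follower_cluster_signals(name, ACCOUNTS), looks_seeded(name, ACCOUNTS))
```
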

In some ways, then, this is a refinement of the attack noted by Kaspersky here because they’re targeting a specific group of users instead of taking the “Come and get it, everybody” approach. Obviously, just because you don’t use Orkut doesn’t mean you’re safe from this – the URLs are entirely indiscriminate with regard to who clicks them and becomes infected, so if you see any profiles on Twitter that mention Orkut with hyperlinks that reference “Photo albums” or “galleries” (the oldest Orkut-targeted infection tactic in the book), steer well clear. For now, we’ve notified Twitter of this particular profile.

We detect this as Orkontron.

(Thanks to Senior Threat Researcher Chris Mannon for additional research).
