Did u suddenly notice that your "about me" in ur orkut profile suddenly changed to spam ?
And also your webpage ! Did it change to something like this ? http://www.aprendendoaqui.com.br
Then U fell for a Phishing Scam !
Link to this article : http://johndasfundas.blogspot.com/2009/08/fake-orkut-page-stole-your-password.html
Phishing means using a fake email or website to fool someone into giving up his/her personal information or username and password.
Orkut is a social networking site very popular in India and Brazil and somewhat popular in the rest of the world, mostly because is now a Google brand.
This particular Orkut phishing used a fake orkut website hosted at a free webserver (so that they did not have to spend any money, and more importantly so that they cannot be traced )
They host it at http://see-my-new-pic.awardspace.biz/ (DONT go to the link !! Atleast don't give ur password there !!)
http://johndasfundas.blogspot.com/2009/08/fake-orkut-page-stole-your-password.html
The links they put in your profile "about me :" are like this :
!! HI GUYS , DO YOU LIKE SEX AND WANT TO MEET SEXY HOT PORNSTARS, AND FUCK THEM? !!
!! THEN CHECK OUT THESE NEW UPDATES DONE BY ORKUT FOR SOME SPECIAL PEOPLEGO HERE TO VIEW WEBCAM OF HOT MODELS
CONDITIONS APPLY
2009 GOOGLE/ORKUT
Its obviously porn spam, and if u click on it, it takes u to a fake orkut page at http://see-my-new-pic.awardspace.biz/
This is in addition to the "webpage:" being changed to http://www.aprendendoaqui.com.br
The second one has been disabled, probably by the appropriate authorities, but the fake page at AwardSpace free hosting is still working as I write this article.
Hope AwardSpace disables the fake site and catches the culprits. Hopefully they can trace the IP address from where it was programmed and set up.
This is probably the free plan of awardspace that they used :
Easy Starter Hosting Plan with 200 MB free space and 5GB/month bandwidth, they can get quite a number of phish from orkut.
And they have cleverly hotlinked the images from the real orkut site, meaning they reduce their bandwidth load and leech it from the real orkut !!!!Q. What should I do if I am affected by http://see-my-new-pic.awardspace.biz scam ?
First of all "DONT PANIC !"
Then, as soon as possible, Change your Password.
If you are able to change your password, very good !
http://johndasfundas.blogspot.com/2009/08/fake-orkut-page-stole-your-password.html
Q. How do I change my orkut password ?
From here https://www.google.com/accounts/ManageAccount
The option is hidden in the settings, which is on the left side of ur orkut page.
Its on your Orkut Home page ( http://www.orkut.co.in/Main#Home.aspx )
On the left side, just above the "invite friends" box, between updates and spam.
Once you click and go to the settings, and scroll to the bottom in "general" tab.
Look for this "to change your password, visit your Google Account Settings "
This is what u want https://www.google.com/accounts/ManageAccount?hl=en-US
Q. What next after changing password ?
Well, if ur profile has been edited and filled with porn links, u might want to remove it !
Go to ur profile page ( http://www.orkut.co.in/Main#Profile.aspx )
Click the "Edit" button for the "about me:" and change it back.
After that, click "View full Profile" (at the bottom)
Scroll to "webpage:" and click the "Edit" button and change ur website ( to http://www.fundazone.com if u want to promote my website)
And u are done !
Don't forget to inform your friends about this fake orkut website. Especially the person in whose profile u accidentally clicked the link.
And better to put it in your scrapbook and even status message for a few days.
Link to this site for the removal instructions.
http://johndasfundas.blogspot.com/2009/08/fake-orkut-page-stole-your-password.html
Hope this has helped someone. I din't think I'll waste so much time in writing this blog post.
EDIT :
A variant puts the following message in the "about me:" Same cure as above.
CHECK MY NUDE PICTURES
http://mysecretpics.blogspot.com
( Redirects to http://mysecretpics.awardspace.biz/ )ALL SKINS POWERED BY
2009 GOOGLE/ORKUT
When will they stop ?
Update :
Is this part of a botnet ?
Here's a list of domains and IP's many are Reported as attack sites.
Rate RED; these have been verified as currently active
Malicious content
Alliance and Leicester phishing botnet
re: http://hphosts.blogspot.com/2009/07/is-your-computer-part-of-alliance-and.html
219.83.125.242
2nd6xui4f.com
68.112.21.204
68.54.210.173
69.250.79.6
74.210.187.149
75.199.109.38
76.115.11.52
79.78.196.168
88.185.146.240
97.90.152.194
alliance-leicester084.com
alliance-leicester184.com
alliance-leicester314.com
alliance-leicester406.com
alliance-leicester450.com
alliance-leicester950.com
finalhookspot.com
justhookupnow.com
my-secret-pics.com
mybank.alliance-leicester084.com
mybank.alliance-leicester184.com
mybank.alliance-leicester314.com
ns1.besthingdomainname.com
ns2.besthingdomainname.com
ns3.besthingdomainname.com
ns4.besthingdomainname.com
ns5.besthingdomainname.com
ns6.besthingdomainname.com
pictures-plug.com
pictures-switch.com
pictures-utube.com
secret-digital-pictures.com
stolen-pictures.com
stolen-shots.com
I previously rated this back in May 2009 from this DNS-BH blog post
my-cheerful-dns.com
ns1.my-cheerful-dns.com
ns2.my-cheerful-dns.com
ns3.my-cheerful-dns.com
ns4.my-cheerful-dns.com
currently parked, but IMO it's best to catch it before it's a problem
citiaccountservices.com
- Here's a "kicker"
This domain's DNS does not resolve, though it previously listed name servers do.
whois - Created: 2009-06-05
Expires: 2010-06-05
Updated: 2009-07-03
Registrant:
Organization : cheng wu
Name yang jing zhong
Address wuhan
City wuhanshi
Province/State : hubeisheng
Country china
Postal Code 430000
Domain Status:On-hold (generic)
besthingdomainname.com
Update :
Orkut now gives a warning when accessing such profiles :
Warning | |
| |
Update :
They have started changing the orkut status message like other orkut worms used to do.
This will increase the rate of spread of this drastically.
CHECK MY NUDE PICTURES : mysecretpics.blogspot .com (remove spaces)
No comments:
Post a Comment