Facebook names $2m 'Koobface' hacking gang
Published 18/01/2012 | 07:56
FACEBOOK has publicly identified a gang of five alleged cyber criminals it believes are behind Koobface, a piece of malicious software that has hijacked hundreds of thousands of Facebook users’ computers and made millions for its creators.
After an investigation by Facebook and several independent security researchers, the gang behind Koobface have been named as a group of Russians operating relatively openly in central St Petersburg.
According to their own social networking profiles, the five men have enjoyed a luxurious lifestyle. On one group holiday, they visited Spain, Nice and Monte Carlo, before ending the trip at a casino in Germany, according to Sophos, a British security firm involved in the investigation.
The gang were “living the life of the rich and famous”, Sophos said.
Facebook said it has known the identities of the gang for some time, but has decided to name them publicly after being frustrated by the lack of law enforcement action against them. The Telegraph has chosen not to name them for legal reasons.
“We’ve had a picture of one of the guys in a scuba mask on our wall since 2008,” said Ryan McGeehan, manager of investigations at Facebook.
“People who engage in this type of stuff need to know that their name and real identity are going to come out eventually and they’re going to get arrested and they’re going to be targeted,” added Joe Sullivan, Facebook's chief security officer.
The Koobface computer “worm” first emerged in 2008 and spread itself by sending fake messages on Facebook and other social networks to its victims’ friends. If the recipient of the message clicked on a link that promised “you look just awesome in this movie”, or similar, they were directed to a website that told them to update their Adobe Flash software.
Those who fell for the trick actually downloaded software that took control of their computer and recruited it into a “botnet”. The infected machines, a global network of Windows and Mac computers under the gang’s control, were then bombarded with advertisements for fake antivirus software. Victims’ Google searches were also hijacked to deliver traffic to crooked websites.
The Russian security firm Kaspersky Lab estimates that at its largest in 2010 the botnet comprised up to 800,000 computers. Between June 2009 and June 2010 the scam netted the Koobface gang $2m, according to a report by internet security academics.
The gang were tracked down via a complicated trail of digital footprints. According to Sophos, the gang made technical mistakes in how they configured the computer they used to control their botnet. Those errors allowed investigators to gather information that led to the gang’s online nicknames, which in turn led to their alleged real identities.
“It is this imperfection, paired with a sense of ‘criminal arrogance’ and an uncontrollable threat environment such as the internet, that ultimately led to the identification of multiple suspects forming the Koobface gang,” Sophos said.
Investigators also found a photo with intact “metadata” that showed it was taken in central St Petersburg. One member of the gang later revealed their exact coordinates by “checking in” to Foursquare, a social network based on users’ locations.
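The photo clue above hinges on EXIF metadata: a camera or phone can write a GPS sub-IFD into a JPEG’s APP1 segment, and anyone who later obtains the file can read the coordinates straight back out. As an added illustration that is not part of the original article, and not code from Facebook, Sophos or the investigators, the Python below builds a minimal EXIF-bearing JPEG with a GPS sub-IFD (the image bytes and the coordinate, a point in central St Petersburg, are constructed here and have nothing to do with the actual photo), parses the coordinates back out the way a forensic tool would, and shows the countermeasure of stripping the APP1 segment before a picture is published.

```python
import struct

SOI, APP1, EOI = b"\xff\xd8", b"\xff\xe1", b"\xff\xd9"
TAG_GPS_IFD = 0x8825                                     # IFD0 pointer to the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 1, 2, 3, 4  # GPS IFD tags
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _entry(tag, typ, count, value):
    """One 12-byte IFD entry; value is an offset (int) or <=4 inline bytes."""
    if isinstance(value, int):
        value = struct.pack(">I", value)
    return struct.pack(">HHI", tag, typ, count) + value.ljust(4, b"\0")


def build_geotagged_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Minimal big-endian EXIF JPEG: SOI, APP1 with a GPS sub-IFD, EOI (no image data)."""
    gps_ifd_off = 8 + 2 + 12 + 4                # TIFF header, then IFD0 with one entry
    data_off = gps_ifd_off + 2 + 4 * 12 + 4     # GPS IFD with four entries, then rationals
    ifd0 = struct.pack(">H", 1) + _entry(TAG_GPS_IFD, TYPE_LONG, 1, gps_ifd_off) + bytes(4)
    gps = struct.pack(">H", 4)
    gps += _entry(TAG_LAT_REF, TYPE_ASCII, 2, lat_ref.encode() + b"\0")
    gps += _entry(TAG_LAT, TYPE_RATIONAL, 3, data_off)          # 3 RATIONALs = 24 bytes
    gps += _entry(TAG_LON_REF, TYPE_ASCII, 2, lon_ref.encode() + b"\0")
    gps += _entry(TAG_LON, TYPE_RATIONAL, 3, data_off + 24)
    gps += bytes(4)                                             # no next IFD
    rationals = b"".join(struct.pack(">II", n, d) for n, d in lat_dms + lon_dms)
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps + rationals
    payload = b"Exif\0\0" + tiff
    return SOI + APP1 + struct.pack(">H", len(payload) + 2) + payload + EOI


def _segments(jpeg):
    """Yield (marker, payload) for each marker segment up to EOI."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos:pos + 2] != EOI:
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield jpeg[pos:pos + 2], jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length


def _read_ifd(tiff, off, fmt):
    """Map tag -> (type, count, raw 4-byte value/offset field) for the IFD at off."""
    count = struct.unpack(fmt + "H", tiff[off:off + 2])[0]
    entries = {}
    for i in range(count):
        e = off + 2 + 12 * i
        tag, typ, n = struct.unpack(fmt + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def _dms_to_decimal(tiff, fmt, raw):
    off = struct.unpack(fmt + "I", raw)[0]
    d, m, s = (n / den for n, den in struct.iter_unpack(fmt + "II", tiff[off:off + 24]))
    return d + m / 60 + s / 3600


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the EXIF GPS IFD, or None if absent."""
    for marker, payload in _segments(jpeg):
        if marker != APP1 or not payload.startswith(b"Exif\0\0"):
            continue
        tiff = payload[6:]
        fmt = ">" if tiff[:2] == b"MM" else "<"           # byte order from the TIFF header
        ifd0 = _read_ifd(tiff, struct.unpack(fmt + "I", tiff[4:8])[0], fmt)
        if TAG_GPS_IFD not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(fmt + "I", ifd0[TAG_GPS_IFD][2])[0], fmt)
        if TAG_LAT not in gps or TAG_LON not in gps:
            return None
        lat = _dms_to_decimal(tiff, fmt, gps[TAG_LAT][2])
        lon = _dms_to_decimal(tiff, fmt, gps[TAG_LON][2])
        if gps.get(TAG_LAT_REF, (0, 0, b"N"))[2][:1] == b"S":
            lat = -lat
        if gps.get(TAG_LON_REF, (0, 0, b"E"))[2][:1] == b"W":
            lon = -lon
        return lat, lon
    return None


def strip_exif(jpeg):
    """Drop every EXIF APP1 segment before sharing: the step the photo above evidently skipped."""
    out = SOI
    for marker, payload in _segments(jpeg):
        if not (marker == APP1 and payload.startswith(b"Exif\0\0")):
            out += marker + struct.pack(">H", len(payload) + 2) + payload
    return out + EOI


if __name__ == "__main__":
    # Constructed sample: 59°56'3.24"N 30°18'56.1"E, a point in central St Petersburg,
    # chosen only to illustrate the article, not taken from the gang's photo.
    img = build_geotagged_jpeg([(59, 1), (56, 1), (324, 100)], "N",
                               [(30, 1), (18, 1), (561, 10)], "E")
    print("tagged:", extract_gps(img))
    print("stripped:", extract_gps(strip_exif(img)))
```

The parser honours the TIFF byte-order mark, so it reads little-endian (“II”) files as well as the big-endian one built here. GPS position is only the most obvious leak: real files also carry timestamps, camera serial numbers and vendor maker notes in the same segment, which is why wholesale removal of APP1, rather than blanking individual tags, is the safer default before an image leaves your control.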
Facebook said it banished the Koobface worm in March last year after aggressive countermeasures prompted the gang to give up targeting the world’s largest social network.
“We fired all the different guns at the same time,” said Mr Sullivan. “If we could literally shut down the command-and-control, all the infections, and just make them have to start over from scratch in all contexts, we figured they might decide to move on.”
The gang is still targeting smaller services, however.
“Now we have to wait and see what, if any, action the authorities will take against the Koobface gang,” said Graham Cluley of Sophos.
The gang, who are not known to be under investigation by authorities, have not responded to email requests for comment on Facebook's allegations.