91Èȱ¬

Facebook Koobface worm 'hacker gang named'

  • Published
Sophos network diagram
Image caption,

Sophos researchers identified a network of connections linking group members

Alleged cybercriminals behind an internet worm, which spread via Facebook and other social networks, have been named.

The suspected gang were tracked down to St Petersburg after an investigation by Facebook and cybersecurity researchers.

The worm gave the gang control of hundreds of thousands of computers.

While not the largest such network of hijacked machines or "botnet", the so-called Koobface worm is notable for its targeting of social networks.

The security company Sophos published details of an

The report, based on work by independent researcher Jan Dromer, and the firm's Dirk Kollberg, details how the suspects were tracked down.

Graham Cluley, a senior technology consultant at Sophos, told the 91Èȱ¬ he believed they had identified the right people: "We're pretty confident. I mean obviously we have to assume these people are innocent until proven guilty

"It's very difficult to be 100% certain of these things. Of course it's always possible that someone could be trying to frame these people, but the evidence feels pretty strong to us. Certainly there's enough evidence to investigate these people."

None of the alleged gang members have been arrested or charged with offences connected to Koobface.

The 91Èȱ¬ attempted to contact members of the group via a business linked to the gang but was unsuccessful.

Security researchers say Koobface became active in 2008.

The worm spread through social networks, presenting users with bogus links to online videos.

The links encouraged users to install a copy of the Koobface malware masquerading as a Flash update.

The worm was even able to create fake social networking profiles able to propagate the malware.

"It can create Facebook accounts and then use those accounts to start sending links to people," Mr Cluley said.

Researchers believe that up to 800,000 machines could have been infected by the worm.

Facebook is expected to share details of the gang with security and internet companies later.

Mr Cluley is aware that publishing details of the suspects will affect the inquiry into their activities: "These sort of investigations can take years. I think in an ideal world then these identities wouldn't have become public knowledge. But the cat is out of the bag now and we have to take a different tactic.

"We've been sharing this information now for a couple of years with law enforcement agencies in the USA, UK and Germany who've been working with their Russian colleagues. What we really need now is some way to stop them [the gang] taking advantage of people," he said.

Money trail

Clues discovered on the server used to control machines hijacked by the Koobface worm helped researchers track the gang down.

The Sophos report suggests that, far from maintaining a low-profile, the alleged cybercriminals were able to hide in plain sight. Researchers were even able to closely follow the cybercriminals movements via social networking sites according Mr Cluley: "They are all over the internet. We were able to track them on the likes of Foursquare so we could actually track some of them hour by hour."

The company estimates the gang was making in the region of $2m every year. But Mr Cluley says that the cybercriminals' desire to keep an eye on their earnings assisted the researchers.

"They were receiving daily SMS updates on how much money they were making, because we saw that - we could also see their phone numbers."

He says there is some frustration at the slow response of the authorities: "It's pretty well known who they are now, we just need the Russian police to go and investigate this and stop them."

Facebook was not available for comment, however speaking to the New York Times, Joe Sullivan the firm's chief security officer said people who engaged in this type of cybercrime "need to know that their name and real identity are going to come out eventually".

Related internet links

The 91Èȱ¬ is not responsible for the content of external sites.