December 21, 2024

Koobface Gang Uses Facebook to Spread Powerful Worm

Five men believed to be responsible for spreading a notorious computer worm on Facebook and other social networks — and to have pocketed several million dollars from online schemes — are hiding in plain sight in St. Petersburg, Russia, according to investigators at Facebook and several independent computer security researchers.

The men live comfortable lives in St. Petersburg — and have frolicked on luxury vacations in places like Monte Carlo, Bali and, earlier this month, Turkey, according to photographs posted on social network sites — even though their identities have been known for years to Facebook, computer security investigators and law enforcement officials.

One member of the group, popularly known as the Koobface gang, has regularly broadcast the coordinates of its offices by checking in on Foursquare, a location-based social network, and posting the news to Twitter. Photographs on Foursquare also show other suspected members of the group working on Macs in a loftlike room that looks like offices used by tech start-ups in cities around the world.

Beginning in July 2008, the Koobface gang targeted Web users with invitations to watch a funny or sexy video. Those curious enough to click the link got a message to update their computer’s Flash software, which instead began the download of the Koobface malware. Victims’ computers were drafted into a “botnet,” or network of infected PCs, and were sent official-looking advertisements for fake antivirus software; their Web searches were also hijacked and the clicks delivered to unscrupulous marketers. The group made money from people who bought the bogus software and from unsuspecting advertisers.

The security software firm Kaspersky Labs has estimated the network includes 400,000 to 800,000 PCs worldwide at its height in 2010. Victims are often unaware their machines have been compromised.

The Koobface gang’s freedom underscores how hard it is to apprehend international computer criminals, even when identities are known. These groups tend to operate in countries where they can work unmolested by the local authorities, and where cooperation with United States and European law enforcement agencies is poor. Meanwhile, Western law enforcement is awash in computer crime and lacks the resources and skilled manpower to tackle it effectively, especially when evidence putting individuals’ fingers on keyboards must be collected abroad.

On Tuesday, Facebook plans to announce that it will begin sharing information about the group and how to fight them with security researchers and other Internet companies. It believes public namings can make it harder for such groups to operate and send a message to the criminal underground.

None of the men have been charged with a crime and no law enforcement agencies have confirmed they are under investigation.

The group investigators have identified has adopted the tongue-in-cheek name Ali Baba 4: Anton Korotchenko, who uses the online nickname “KrotReal”; Stanislav Avdeyko, known as “leDed”; Svyatoslav E. Polichuck, who goes by “PsViat” and “PsycoMan”; Roman P. Koturbach, who uses the online moniker “PoMuc”; and Alexander Koltysehv, or “Floppy.”

Efforts to contact members of the group for comment have been unsuccessful.

Weeks after early versions of the Koobface worm began appearing on Facebook, investigators inside the company were able to trace the attacks to those responsible. “We’ve had a picture of one of the guys in a scuba mask on our wall since 2008,” said Ryan McGeehan, manager of investigations and incident response at Facebook.

Since then, Facebook and several independent security researchers have provided law enforcement agencies, including the Federal Bureau of Investigation, with information and evidence. Most notably, Jan Droemer, a 32-year-old independent researcher in Germany, has provided important information and leads, including a password-free view inside Koobface’s command-and-control system, known as the “Mothership.” Mr. Droemer spent nights and weekends for four months in late 2009 and early 2010 unmasking the gang members using only information available publicly on the Internet.

The F.B.I. declined to comment.

The fact that computer crime pays is fueling a boom that is leaving few Internet users and businesses unscathed. The toll on consumers alone is estimated at $114 billion annually worldwide, according to a September 2011 study by the security software maker Symantec.

Article source: http://feeds.nytimes.com/click.phdo?i=750362dfbcefecdb93ac97b03dd9f87c