Facebook to unmask, send message to Koobface Gang
The world's largest social network will start sharing information it has gathered about the group, and engage in "public namings" to fight back.
Koobface has been a thorn in the side of Web sites for years now. But starting today, Facebook is responding with salvos that could put the gang on the run.
According to The New York Times, the world's largest social network will announce today that it's planning to share boatloads of information it has gathered over the years about the Koobface Gang. The Times said today that Facebook believes "public namings" could go a long way toward stopping the gang from operating, and potentially help law enforcement officials start taking it down.
Koobface is responsible for a computer worm of the same name that, for over three years, has targeted social networks, including Facebook. The worm targets Windows and Mac OS X users by getting them to click on malicious links. The malware is notable for . The people behind Koobface make money by using the peer-to-peer botnet to download pay-per-install malware on computers and redirecting search queries to display ads.
Though Facebook is expected to offer up a relatively large data dump, security firm Sophos has preempted that, revealing a host of details on the gang, including its real name, "Ali Baba & 4." Both The New York Times and Sophos claim to have the names of the gang members, who, the sources say, work out of St. Petersburg.
Facebook has had some information on the gang since 2008, Ryan McGeehan, Facebook manager of investigations and incident response, told the Times. And over the last several years, it has continued to gather intelligence and safeguard users from attacks.
Finding information didn't prove to be as difficult as originally believed. According to Sophos, independent researcher Jan Drömer and Dirk Kollberg of SophosLabs spent months researching the people alleged to be behind Koobface, and found that they were sloppy in their execution.
The first chink in the Koobface armor occurred when the researchers found that the gang had made its file and directory names open to public access. Though the mistake was resolved in October 2009, according to Sophos, the gang then installed a Webalizer statistics tool "in a publicly accessible way, allowing for an even better insight into the structures of their Command and Control system."
From that, the researchers were able to find a series of IP addresses, including one called the "Koobface Mothership," which provided a treasure trove of information, including revenue statistics sent to the gang via text messages to five mobile phones in Russia.
But that was just the beginning. According to Sophos, the alleged gang members posted pictures of themselves on Twitter and other services, regularly checked in to their offices on Foursquare, and even tried selling a BMW 3 Series, asking folks to phone them at the same number found in the Koobface servers. Friends and family who posted images on social networks of the men also proved to be a weak link.
So, what has the gang been doing all this time? According to the Times, living it up. The publication says images on social networks reveal the men have been going on "luxury vacations" around the world, including to Monte Carlo and Bali. Earlier this month, one of the alleged members went to Turkey. It is believed the gang has generated several million dollars since launching Koobface, giving alleged members the cash they need to do what they want, when they want.
Now that so much information is known about the Koobface gang, and Facebook plans to work with other Web sites and organizations to stop the threat, surely law enforcement will move in, right? It's tough to say. As Sophos points out, officials have all the pertinent information they need, but whether they'll find the alleged gang members in violation of a crime remains to be seen.
In certain countries around the world, it's extremely hard for alleged cybercriminals to be charged. Russia happens to be one of them.
Facebook did not immediately respond to CNET's request for comment.