Facebook, researchers turn up heat on Koobface gang
Security researchers are worried that the alleged Russia-based authors of Koobface, a piece of malicious software that plagued social networking sites such as Facebook, may slip away before law enforcement can catch them.
Those concerns come after the publication of a trove of information about the five men, said to be based in St. Petersburg, Russia, that security companies, Facebook and the FBI have been carefully tracking for at least two years.
The men are alleged to have created Koobface, a network of infected computers that have been used to drive traffic to websites that sell Web nuisances such as fake antivirus software. They’ve allegedly made an estimated US$2 million or more since 2008 by infecting computers and directing them to harmful websites, earning a fee for every forced referral.
The information released includes photographs, email addresses, names they used on social networking sites and physical locations—essentially, enough detail to walk to their offices, knock on the door and call them by name.
The first leak came on Jan. 9 from Dancho Danchev, a security researcher and writer who posted extensive information on his blog about Anton Korotchenko, one of those accused. Danchev harvested a wealth of information that Korotchenko, who went by the nickname “KrotReal,” publicly posted on services such as Twitter and Foursquare.
Danchev said on Tuesday that he publishes “what I research, and my intention is to actually speed up the investigation of the Koobface botnet masters.” He added that he released the information because he is “very frustrated as it’s been years that the security community has known and shared their data with law enforcement.”
Much of the information was already known throughout the security community. A “top secret cabal,” known as the Koobface Working Group, had drawn together researchers from a variety of security companies to track the group, said Graham Cluley, senior technology consultant for Sophos.
In fact, Sophos had performed an exhaustive investigation and prepared a paper scheduled for presentation at a Virus Bulletin security conference last year, said Dirk Kollberg, one of its authors. But because the FBI was involved in the investigation, the presentation was canceled.
“We had to wait to not risk giving law enforcement the chance to take action,” Kollberg said.
But after Danchev’s writeup, Sophos decided to release the report on Tuesday. Kollberg said “it’s a shame” the initial information was released, as it could hurt law enforcement investigations.
The New York Times also published an article on the leak on Tuesday, writing that Facebook plans to disclose more information on the group. Facebook’s move is unprecedented, as most technology companies rarely reveal such detailed information on people they allege are doing something criminal.
The men have not been charged by Russian authorities. The other four men have been identified as Alexander Koltyshev, Roman Koturbach, Syvatoslav Polinchuk and Stanislav Avdeiko. Korotchenko did not respond to instant messages or emails sent on Monday.
Danchev published more than 35 photographs of Korotchenko, including his ICQ name, phone number, email addresses and nicknames on Flickr, Twitter, Foursquare and Vkontakte.ru, a Russian social networking site.
Kollberg of Sophos had also collected much information on Korotchenko, who was an avid user of Foursquare, a location-based application where people can “check in” to places. Korotchenko frequently did, up to three or four times a day. Kollberg plotted Korotchenko’s check-in locations and posts on Twitter into Google Earth.
“It looks awesome,” Kollberg said. “You can take a tour and follow his trail.”
But the trail may soon grow cold. Since the public release of the information, all of Korotchenko’s accounts have vanished. The release may pose a larger problem for the FBI, which Kollberg said Sophos has had contact with since December 2009 on the case.
The FBI does not confirm ongoing investigations. Spokeswoman Jenny Shearer said on Tuesday she could not comment on Koobface. The FBI has agents that specialize in cybercrime investigations in the Ukraine, Romania, Estonia and the Netherlands, but does not have those kinds of agents based in the U.S. Embassy in Moscow, she said.
Russia has been frequently characterized as a hotbed of cybercrime and security researchers have noted that the country is difficult to work with on investigations. Russia is not a party to the Convention on Cybercrime, also known as the Budapest Convention. The treaty, which was opened for signatures in November 2001, sets guidelines for laws and procedures for dealing with Internet crime. Russia has opposed the treaty on grounds that it contains provisions the country alleges violate international law norms and countries’ sovereignty.
Cybercriminals can take advantage of the lack of coordination between countries and “hide between the cracks,” said David Emm, senior security researcher for the Russian security vendor Kaspersky Lab. “It’s great to have joined-up initiatives, but actually if some of the key areas in terms of cybercrime development are not signed up, that leaves a bit of a hole,” he said.
The alleged creators of Koobface may take advantage of that and try to melt away or assume other identities now that the heat has been turned up, said Alex Kuzmin, the U.S. director for Group-IB, a security company based in Moscow.
“We certainly think that exposing further information on those individuals involved in the Koobface botnet … might in fact spoil or harm the ongoing investigation,” Kuzmin said.
It is not unprecedented for Russian cybercriminals to occasionally take drastic action to avoid getting caught, including obtaining fake identification and even plastic surgery, Kuzmin said.
Group-IB tracked a man who targeted a Russian e-payments provider called QIWI, Kuzmin said. He was nearly apprehended in 2009 by Russian police, but fled to western Siberia where be obtained fake identification, had plastic surgery and “returned to the cybercriminal underworld as a new man” before eventually being caught, Kuzmin said.