Web Gang Operating in the Open

The New York Times

By RIVA RICHMOND

January 16, 2012

A member of the Koobface gang posted to Foursquare, showing an office, complete with coordinates, in St. Petersburg.

The men live comfortable lives in St. Petersburg — and have frolicked on luxury vacations in places like Monte Carlo, Bali and, earlier this month, Turkey, according to photographs posted on social network sites — even though their identities have been known for years to Facebook, computer security investigators and law enforcement officials.

One member of the group, which is popularly known as the Koobface gang, has regularly broadcast the coordinates of its offices by checking in on Foursquare, a location-based social network, and posting the news to Twitter. Photographs on Foursquare also show other suspected members of the group working on Macs in a loftlike room that looks like offices used by tech start-ups in cities around the world.

Beginning in July 2008, the Koobface gang aimed at Web users with invitations to watch a funny or sexy video. Those curious enough to click the link got a message to update their computer’s Flash software, which begins the download of the Koobface malware. Victims’ computers are drafted into a “botnet,” or network of infected PCs, and are sent official-looking advertisements of fake antivirus software and their Web searches are also hijacked and the clicks delivered to unscrupulous marketers. The group made money from people who bought the bogus software and from unsuspecting advertisers.

The security software firm Kaspersky Labs has estimated the network includes 400,000 to 800,000 PCs worldwide at its height in 2010. Victims are often unaware their machines have been compromised.

The Koobface gang’s freedom underscores how hard it is to apprehend international computer criminals, even when identities are known. These groups tend to operate in countries where they can work unmolested by the local authorities, and where cooperation with United States and European law enforcement agencies is poor. Meanwhile, Western law enforcement is awash in computer crime and lacks the resources and skilled manpower to tackle it effectively, especially when evidence putting individuals’ fingers on keyboards must be collected abroad.

On Tuesday, Facebook plans to announce that it will begin sharing information about the group and how to fight them with security researchers and other Internet companies. It believes public namings can make it harder for such groups to operate and send a message to the criminal underground.

None of the men have been charged with a crime and no law enforcement agencies have confirmed they are under investigation.

The group investigators have identified has adopted the tongue-in-cheek name, Ali Baba & 4: Anton Korotchenko, who uses the online nickname “KrotReal”; Stanislav Avdeyko, known as “leDed”; Svyatoslav E. Polichuck, who goes by “PsViat” and “PsycoMan”; Roman P. Koturbach, who uses the online moniker “PoMuc”; and Alexander Koltyshev, or “Floppy.” )

Efforts to contact members of the group for comment have been unsuccessful.

Weeks after early versions of the Koobface worm began appearing on Facebook, investigators inside the company were able to trace the attacks to those responsible. “We’ve had a picture of one of the guys in a scuba mask on our wall since 2008,” said Ryan McGeehan, manager of investigations and incident response at Facebook.

Since then, Facebook and several independent security researchers have provided law enforcement agencies, including the Federal Bureau of Investigation, with information and evidence. Most notably, Jan Droemer, a 32-year-old independent researcher in Germany, has provided important information and leads, including a password-free view inside Koobface’s command-and-control system, known as the “Mothership.” Mr. Droemer spent nights and weekends for four months in late 2009 and early 2010 unmasking the gang members using only information available publicly on the Internet.

The F.B.I. declined to comment.

That computer crime pays is fueling a boom that is leaving few Internet users and businesses unscathed. The toll on consumers alone is estimated at $114 billion annually worldwide, according to a September 2011 study by the security software maker Symantec.

Russia, in particular, has a reputation as a hacker haven, although it has pursued several prominent cases against spammers recently. The Soviet education system’s emphasis on math and science combined with post-Communist economic collapse and weak private industry meant there were many highly trained engineers, but few legitimate outlets for their skills, said Vsevolod Gunitskiy, an assistant professor at the University of Toronto.

“Russia is sort of a perfect storm for cybercrime,” he said. The proliferation of organized crime and official corruption created “this very strong legacy of contempt for the laws and general culture of criminality.”

The Russian Embassy in Washington said it does not have any information regarding this group and that American law enforcement officials had never contacted the embassy on this issue.

The men investigators believe are behind Koobface look a lot like ordinary software enthusiasts, albeit with more tattoos and an outlaw persona. Mr. Avdeyko, who is two decades older than the other men and has been tied to an infamous spyware program dating to 2003 called CoolWebSearch, appears to hold a leadership role.

He and at least two of the other men have worked in the world of online pornography, said Mr. Droemer. Mr. Korotchenko and several of the other men apparently tried to run a legitimate mobile software and services business, colorfully named MobSoft Ltd. They did not reply to e-mails requesting interviews.

Mr. Droemer said the gang’s success was more attributable to workaday persistence and willingness to adapt than technical sophistication. They could have spread Koobface to many more PCs, he said. “They could have done a lot more technical things to make it more perfect, more marvelous. But there was just no need to do it. They were just investing as much to get the revenue they wanted to get.”

The group cleverly harnessed the infrastructures of powerful online services — from Facebook and Twitter to Google’s search engine and Blogger — to do the heavy lifting, and may have run its enterprise with just a few computers.

Koobface will probably earn its place in history for pioneering and leading the criminal exploitation of social networks, rather than the size of its profits. Data found in the botnet’s command-and-control system suggests the group has earned at least $2 million a year for the 3 1/2 years of its existence, although the actual total is very likely higher, Mr. Droemer said.

Experts say the gang could have further enriched itself through identity fraud, since it has had access to millions of PCs and social-network profiles, but that there is no evidence it has done so.

Indeed, in a 2009 Christmas e-card to security researchers left inside victim computers, the gang vowed it would never steal credit card or banking information. It called viruses “something awful.” Its tactics have been less ruthless than those of many other hacker groups, experts said. For instance, it has never deployed malicious programs that install automatically, and rather has required its victims to make several unwise clicks.

While the Koobface gang operates freely, Facebook has focused on building elaborate defenses against the worm, which relentlessly struck the site again and again until disappearing in March. The gang abandoned the site after Facebook mounted a major counteroffensive, which included an effort to dismantle the command-and-control system of the botnet and a simultaneous push to scrub its network of the worm and clean up infections in users’ PCs.

“We fired all the different guns at the same time,” said Joe Sullivan, chief security officer at Facebook. “If we could literally shut down the command-and-control, all the infections, and just make them have to start over from scratch in all contexts, we figured they might decide to move on.” He hoped they would conclude Facebook was unprofitable, he said.

But Facebook’s effort and two earlier takedown efforts by security researchers — including one by the Bulgarian researcher Dancho Danchev, who revealed the name of one Koobface member on his blog last week — have failed put an end to Koobface, and smaller sites continue to suffer.

“People who engage in this type of stuff need to know that their name and real identity are going to come out eventually and they’re going to get arrested and they’re going to be targeted,” Mr. Sullivan said. “People are fighting back.”

This article has been revised to reflect the following correction:

Correction: January 19, 2012

An article on Tuesday about the Koobface gang, a Russian group believed to be responsible for spreading a notorious computer worm on social networks, misspelled the surname of one man identified by investigators as a member of the group. He is Alexander Koltyshev, not Koltysehv.

Direct Link:  http://www.nytimes.com/2012/01/17/technology/koobface-gang-that-used-facebook-to-spread-worm-operates-in-the-open.html?nl=todaysheadlines&emc=tha26