Facebook has taken the unusual step of making public the names and personal details of five men it believes to be behind the Koobface computer worm that attacked hundreds of thousands of computers through the social network’s profiles.
The alleged gang appear to be living in St Petersburg and were tracked by Facebook and a team of researchers over three years.
None of the men has been arrested or charged with any offences related to Koobface. However, by making their names public, Facebook appears to be trying to force the Russian authorities to look into the issue.
“We have spoken to the FBI and the German and UK authorities, and it appears there has not been much traction on the Russian side on this case. Maybe Facebook became frustrated and decided to take a more hard line on it,” said Graham Cluley, senior technology consultant at Sophos. One of Sophos’ researchers, Dirk Kollberg, was part of the team tracking down the Koobface gang.
“There is enough evidence there that these guys should be questioned and their computers looked at,” Mr Cluley said.
Russia is often criticised for being slow to act in cyber-crime cases, and a vast majority of investigations into hacking attacks end up being abandoned at the country’s borders.
“St Petersburg might as well be on the far side of the moon,” Mr Cluley said.
The Koobface virus first surfaced in 2008, and spread through social networking sites, where it encouraged users to click on bogus links to online videos. Researchers estimate that the gang made around $2m a year from exploiting the hacked computers.
The Sophos team published a blow-by-blow account of how the Koobface gang was identified, and this contains several interesting lessons.
Above all, it demonstrates just how many digital breadcrumbs people – even canny cybercriminals – leave on the internet. The alleged Koobface hackers were tracked through their social networking profiles, pictures posted by their wives and girlfriends, and the sale of items such as cars and kittens online. Most of it was publicly available information that was simply linked together by the hard graft of investigators.
The investigators watched videos of the men on holiday and knew from their postings on Foursquare their movements across St Petersburg – seeing even the stubs of the cinema tickets they had purchased.
When the details of their identities began to leak into the public domain, some of the gang shut down their social networking pages. But the investigators soon found the new ones they had created because their friends were linking to those.
This campaign is a curious strategy by Facebook. As much as the company gains kudos for its aggressive approach to hunting down cybercriminals, it also shows ordinary social network users just how much can be exposed through their profiles. There is nowhere to hide.

