Koobface ring goes offline after Facebook exposes its members

Facebook appears to have the leaders of the Koobface ring on the run, and authorities are still hoping to catch up with them. After Facebook released the names of those responsible for that malware ring that targeted the social network's users, the group's central command and control server went offline, apparently as a precautionary measure to avoid getting apprehended.

The Koobface worm originated on the social network in 2008 and prompted users to click on a funny or sexy video. Once clicked, the user would be asked to update his or her Adobe Flash plugin, which would install the group's malware instead.

It is estimated the Koobface ring has stolen millions of dollars, and, at the height of the ring, had infected between 400,000 and 800,000 computers.


Related stories:

How to allow social media without getting 'Koobfaced'

Cyber threats in 2012: 5 pain points


However, once the malware ring was found targeting the social network's users in 2008, Facebook security experts started implementing measures to counteract Koobface.

"After more than three years and numerous hours of working closely with industry leaders, the security community and law enforcement, we are pleased to announce that Facebook has been free of infections for over nine months," Facebook Security wrote in a blog posting.

Along with recently shutting down the central node, the group, believed to be located in St. Petersburg, Russia, reportedly deleted all of their profiles. However, according to Graham Cluley, senior technology consultant at Sophos, that will not stop them from being prosecuted using their data history:

"Although social networking accounts have been wiped, security researchers and law enforcement agencies have archives of the vast amount of material already published by Koobface gang members, including photographs, movies, and locations as they checked into sites such as FourSquare.


"That data can be used in a variety of ways. For instance, FourSquare logins can be displayed on Google Earth, allowing researchers to replay how individuals have moved from place to place at certain times."

And this is exactly how Facebook was able to identify what it believes are the ring perpetrators. Many of the members actually checked into the location of the command-and-control hub multiple times with FourSquare over  the company's three-year investigation.

None of the named suspects have been charged as of yet due to issues with Russian law enforcement authorities. "An official request needs to be filed to the K Directorate first, and when it's filed, we will certainly investigate and work on it," Larisa Zhukova, a representative at the cyber unit, said to Reuters. "The request must come from the victim, that is Facebook. Because anyone can say or write anything, but it is all unfounded so far."

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above