Cybercriminals unveiled

For three-and-a-half years, Koobface operated as a cybercriminal gang that fooled Facebook users into watching links to YouTube videos that were actually a piece of malware. That malware then infected these computers and made them part of a botnet, a vast network of computers worldwide that can be controlled remotely. Then, the Koobface gang would trick the users again by serving up advertisements, send them fake computer security warnings and offer to sell them bogus software.

Experts believe that somewhere between 400,000 and 800,000 users were infected -- enough to earn the Russians behind Koobface millions of dollars. But, last week, the Koobface botnet went dark, suspending operations, after being exposed by a Bulgarian cybersecurity researcher.

Deutsche Welle contacted this researcher, Dancho Danchev last week at his home office in Sofia, Bulgaria.

Deutsche Welle: Last week, you published a number of personal details of the leaders of the Koobface gang. Who are they?

Dancho Danchev: Koobface is a group of several people based in St. Petersburg, Russia. I've been tracking them for the last 2.5 years. What's interesting is that they've pioneered the propagation of cybercrime on social networking software, particularly on Facebook, where they've earned over $2 million (1.5 million euros). And, they've pioneered the breaking of CAPTCHA on social networking websites by outsourcing it to other victims.

How did you first notice them?

I'm part of an invite-only group of cybersecurity researchers, who had started tracking them. I expressed an interest in tracking them because they were propogating across Facebook, and this is one of the few worms that moves across Facebook.

When you say that they've made a worm that travels across Facebook, does that mean they were the first?

In particular, Koobface was the first to propogate across social networking websites in such a magnitude.

What would a typical scam look like?

It would look like a fake YouTube video screen and would advertise on the Facebook walls of targeted victims. Then when the targets click on it, they would actually download a binary, a piece of software. Then, they would be exposed to fake security software, which is how Koobface monetizes the traffic, by selling fake software that are properties of the Koobface gang.

So someone would think they were going to watch a video, but actually they would be downloading a piece of malware?

Yes, exactly. And what's interesting about Koobface is that they are not exploiting any software flaws, it's social engineering only.

You've exposed Koobface on your blog, and you've published an ad by one of the Koobface leaders selling kittens, selling a BMW car, there's photos of him on vacation in various places around Europe, with a woman who might be his girlfriend, and even his name and address. How did you manage to do this? This is highly unusual to publicize such a high level of personal details, no?

Yes, I know, it took me some efforts to do this. I've been following them for 2.5 years. This guy, the leader, his name is Anton Nikolaevich Korotchenko, but his online nickname is Krotreal. But he made a mistake. He registered a domain using his personal e-mail address, and left it in the command-and-control structure of the botnet, which I was monitoring at the time.

In other words, because - not just criminals - but lots of people use the same nickname across different websites, this guy had used the same user name on this domain that was part of Koobface, you were able to track it do different websites across the Internet, and link an online handle with an actual person.

Yes, I found the same phone number that was used to sell the kittens was also used to sell the BMW, his Facebook account, his VKontakte.ru account, his Foursquare account, his Twitter account, pretty much everything including his name and address. This all happened because he made a simple mistake.

In a way, it seems ironic that Koobface targeted their scams by tricking people into downloading things on Facebook and yet, they themselves were victims of oversharing on social networking sites - perhaps not Facebook, but the Russian equivalent, VKontakte.ru.

Right, exactly. That's very ironic. They thought they were invincible, and they thought no one was following them and they started forgetting they were on everyone's radar, and they made a simple mistake that lead to total exposure.

Interview: Cyrus Farivar
Editor: Stuart Tiffen