Archive for January, 2012

The Koobface malware gang – exposed!

An investigation by Jan Drömer, independent researcher,
and Dirk Kollberg, SophosLabs.

On 17 January 2012, The New York Times revealed that Facebook plans to name five men as being involved in the Koobface gang. As a result of the announcement, we have decided to publish the following research, which explains how we uncovered the same names.

Introduction: there ain’t no perfect (cyber)crime

The Koobface botnet – a product of the self-proclaimed “Ali Baba & 4” or “Koobface Gang” – has been terrorizing millions of internet users since mid-2008 and continues to do so up to the present day, despite multiple takedown efforts.

The research below, conducted by independent researcher Jan Drömer and Dirk Kollberg of SophosLabs, is focused on the suspects behind one of the largest cybercrime threats in recent years and the process of their identification.

Research into the suspects was mainly conducted from early October 2009 until February 2010 and has since been made available to various international law enforcement agencies.

As in real life, a perfect (cyber)crime is something of a myth. The simple truth is that today’s cybercrime landscape is aimed at achieving maximum revenue with minimal investment, and that implies a certain level of accepted imperfection.

It is this imperfection, paired with a sense of “criminal arrogance” and an uncontrollable threat environment such as the internet, that ultimately led to the identification of multiple suspects forming the “Koobface gang”.

Worm steals 45,000 Facebook login credentials, infects victims’ friends

A worm previously used to commit financial fraud is now stealing Facebook login credentials, compromising at least 45,000 Facebook accounts with the goals of transmitting malicious links to victims’ friends and gaining remote access to corporate networks.

The security company Seculert has been tracking the progress of Ramnit, a worm first discovered in April 2010, and described by Microsoft as “multi-component malware that infects Windows executable files, Microsoft Office files and HTML files” in order to steal “sensitive information such as saved FTP credentials and browser cookies.” Ramnit has previously been used to “bypass two-factor authentication and transaction signing systems, gain remote access to financial institutions, compromise online banking sessions and penetrate several corporate networks,” Seculert says.

Recently, Seculert set up a sinkhole and discovered that 800,000 machines were infected between September and December. Moreover, Seculert found that more than 45,000 Facebook login credentials, mostly in the UK and France, were stolen by a new variant of the worm.

“We suspect that the attackers behind Ramnit are using the stolen credentials to log-in to victims’ Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware’s spread even further,” Seculert said. “In addition, cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks.”