The Financial Services Club's Blog

And the flaw is humanity.

Humanity is going to screw up our wirelessly connected planet.

Humanity is going to rebel against the assault of technology.

Why?

Because the technology is messing up our lives.

You are no longer able to keep anything secret.

You do something at university that becomes a huge hit on facebook … then you apply for a job four years later and they say, “aren’t you the guy on facebook?”

You create a viral for youtube about what’s in your underwear … and you get a brown envelope the following day at work with your severance papers.

Even criminals are not immune to this assault.

I was listening to a presentation from Sophos the other day and they told this wonderful story about catching cybercriminals.

The story is legend and is how Sophos tracked down the Koobface gang.

It’s a long story (27 page PDF download), but here’s my summary.

Koobface  (an anagram of “Facebook”) is malware that spreads via social networking sites, infecting PCs and builds a botnet of compromised computers. It is so sophisticated it can even create its own social networking accounts, so that it can aggressively post links helping it to spread further.

This particular botnet does not steal financial information, but it does download pay-to-download software and hijacks search queries in order to find specific pay-to-display adverts.

The thing is that cybercriminals aren’t that cute, and the Koobface gang made a big mistake.

Reading the Sophos report makes for interesting understanding.

A major breakthrough came in December 2009 when the Webalizer statistics tool showed an unusual request to a file named “last.tar.bz2,” which turned out to contain a full daily backup of the Koobface Command & Control software.  

Within these backups, two things were found that gave away who the gang were.

First, a PHP script which was used to submit daily revenue statistics via short text messages to five mobile phones. Unfortunately for the gang, this script included their international prefix +7 identifiers, showing that this was being transmitted to Russian telephone numbers.

There was also an image found within one of the backups. This picture is completely unrelated to the function of the Koobface botnet, but appeared to have been placed there by a Koobface gang member.

What the gang member may not have known is that, unless you turn off location functions, every iPhone picture carries with it metadata that provides the geolocation of where the photograph was taken and, according to the metadata contained within this photo, it was taken with an Apple iPhone with a Latitude of N 59° 55.66' and a Longitude of E 30° 22.11'. This directly points to the centre of St. Petersburg, Russia.

The Sophos investigrators then used this information to start searching for any digital footprint related to these telephone numbers in St. Petersburg, and found that one of them was selling a BMW on an online car auction website, albeit with the number plate hidden.

The same telephone number was also being used to try to sell some lovely fluffy little kittens.

Yes, even criminals like cats.

Trouble is that the gang member has now given an email address: krotreal@****.com.  Although the website domain was hidden, the investigation discovered the name Krotreal was his handle on various websites including Flickr, Netlog, LiveJournal, vkontakte.ru, YouTube, FourSquare, Twitter and more.  This then provided a goldmine of personal information, such as the full number plate for that BMW that was up for sale.  This was a picture on Flickr accompanied by the caption “My little beauty :)”:

Aha!  Now that the investigators had got hold of the number plate of Krotreal, they also had the name and telephone number of the German car-dealer who sold the car, and used that to trace the chain of ownership for the car from that dealer to its current Russian owner.

All well and good, but not enough to get an indictment or conviction for spreading Koobface malware around the world.

So the investigators delved into vkontakte, facebook, twitter and more, and eventually found a reference to Krotreal being the owner of an adult website allcelebrity.ru.

Every website is logged with ownership information, and this website was registered by Krotreal@mobsoft.com.  Surprisingly the Whois details of the website had not been concealed (it is now) and also showed that an Anton K. was the owner, with a St. Petersburg telephone number.

The team now had a name and full email address, and found that MobSoft.com rented offices on the top floor of this St. Petersburg building.

Companies usually need to be registered with the government or the tax service and fall under specific legislation mandating reports.  They usually keep public websites providing information about their history and the former and current management.  This is now making life interesting as a suspect who is the owner or shareholder of a company is easier to find as they are more likely to have filed valid identity information during the company registration processes.

Investigating in depth, the Sophos team found that registered persons were listed for MobSoft, or МобСофт in Cyrillic, and the details included dates of birth and passport ID number confirming that one of the owners was Anton K.

Upon further searches about the company, the team also found a job advert listing another contact.  This time it is an Alexander K. with a telephone number that also was found on the original list of numbers in the PHP script.

Searching in a similar fashion to the searches made about Anton K., the researchers discovered that Alexander K. was also commenting on various vkontakte.ru walls under various nicknames including “floppy”, “megafloppy” and “darkfloppy” (vkontakte is a Russian version of facebook).  This led the investigators to identify another potential gang member, Roman K.

At this point howevr, the trail began to run cold and trying various avenues, most reached a dead end.

That was until the team hit upon Maria K. 

Maria K. was listed as a co-owner of one of the MobSoft companies and luckily her vkontakte profile gave full public access.

Her profile not only gave the team access to a list of all of her friends but also many tagged photos of them.  They found that not only was Roman K. on her friend list, but that Maria and Roman K. were married with a daughter. 

They also found that the family spent their holidays with Anton K., suggesting a fairly close relationship between them. The links also led them to identify two more gang members: Syvatoslav P., and Stanislav A.

A painstaking research project, with most of the information showing that social networking is just as dangerous for a cybercriminal as it is for an honest citizen.

Sophos eventually handed all their research on the gang to law enforcement authorities … but no charges have been brought to date because, as with all cybercrime, when the victims are in one country, the servers in another rand the perpetrators in a third, it’s pretty hard to get any indictment.

Shame.

But I recount the story as this is a corollary of one I wrote up a while ago about Aaron Barr, former head of cybersecurity at America’s leading digital security company HBGary.

And you can also read the whole story about the Koobface sting at the Sophos Website.

Oh, and just to finish off, here’s the Koobface gang’s annual holiday snaps.

Nice!