Updated 1/17/2012 4:15:57 PM ET

Researchers have named five Russian cybercriminals believed to be responsible for operating the Koobface worm, which has wreaked havoc on Facebook since 2008, spreading fake anti-virus ads and hijacking Web searches. The public shaming, however, isn't likely to make a dent in the overwhelming number of scams Facebook users deal with every day, at least until the law catches up with the suspected crooks.

The identities of the five men — Anton Korotchenko, Alexander Koltyshev, Roman Koturbach, Svyatoslav Polichuk and Stanislav Avdeyko — were uncovered by Facebook's security team along with independent researchers Jan Drömer and Dancho Danchev, and Dirk Kollberg of the security firm Sophos. (The New York Times was the first to publish the full names of all the members of the "Koobface gang.")

From Oct. 2009 to Feb. 2010, Drömer and Kollberg tracked the worm's operators, who used Koobface (an anagram of Facebook) primarily to spread advertisements for fake anti-virus software. The group netted at least $2 million since its inception in 2008. (Danchev has run a parallel investigation.)

Facebook issued its own statement on the identification of the Koobface gang Tuesday afternoon. It said, "While we have been able to keep Koobface off Facebook, we won't declare victory against the virus until its authors are brought to justice." Koobface, Facebook said, has not been spotted on Facebook for more than nine months.

Authorities have not filed any charges against the suspected criminals.

Naming does not equal punishment

The information that led Facebook to unmask the Koobface gang's members was shared with authorities years ago, and while the suspected criminals' names may now be public, as are tales of their lavish vacations to Bali, Turkey and Monte Carlo, there's a gap separating the naming of the gang from any real punishment.

"We know that cybercrime investigations can take a long time, but the ball is really in the Russian police's court to take action now," Graham Cluley, senior technology consultant with the security firm Sophos, told SecurityNewsDaily.

Cybercriminal investigations, Cluley said, often take years, and, as in cases like this one and Operation 'Trident Tribunal', a two-year hunt for scareware crooks that employed the coordinated efforts of the FBI and law enforcement from 11 countries, authorities have to navigate a terrain ridden with legal loopholes.

Russia is the 'dark side of the moon'

"The crooks, the victims and the evidence are typically distributed through many legal jurisdictions," Cluley said. "This makes coordinating investigations, charges and prosecutions much more complex than handling crimes which happened in one city or country."


The five men responsible for running the botnet that infected between 400,000 and 800,000 computers since 2008 may be especially difficult to bring to justice given their home turf.

"Sadly, Saint Petersburg might as well be on the dark side of the moon," said Cluley. "It's very hard for the authorities in the U.S.A. and U.K. to influence the Russian authorities."

The cart before the horse

Unmasking the Koobface gang may have been a hasty decision, and one that could force the group to adapt, and even thrive, by shifting its tactics.

"This kind of disclosure generally doesn't help law enforcement," Roel Schouwenberg, senior researcher for the security company Kaspersky Lab, told SecurityNewsDaily. "The Koobface authors are now informed and can go into hiding and/or change-up their game, which will be no problem given their financial situation. I'm strongly convinced that this type of attribution research should only be disclosed after charges have been pressed, not before."

To Facebook's credit, Schouwenberg said the social network "has been good responding to new threats and coming up with measures to combat them."

Will this affect Facebook?

There's no way to predict if shining a light on the Koobface criminals will change day-to-day operations on Facebook, a site that, given its overwhelming popularity, is a petri dish of threats and scams aimed at disarming unsuspecting users.

"Koobface or no Koobface, new threats will emerge on Facebook and security will evolve accordingly," Schouwenberg said.

Cluley agreed, adding, "Anything which takes cybercriminals offline has to be good for the entire Internet community, not just Facebook users. However, if the Koobface gang was permanently put out of business it would be a brave man who betted that there wouldn't be other criminals waiting to take their place."

Both experts said only time will tell if the public exposure of the notorious criminal gang members will deter future scammers from following in their ranks.

© 2012 SecurityNewsDaily. All rights reserved

