Koobface is the name of a piece of malware and the cybercriminal gang behind it that gained infamy in the late 2000s.

As a malware variant, Koobface emerged in 2008. It spread via social media platforms, notably Facebook, hence its name—a palindrome of the social networking site’s name.

The Koobface gang, meanwhile, is believed to have five Russian members. They called themselves “Ali Baba & 4.” They were Anton Korotchenko, also known as “KrotReal”; Stanislav Avdeyko, AKA “leDed”; Svyatoslav E. Polichuck, AKA “PsViat” and “PsycoMan”; Roman P. Koturbach, AKA “PoMuc”; and Alexander Koltysehv, AKA “Floppy.”

Read More about Koobface

Koobface’s heyday lasted from 2008 to around 2016. Here’s a timeline showing its history.

Koobface history

How Does Koobface Work?

A Koobface infection starts when a user clicks a video link embedded in a social media private message, status update, or post. The message is designed to entice the user to watch the video. The user tricked into doing so is prompted to install an executable file, typically a fake Adobe Instant Player installer that’s a Koobface component downloader.

When installed, Koobface collects the user’s login information for File Transfer Protocol (FTP) sites, Facebook, Skype, and other social media platforms, along with sensitive financial data. Infected computers also become part of a peer-to-peer (P2P) botnet that sends the same message (i.e., Koobface lure) to the affected user’s contacts to further expand the botnet.

More advanced Koobface variants install additional pay-per-install (PPI) malware on compromised computers. They also hijack affected users’ search queries to display relevant ads.

Watch this video for more details.

How Dangerous Is Koobface?

In its heyday—between 23 June 2009 and 10 June 2010—the Koobface gang earned US$2,067,682.69. Half of this came from their rogue antivirus business, while the remaining sum originated from their pay-per-click (PPC) endeavors.

What Platforms Did Koobface Abuse?

Apart from Facebook, the Koobface gang also went after the users of the following platforms:

  • YouTube: Host fake videos that ask users to install the Koobface component downloader.
  • MySpace and Twitter: Send messages to potential targets.
  • Skype and Yahoo! Messenger: Send messages to potential targets.
  • Gmail, Yahoo! Mail, and AOL Mail: Send messages to potential targets.
  • Microsoft Windows, Mac OS X, and Linux: The operating systems (OSs) Koobface affected.

What Are Some Koobface Facts Many May Not Know About?

While several studies have been published about both the Koobface malware and gang, many may not know that:

  • The Koobface gang is connected to or probably maintains the Bahama botnet, which gained infamy for redirecting traffic to a fake Google site that pushes pharmaceutical ads to monetize the hijacked traffic.
  • The gang was behind the malvertising attack targeting the New York Times website in September 2010.
  • The gang was responsible for a massive scareware campaign that affected more than 1 million websites in November 2009.
  • The gang monetized Mac OS X traffic through adult dating and Russian online movie marketplaces.
  • The gang sent Christmas greetings to the cybersecurity researchers who published reports about them in 2009.

How Were the Koobface Gang Members Exposed?

Facebook received so much flak for serving as the Koobface gang’s first playground. And it took some time for cybersecurity researchers and the platform to identify them. In fact, it was also criticized for how it resolved the issue—via public shaming.

Who Are the Alleged Koobface Gang Members, and Where Are They Now?

Five Russian nationals were publicly named as alleged members of the Koobface gang in 2012, namely:

  • Anton Korotchenko, AKA “KrotReal”: Still at large but not part of the Federal Bureau of Investigation (FBI) Most Wanted—Cyber.
  • Stanislav Avdeyko, AKA “leDed”: Still at large but not part of the FBI Most Wanted—Cyber.
  • Svyatoslav E. Polichuck, AKA “PsViat” and “PsycoMan”: Still at large but not part of the FBI Most Wanted—Cyber.
  • Roman P. Koturbach, AKA “PoMuc”: Still at large but not part of the FBI Most Wanted—Cyber.
  • Alexander Koltysehv, AKA “Floppy”: Still at large but not part of the FBI Most Wanted—Cyber.

While Koobface has become easy to address, no one has been charged for stealing millions of dollars from its victims.

Key Takeaways

  • Koobface is the name of a piece of malware and the cybercriminal gang behind it that gained infamy in the late 2000s.
  • In its heyday—between 23 June 2009 and 10 June 2010—the Koobface gang earned US$2,067,682.69. Half of this came from their rogue antivirus business, while the remaining originated from their PPC endeavors.
  • YouTube, MySpace, Twitter, Skype, Yahoo! Messenger, Gmail, Yahoo! Mail, AOL Mail, Microsoft Windows, Mac OS X, and Linux have been abused by the Koobface gang for their malicious campaigns.