The Koobface Gang gained notoriety from 2008 to the 2010s for spreading malware via Facebook and other social networks. Believe it or not, the gang amassed millions of dollars from their online scams while hiding in plain sight in St. Petersburg, Russia. After being publicly identified in 2012, the gang members shut down their operations.

A decade has passed since then but the gang or at least one or a couple of its members is back to doing no good. WhoisXML API threat researcher Dancho Danchev uncovered tons of web properties owned by the Koobface gang. His in-depth investigation beginning with two email addresses led to the discovery of:

• Close to 6,000 domains registered using the said email addresses, close to 50 of which turned out to be malicious
• Nearly 40 IP addresses to which the domains resolved, one of which has been dubbed “malicious” by various malware engines
• Close to 700 possibly connected domains, as they shared the IP addresses of the original list of domains, one of which has been named a malware host
• A majority of the domains pointed to car sales, co-working and co-living space rental, and product and service provider pages

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Research Findi

Danchev began his deep dive with two email addresses believed to belong to a member or two of the Koobface Gang. Reverse WHOIS searches for these addresses led to the discovery of 5,927 domains, 48 of which have been tagged “malicious” based on a bulk malware check via Threat Intelligence Platform (TIP).

It’s interesting to note that a huge majority of the domains were old according to bulk WHOIS lookup results. Most were registered in 2011, during the Koobface Gang’s heyday. And only four were newly registered. If the gang is indeed back, they may have decided to just revive their existing infrastructure instead of starting from scratch. Or they made it a point to use aged domains to evade immediate detection and blocking.

Careful scrutiny of the sites hosted on the domains via screenshot lookups showed that 5,626 or 95% were active. While a huge majority led to parked pages, some led to live sites—which could now pertain to legitimate owners as part of domain buying and selling transactions, or still be linkable to the gang.

A bulk IP geolocation lookup, meanwhile, showed that these domains resolved to 37 unique IP addresses, most of which originated in Germany. Of the hosts, one—104[.]247[.]81[.]51—was dubbed “malicious” based on TIP malware checks.

Reverse IP lookups for the IP addresses helped uncover an additional 682 possibly connected domains, especially since all of them seemed to be dedicated hosts. One of these—ttuurrbboo[.]org—turned out to be malicious.

If the Koobface Gang has indeed risen back, they may have decided to reuse their old infrastructure. And if the sites they’re using to lure victims in provide any clue, they’re possibly going after people in search for a new car, co-living or co-working space, or service or product providers. Anyone who falls under these target categories should definitely be wary of the suspicious and outright malicious web properties identified in this report.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.