Koobface Makes a Comeback | WhoisXML API

Koobface Makes a Comeback

The infamous Koobface Gang [1] is possibly causing malware mayhem again. After Facebook and cybersecurity researchers unmasked the perpetrators back in 2012, the gang members shut down their servers in a bid to avoid capture. [2]

After almost a decade, the gang may be back. WhoisXML API threat researcher Dancho Danchev uncovered artifacts possibly alluding to the Koobface Gang’s comeback. His deep dive into the threat revealed:

  • Close to 6,000 domains registered using the said email addresses, close to 50 of which turned out to be malicious
  • Nearly 40 IP addresses to which the domains resolved, one of which has been dubbed “malicious” by various malware engines
  • Close to 700 possibly connected domains, as they shared the IP addresses of the original list of domains, one of which has been named a malware host
  • A majority of the domains pointed to car sales, co-working and co-living space rental, and product and service provider pages, possibly indicating new targets

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1] https://www.nytimes.com/2012/01/17/technology/koobface-gang-that-used-facebook-to-spread-worm-operates-in-the-open.html
  • [2] https://www.nbcnews.com/id/wbna46060605