Koobface Makes a Comeback | WhoisXML API

Threat Reports

Koobface Makes a Comeback

The infamous Koobface Gang1 is possibly causing malware mayhem again. After Facebook and cybersecurity researchers unmasked the perpetrators back in 2012, the gang members shut down their servers in a bid to avoid capture.2

After almost a decade, the gang may be back. WhoisXML API threat researcher Dancho Danchev uncovered artifacts possibly alluding to the Koobface Gang’s comeback. His deep dive into the threat revealed:

  • Close to 6,000 domains registered using the said email addresses, close to 50 of which turned out to be malicious
  • Nearly 40 IP addresses to which the domains resolved, one of which has been dubbed “malicious” by various malware engines
  • Close to 700 possibly connected domains, as they shared the IP addresses of the original list of domains, one of which has been named a malware host
  • A majority of the domains pointed to car sales, co-working and co-living space rental, and product and service provider pages, possibly indicating new targets

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1] https://www.nytimes.com/2012/01/17/technology/koobface-gang-that-used-facebook-to-spread-worm-operates-in-the-open.html
  • [2] https://www.nbcnews.com/id/wbna46060605
Try our WhoisXML API for free
Get started