An investigation by Jan Drömer, independent researcher,
and Dirk Kollberg, SophosLabs.
Just as first and last names are the key to a person’s identity in real life, so nicknames serve that purpose online.
Usually nicknames are life-long once chosen, and often have trust and reputation associated with them. This holds especially true for the underground economy were no-one is using their real identity in communications, yet there is a need to distinguish between those that offer reliable cybercrime services and those who don’t.
Although some criminals use multiple nicknames or variations, they are forced to retain them to a certain extent to remain identifiable within the cybercrime ecosystem.
One may think that cybercriminals would “clean” all their profiles, but this is often not the case. There are several contributing factors to this, the most simple being for example that old profiles might have been simply forgotten or others may have all of a sudden become public due to a terms-of-service change.
Identifying such profiles at various social or Web 2.0 websites is easily possible through search engines or services like namechk.com or knowem.com. While these website are intended to help users with choosing a unique nickname not occupied by other users or to maintain their digital identities, they are in turn highlighting all those services used by a particular nickname.
This is exactly what we can use to our advantage in order to identify potential profiles containing additional information. Care must be taken during the analysis, of course, as profiles may belong to other individuals using the same nickname, or may even be intentionally forged.
In the case of the nickname “Krotreal” profiles at Flickr, Netlog, LiveJournal and later during the investigation vkontakte.ru, YouTube, FourSquare, Twitter, etc. could be identified.
This shows the importance of a repeatedly searching over several weeks.
All of these profiles were investigated for information leading to the real identity of “Krotreal”. Profiles time and time again showed the name Anton, various email addresses, hobbies, references to St. Petersburg and an ICQ number.
Some of these profiles even contained portraits of “Krotreal”, providing another linking pin between the profiles, similar to the reappearing avatar pictures used within the profiles.
Access levels to individual profiles generally varies. The Flickr photo streams, for instance, aren’t publicly accessible in this case. Nonetheless it is generally advisable to perform tailored searches against the profile using various search-engines, as there might be historic information cached by the search engine, or deep-links to profile information not show as it is the case with Flickr. One of the images turned up by a search showed a car with the same numberplate as discussed above and a caption “My little beauty :)”.
Images in themselves may contain vital information, e.g. in this case the licence plate is framed with the name and and phone number of a German car-dealer, which could be used to trace the ownership chain of the car from that dealer towards it current owner.
Yet another photo of his Flickr profile shows him holding a Sphynx cat, which is an additional indication to the identity of “Krotreal” with regards to the kitten forum post discussed above.
While most of the profiles contain similar information, one is of additional interest as it references the website “www.<omitted>.ru” as belonging to “Krotreal” with the same holding true for his ICQ account.
This page is an adult website. Surprisingly enough it appears the Whois details of the website had not been concealed, listing an Anton K., with a St. Petersburg telephone number as owner of the domain. Yet the accuracy of Whois details must be treated with care.
Querying Whois data for the Domain verybest.org, which is used to provide name services for http://www.<omitted>.ru, reveals yet another email address (“Krotreal@mobsoft.com”) indicating that “Krotreal” was in one way or the other affiliated with this company.
Note: Later during the investigation hosting of http://www.<omitted>.ru moved to the IP address of the Koobface Mothership – 126.96.36.199.
Of special interest are of course social networks like Facebook or vkontakte.ru as they allow the identification of family members, friends and colleagues in case the profiles are publicly accessible.
The profile of “Krotreal” was initially very restricted, only allowing access by his friends. This situation changed over time, again a reminder for investigators to recheck such profiles from time to time.
Although the profile wasn’t accessible initially, “Krotreal” posted links to photos within his profile on his Twitter account, thereby making these pictures publicly available.
Although the pictures are interesting by itself, given that they reveal travel activities, etc., more interesting are the comments made by other vkontakte.ru users.
Considering that the profile itself is restricted to the effect that only his friends have full access, these comments are especially useful to determine social relations and may thus provide clues related to the other actors behind Koobface, assuming that they know each other and are probably connected via social networks.
Unfortunately no such references could be found, however one comment made by Olesya L. is of particular interest due to the fact that she has a more accessible vkontakte.ru profile with several accessible photo albums. Further analysis of these photo sets portrayed both Anton K. and Olesya L. together on several occasions, suggesting that they are a couple.
While it was possible to elaborate “Krotreal’s” social relations in more detail, no additional evidence confirming his identity could be obtained. Although it is suggested that “Krotreal” is in fact Anton K. further proof is necessary to substantiate this conclusion.
Obtaining proof of an identity is a difficult task, given that profiles, Whois data, etc. can be forged. Fortunately enough one of the found email addresses suggests that Anton K. was or is affiliated either as freelancer, employee or even as owner with a company called MobSoft.
Next: Inside the Koobface firmFollow @SophosLabs