An investigation by Jan Drömer, independent researcher,
and Dirk Kollberg, SophosLabs.
The Koobface gang rent offices on the top floor of this St Petersburg building. Note that there are other companies based in the building who have nothing to do with cybercrime.
Companies are an interesting research subject during an investigation, given that they usually need to be registered with the government or the tax service and fall under specific legislation mandating reports, etc.
Furthermore, they usually maintain public websites, which may provide information about their history, former and current management, or interesting employee testimonials on the careers pages.
In cases where a suspect is believed to be the owner or a shareholder of a company, it will likely be possible to obtain valid identity information, as company registration processes normally require valid identity documents, etc. to be shown.
Even though employees or owners of a company might be involved in malicious activities, this does not automatically imply any involvement whatsoever of the company as such.
The research on MobSoft came to an early end, however, as the domain mobsoft.com was no longer resolving to a corporate website. Querying search engines also remained inconclusive and even complicated matters with multiple entities operating under the name MobSoft.
However, one lead remained: a copyright notice placed on the website incall.ru, claiming the service to be a joint development between UPL Telecom s.r.o and MobSoft Ltd., with the name MobSoft Ltd. pointing to the website mobsoft.eu.
UPL Telecom s.r.o is a Czech company and was either directly or indirectly the hosting provider of the Koobface mothership server.
On the http://www.mobsoft.eu website, MobSoft Ltd. presents itself as a company specializing in software development and distribution of mobile applications and services. According to its website, it operates from two offices, one located within the Czech Republic and one located in St. Petersburg, Russia.
Even though mobsoft.eu was also hosted on the Koobface mothership server, there was no proof that mobsoft.com and mobsoft.eu were related to each other.
Additional research, however, revealed cached artifacts from the defunct mobsoft.com website, such as the company logo and product descriptions such as the “Mobile Casino Management System”, suggesting both to be owned by the same company.
The St. Petersburg address listed on the MobSoft website provides no additional insights, unlike the Czech address. Google Street View shows the address to be located in a residential area of Prague, and search results suggest a flurry of companies are registered at this address, including three Mobsoft entities.
The Czech government maintains an online portal providing easy access to company details such as the business purpose and registered address, as well as details about shareholders and owners.
Registered persons are listed including their dates of birth and passport ID numbers. Reviewing the company details, we found Anton K. as proprietor of one of these companies, suggesting “Krotreal” is indeed Anton K. from St. Petersburg, Russia.
Similar searches were performed against the St. Petersburg company register, as well as the UK and Isle of Man registers. The latter two were searched because forum posts suggested a joint UK & Russian company, with other information suggesting that Compact Disc India acquired MobSoft (Mobile Software Limited) with development centers in both the UK and St. Petersburg. These traces, albeit interesting, remained inconclusive.