Social engineering tactics of the Koobface botnet
Fake "Your version of Flash player is out of date" message
Among the earliest and most popular spoofing attempts done by the Koobface gang.
Social engineering tactics for hire
The process of coming up with legitimate-looking spoofs of known applications or web sites has already been monetized. In this case, the underground seller is offering a fake Adobe Flash Updater tool.
Koobface October 2009 YouTube spoof
The Koobface gang has introduced a new template, this time spoofing Adobe’s Flash Updater tool.
Koobface botnet using unlicensed software
The latest Koobface malware campaign is using an unlicensed copy of HyperSnap6, resulting in a “buy a license” stamp embedded on every infected host.
Koobface experimenting with Bloglines
The Koobface gang has been “shooting into the dark” on several occasions so far. Experiments include the use of Bloglines, where automatically registered accounts were in brief circulation in a 2008 campaign.
Fake "This content requires Adobe Flash Player 10.37" message
Yet another attempt by the Koobface gang to differentiate the already known combination of a YouTube spoof and an outdated Adobe Flash Player template.
Another "This content requires Adobe Flash Player 10.37" message
The same template, this time using a different avatar of the user.
Koobface botnet spoof of Facebook - "Flash Player upgrade required"
This template, still in circulation, presents the user with a legitimate-looking Facebook video page which always remains static because it is basically a screenshot of the real one.
Scareware affiliate network used by Koobface botnet
Starting in late September 2009, the Koobface botnet became a major player in the scareware business model by including a pop-up script on each and every one of the hundreds of thousands of infected hosts. Rotating the scareware domains every 24 hours results in a lower detection rate, which helps them better monetize the botnet.
Koobface using "My computer Online Scan" scareware template
The Koobface botnet is using a slightly modified template of the most popular scareware theme, the “My computer Online Scan”.
Koobface botnet on Twitter
Periodically, the Koobface botnet attempts to exploit the micro-blogging service by tweeting Koobface-serving URLs on behalf of already infected users with Twitter accounts. The gang behind the Koobface botnet is, on the other hand, systematically abusing Twitter, Linkd, Scribd and many other related services.
Koobface botnet on Twitter - statistics
On a daily basis, hundreds of thousands of users visit the web sites maintained by the Koobface gang. This screenshot showcases a click-through rate for one of their Twitter campaigns.