VANCOUVER -- The malware gang behind the Koobface malware attacks on social networks raked in about $35,000 a week ($1.8 million a year) in 2009, according to Facebook security researcher Nick Bilogorskiy.
During a keynote address at the Virus Bulletin 2010 conference here, Bilogorskiy said the Koobface gang controls a massive botnet that's "in a perpetual state of development" and combines clever social engineering -- and technological -- techniques to make money from the sale of fake security software (scareware).
Bilogorskiy offered a peek into some of the malicious activity squirming through the world's most popular social network, stressing that the company has set up a dedicated security response team to monitor and block incoming malware attacks.
While the activity of the Koobface gang dominated his presentation, Bilogorskiy said Facebook is a target of many different threats -- from rogue apps to clickjacking to Nigerian 419 advance fee scams.
"Most things that deliver value have risks. Those risks need to be managed, not avoided," Bilogorskiy said.
He said a dedicated team of Facebook staffers look for malicious apps but acknowledged that some slip through the cracks.
Bilogorskiy said the emergence of Nigerian (advance fee) fraud on Facebook was a turning point that proved that scammers were quickly adapting to find new victims. He said the Nigerian scammers were stealing Facebook accounts and using the site's live chat utility to chat with the victim's friends and ask for money transfers.
"They're usually stuck in London. Lost their phone. Lost their wallet. It's human versus human. Users get too jaded to be fooled so the scammers adapt. It's all about good social engineering," he added.
"These [Nigerian/419] are one of the top threats facing us. We spend significant resources dealing with it."
Bilogorskiy said Facebook's security team is investing in several counter-measures to identify and block malicious threat, noting that these defenses are "invisible" to end users. "You only see a very small percentage of the attacks that are attempted on Facebook users," he added.
The company has a global moderation team (in the USA and Dublin, Ireland) that's monitoring user feedback on security and is experimenting with new ideas to fight phishing attacks that hijack Facebook usernames and passwords.
For example, Facebook can spot logins from suspicious places and ask for additional information before the login in permitted. "We'll confirm your identity via cell phone and allow you to review recent logins and reset your passwords," he explained.
The company is also testing a "social authentication" feature that displays photographs of friends and asks the user to identify the persons tagged in the photographs. "It's not perfect but we're still testing and tweaking to improve effectiveness," Bilogorskiy said.
Also read this article by Paul Roberts, who interviewed Bilogorskiy after his Virus Bulletin presentation.