How PokerAgent botnet has stolen Facebook credentials

Pierluigi Paganini January 31, 2013

We never tire of repeating, social networks are an ideal conduit, due their large diffusion, for the spread of malware, they are used by cybercrime to realize complex fraud schema and by military to conduct offensive operations or cyber espionage campaigns. ESET Security Research has published an interesting analysis on the ‘PokerAgent’ botnet detected during 2012 that hit Facebook users stealing log-on credentials and collecting information on credit card details linked to the Facebook account and Zynga Poker player stats.

The botnet infected computers all around the world, mainly located in Israel stealing over 16194 Facebook credentials.

“Our tracking of the botnet revealed that at least 800 computers have been infected with the Trojan and that theattacker had at least 16194 unique entries in his database of stolen Facebook credentials by March 20, 2012”




It adopted a consolidated schema providing a link to the victims would lead to a compromised webpage, the pages featured tabloid topics which a user could be curious to click on. Users are anyway redirected to a fake Facebook login page used to collect user’s credentials.

Very interesting the logic implemented in malware code that uses a funcion dubbed ShouldPublish to determine whether the phishing links should be posted to the user’s wall depending on whether the victim has any credit cards linked to his account and his Zynga Poker ranking.

The ESET researchers noted that the malware does not log into or in any way interfere with the Facebook account of the victim, the tasks given to bots are not carried out from the attacker’s computer.

Having said that, the aforementioned facts lead us to the conclusion that the purpose of the botnet is to:

  • Expand the database of stolen Facebook usernames and passwords
  • Update the database: pair the credentials with information on the user’s Zynga Poker stats and their saved credit cards.

Probably attacker are interested to collect credit card information ro successively sell the database to other criminals.


The ‘PokerAgent’ isn’t the unique malware-based attack that exploits social media, to avoid to be victim of similar fraud it is suggested to use updated defense system and to take proper conduct in the use of social networks.
Fortunately principal social media platform are implementing a series of countermeasure to mitigate cyber threats such as two-factor authentication to prevent the infected bots from logging into the victim Facebook accounts.

Pierluigi Paganini

you might also like

leave a comment