Categories: MalwareSecuritySocial Networks

How PokerAgent botnet has stolen Facebook credentials

We never tire of repeating, social networks are an ideal conduit, due their large diffusion, for the spread of malware, they are used by cybercrime to realize complex fraud schema and by military to conduct offensive operations or cyber espionage campaigns. ESET Security Research has published an interesting analysis on the ‘PokerAgent’ botnet detected during 2012 that hit Facebook users stealing log-on credentials and collecting information on credit card details linked to the Facebook account and Zynga Poker player stats.

The botnet infected computers all around the world, mainly located in Israel stealing over 16194 Facebook credentials.

“Our tracking of the botnet revealed that at least 800 computers have been infected with the Trojan and that theattacker had at least 16194 unique entries in his database of stolen Facebook credentials by March 20, 2012”

It adopted a consolidated schema providing a link to the victims would lead to a compromised webpage, the pages featured tabloid topics which a user could be curious to click on. Users are anyway redirected to a fake Facebook login page used to collect user’s credentials.

Very interesting the logic implemented in malware code that uses a funcion dubbed ShouldPublish to determine whether the phishing links should be posted to the user’s wall depending on whether the victim has any credit cards linked to his account and his Zynga Poker ranking.

The ESET researchers noted that the malware does not log into or in any way interfere with the Facebook account of the victim, the tasks given to bots are not carried out from the attacker’s computer.

Having said that, the aforementioned facts lead us to the conclusion that the purpose of the botnet is to:

Expand the database of stolen Facebook usernames and passwords
Update the database: pair the credentials with information on the user’s Zynga Poker stats and their saved credit cards.

Probably attacker are interested to collect credit card information ro successively sell the database to other criminals.

The ‘PokerAgent’ isn’t the unique malware-based attack that exploits social media, to avoid to be victim of similar fraud it is suggested to use updated defense system and to take proper conduct in the use of social networks.
Fortunately principal social media platform are implementing a series of countermeasure to mitigate cyber threats such as two-factor authentication to prevent the infected bots from logging into the victim Facebook accounts.

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.