Eset claims PokerAgent botnet stole 16,000 Facebook logins

News 30 Jan, 2013

Attackers demonstrate ability to commit large-scale Facebook theft.

The login details of more than 16,000 Facebook users were stolen by the PokerAgent botnet during 2011 and 2012, according to IT security firm Eset.

While the Trojan now appears to be inactive, the analysis shows how botnets have changed strategy by targeting social networking sites.

According to Robert Liposky, a malware research at Eset, the threat was mostly active in Israel. It is understood that 800 computers were infected, and 16,194 Facebook credentials stolen.

The code suggests the attacker seeks out Facebook users who have something of value.

He said the botnet was designed to harvest Facebook log-on credentials, and collect credit card information linked to Facebook accounts and Zynga Poker player stats, presumably with the intention to mug the victims.

It was discovered about a year ago, said Liposky. An analysis of the source code found it was written in C#, making it easy to decode.

The botnet does not log into the infected user's Facebook account, he revealed. “The botnet serves rather as a proxy, so that the illegal activities (the tasks given to bots) are not carried out from the perpetrator’s computer,” said Liposky.

Using an existing stolen Facebook username and password, the botnet logs into a compromised account and browses to ‘secure.facebook.com/settings?tab=payments§ion=methods’.

It then searches for the string ‘You have X payment methods saved’, and directs the relevant info back to the command and control server.

In doing so, the credentials database becomes one listing potentially valuable Facebook victims.

The credentials database is enlarged by a ’ShouldPush’ function in the malware.

“Immediately after we had gathered solid information on these criminal activities, we cooperated with both the Israeli CERT and Israeli law enforcement,” said Liposky.

“The details of the investigation cannot be disclosed for reasons of confidentiality.”

With the botnet largely inactive for now, Liposky could only speculate how the attacker abused the harvested data.

“The code suggests the attacker seeks out Facebook users who have something of value, worth stealing – determined by the Poker stats and credit card details saved in their Facebook account.

"Later, the attacker can simply abuse the credit card information themselves or they may sell the database to other criminals,” he said.