ESET has published the results of a detailed analysis

Jan 29, 2013 14:33 GMT

Security firm ESET has presented its analysis of a botnet called PokerAgent. Identified around one year ago, the threat was designed to steal payment information from Facebook users who play Zynga Poker, one of the most popular online poker games in the world.

PokerAgent was mainly active in Israel. In March 2012, it infected at least 800 computers and the attackers’ database contained over 16,000 stolen Facebook credentials.

Once the malware was running on a device, its operators instructed it to log into Facebook accounts using the stolen credentials. It then retrieved the victim's Zynga Poker stats and information about the payment methods saved in the compromised Facebook account.

In order to harvest more Facebook credentials, the Trojan posted links that led to phishing websites on the compromised users’ walls.

Victims were first presented with websites featuring tabloid topics. When the links were clicked, users were taken to a replica of the Facebook login page.

“The code contains a function called ShouldPublish, which determines whether the phishing links should be posted to the user’s wall. That depends on whether the victim has any credit cards linked to his account and his Zynga Poker ranking,” Robert Lipovsky, malware researcher at ESET, explained.

“Apparently, if one of these conditions is met, the attacker considers it a success. If not – no payment details and low Poker ranking – the Trojan seeks other victims.”

Because the botnet was no longer spreading actively by March 2012, when ESET was monitoring it, the researchers have not been able to determine precisely how it propagated, although they assume it was being distributed via Facebook.

The cybercriminals stopped actively spreading this Trojan in February 2012. Israeli CERT and law enforcement have been notified and an investigation has been launched. In the meantime, Facebook has also implemented some measures to mitigate such attacks.