The login details of more than 16,000 Facebook users were stolen by the PokerAgent botnet during 2011 and 2012, according to IT security firm Eset.
While the Trojan now appears to be inactive, the analysis shows how botnets have changed strategy by targeting social networking sites.
According to Robert Liposky, a malware research at Eset, the threat was mostly active in Israel. It is understood that 800 computers were infected, and 16,194 Facebook credentials stolen.
The code suggests the attacker seeks out Facebook users who have something of value.
He said the botnet was designed to harvest Facebook log-on credentials, and collect credit card information linked to Facebook accounts and Zynga Poker player stats, presumably with the intention to mug the victims.
It was discovered about a year ago, said Liposky. An analysis of the source code found it was written in C#, making it easy to decode.
The botnet does not log into the infected user's Facebook account, he revealed. "The botnet serves rather as a proxy, so that the illegal activities (the tasks given to bots) are not carried out from the perpetrator's computer," said Liposky.
Using an existing stolen Facebook username and password, the botnet logs into a compromised account and browses to secure.facebook.com/settings?tab=paymentsion=methods'.
It then searches for the string You have X payment methods saved', and directs the relevant info back to the command and control server.
In doing so, the credentials database becomes one listing potentially valuable Facebook victims.
The credentials database is enlarged by a 'ShouldPush' function in the malware.
"Immediately after we had gathered solid information on these criminal activities, we cooperated with both the Israeli CERT and Israeli law enforcement," said Liposky.
"The details of the investigation cannot be disclosed for reasons of confidentiality."
With the botnet largely inactive for now, Liposky could only speculate how the attacker abused the harvested data.
"The code suggests the attacker seeks out Facebook users who have something of value, worth stealing determined by the Poker stats and credit card details saved in their Facebook account.
"Later, the attacker can simply abuse the credit card information themselves or they may sell the database to other criminals," he said.
-
HSBC says get back to the office or risk bonuses – and history shows it’s a tactic that might backfireNews HSBC is the latest in a string of financial services firms hoping to tempt workers back to the office.
-
Python’s popularity shows no signs of fading – here’s why software developers love itNews Python remains highly popular among developers for a number of key reasons, experts told ITPro.
-
Seized database helps Europol snare botnet customers in ‘Operation Endgame’ follow-up stingNews Europol has detained several people believed to be involved in a botnet operation as part of a follow-up to a major takedown last year.
-
Horabot campaign targeted businesses for more than two years before finally being discoveredNews The newly-discovered Horabot botnet has attacked companies in the accounting, investment, and construction sectors in particular
-
Brand-new Emotet campaign socially engineers its way from detectionNews This latest resurgence follows a three-month hiatus and tricks users into re-enabling dangerous VBA macros
-
Latest Meta GDPR fine brings 12-month total to more than €1 billionNews Meta was issued with two hefty GDPR fines for “forcing” users to consent to data processing
-
"Unacceptable" data scraping lands Meta a £228m data protection fineNews The much-awaited decision follows the scraping of half a billion users' data and received unanimous approval from EU regulators
-
Microsoft says “it’s just too difficult” to effectively disrupt ransomwareNews The company details its new approach to combatting cyber crime as the underground industry drains $6 trillion from the global economy
-
Meta notifies around 1 million Facebook users of potential compromise through malicious appsNews The vast majority of apps targeting iOS users appeared to be genuine apps for managing business functions such as advertising and analytics
-
Beating the bad bots: Six ways to identify and block spam trafficIn-depth Not all traffic is good. Learn how to prevent bad bots from overrunning your website
