Eset claims PokerAgent botnet stole 16,000 Facebook logins

published 30 January 2013

The login details of more than 16,000 Facebook users were stolen by the PokerAgent botnet during 2011 and 2012, according to IT security firm Eset.

While the Trojan now appears to be inactive, the analysis shows how botnets have changed strategy by targeting social networking sites.

According to Robert Liposky, a malware research at Eset, the threat was mostly active in Israel. It is understood that 800 computers were infected, and 16,194 Facebook credentials stolen.

The code suggests the attacker seeks out Facebook users who have something of value.

He said the botnet was designed to harvest Facebook log-on credentials, and collect credit card information linked to Facebook accounts and Zynga Poker player stats, presumably with the intention to mug the victims.

It was discovered about a year ago, said Liposky. An analysis of the source code found it was written in C#, making it easy to decode.

The botnet does not log into the infected user's Facebook account, he revealed. "The botnet serves rather as a proxy, so that the illegal activities (the tasks given to bots) are not carried out from the perpetrator's computer," said Liposky.

Using an existing stolen Facebook username and password, the botnet logs into a compromised account and browses to secure.facebook.com/settings?tab=paymentsion=methods'.

It then searches for the string You have X payment methods saved', and directs the relevant info back to the command and control server.

In doing so, the credentials database becomes one listing potentially valuable Facebook victims.

The credentials database is enlarged by a 'ShouldPush' function in the malware.

"Immediately after we had gathered solid information on these criminal activities, we cooperated with both the Israeli CERT and Israeli law enforcement," said Liposky.

"The details of the investigation cannot be disclosed for reasons of confidentiality."

With the botnet largely inactive for now, Liposky could only speculate how the attacker abused the harvested data.

"The code suggests the attacker seeks out Facebook users who have something of value, worth stealing determined by the Poker stats and credit card details saved in their Facebook account.

"Later, the attacker can simply abuse the credit card information themselves or they may sell the database to other criminals," he said.

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.