Eset claims PokerAgent botnet stole 16,000 Facebook logins
Attackers demonstrate ability to commit large-scale Facebook theft.


The login details of more than 16,000 Facebook users were stolen by the PokerAgent botnet during 2011 and 2012, according to IT security firm Eset.
While the Trojan now appears to be inactive, the analysis shows how botnets have changed strategy by targeting social networking sites.
According to Robert Liposky, a malware research at Eset, the threat was mostly active in Israel. It is understood that 800 computers were infected, and 16,194 Facebook credentials stolen.
The code suggests the attacker seeks out Facebook users who have something of value.
He said the botnet was designed to harvest Facebook log-on credentials, and collect credit card information linked to Facebook accounts and Zynga Poker player stats, presumably with the intention to mug the victims.
It was discovered about a year ago, said Liposky. An analysis of the source code found it was written in C#, making it easy to decode.
The botnet does not log into the infected user's Facebook account, he revealed. "The botnet serves rather as a proxy, so that the illegal activities (the tasks given to bots) are not carried out from the perpetrator's computer," said Liposky.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Using an existing stolen Facebook username and password, the botnet logs into a compromised account and browses to secure.facebook.com/settings?tab=paymentsion=methods'.
It then searches for the string You have X payment methods saved', and directs the relevant info back to the command and control server.
In doing so, the credentials database becomes one listing potentially valuable Facebook victims.
The credentials database is enlarged by a 'ShouldPush' function in the malware.
"Immediately after we had gathered solid information on these criminal activities, we cooperated with both the Israeli CERT and Israeli law enforcement," said Liposky.
"The details of the investigation cannot be disclosed for reasons of confidentiality."
With the botnet largely inactive for now, Liposky could only speculate how the attacker abused the harvested data.
"The code suggests the attacker seeks out Facebook users who have something of value, worth stealing determined by the Poker stats and credit card details saved in their Facebook account.
"Later, the attacker can simply abuse the credit card information themselves or they may sell the database to other criminals," he said.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.
-
HSBC says get back to the office or risk bonuses – and history shows it’s a tactic that might backfire
News HSBC is the latest in a string of financial services firms hoping to tempt workers back to the office.
-
Python’s popularity shows no signs of fading – here’s why software developers love it
News Python remains highly popular among developers for a number of key reasons, experts told ITPro.
-
Seized database helps Europol snare botnet customers in ‘Operation Endgame’ follow-up sting
News Europol has detained several people believed to be involved in a botnet operation as part of a follow-up to a major takedown last year.
-
Horabot campaign targeted businesses for more than two years before finally being discovered
News The newly-discovered Horabot botnet has attacked companies in the accounting, investment, and construction sectors in particular
-
Brand-new Emotet campaign socially engineers its way from detection
News This latest resurgence follows a three-month hiatus and tricks users into re-enabling dangerous VBA macros
-
Latest Meta GDPR fine brings 12-month total to more than €1 billion
News Meta was issued with two hefty GDPR fines for “forcing” users to consent to data processing
-
"Unacceptable" data scraping lands Meta a £228m data protection fine
News The much-awaited decision follows the scraping of half a billion users' data and received unanimous approval from EU regulators
-
Microsoft says “it’s just too difficult” to effectively disrupt ransomware
News The company details its new approach to combatting cyber crime as the underground industry drains $6 trillion from the global economy
-
Meta notifies around 1 million Facebook users of potential compromise through malicious apps
News The vast majority of apps targeting iOS users appeared to be genuine apps for managing business functions such as advertising and analytics
-
Beating the bad bots: Six ways to identify and block spam traffic
In-depth Not all traffic is good. Learn how to prevent bad bots from overrunning your website