The Trojan collected information on credit card details linked to the Facebook account and popular Zynga Poker player stats.
ESET, the leader in proactive protection against Internet threats, discovered the ‘PokerAgent’ botnet, which was designed to harvest Facebook log-on credentials, collect information on credit card details linked to the Facebook account, and collect the victim's Zynga Poker player stats, presumably with the intention of defrauding the victims. The Trojan managed to steal the login credentials of more than 16,000 Facebook users in 2012.
ESET Security Research Lab discovered an attention-grabbing Trojan horse about a year ago. ESET has been detecting the different variants of the Trojan generically as MSIL/Agent.NKY. The malware focused on stealing personal Facebook (FB) login details and, if the victim played the game, linking these with the user's statistics in Texas HoldEm Poker, a very popular FB application by Zynga Inc.
According to data from ESET LiveGrid, a cloud-powered real-time protection scanner, 99% of all detections of the Trojan came from Israel. ESET contacted the Israeli CERT (Computer Emergency Response Team) as well as the Israeli police in early 2012. During the investigation ESET could not publish any details about this threat; the threat has since been deactivated.
Zynga Poker is a well-known app available on all popular platforms: Zynga.com, iPhone, Facebook, iPad and Android. According to AppData, the application has 35 million monthly active users. Zynga Poker on Facebook is considered to be the most popular online poker platform in India. While analyzing this botnet, ESET estimated that the attacker could have gained access to a total of 16,194 login credentials.
What was the actual scenario of the attack? The attacker used the Trojan to obtain the user's FB login credentials, his/her score in the Texas HoldEm Poker game, and the number of credit cards stored in his/her Facebook settings and available to top up credit in the poker game.
The game had a feature that allowed players to replenish their chips with real money by entering credit card details or a PayPal account. To gain users' login credentials, an army of around 800 computers was used, all infected and controlled by the attacker. These machines executed commands from the C&C (Command & Control) server. The creator of the threat launched the attack using the login credentials of several FB accounts that had been obtained in advance.
The infected computers received a command to log in to those FB accounts and retrieve each user's Texas HoldEm score and the number of credit cards stored in his/her FB account. If a user had no stored credit card or a low score, the infected computer received instructions to post a link to a phishing site on the victim's FB profile. This site served, directly or indirectly, to lure the player's FB friends to a website resembling the FB homepage. If they entered their login credentials there, those were harvested by the attacker too.
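The phishing step above depends on a link that leads friends to a page resembling the Facebook login page. As an added example (not ESET's code and not the botnet's), the following Python scanner takes a handful of constructed timeline posts and flags links whose host is not under facebook.com but imitates it: the brand name in a foreign domain, the subdomain trick (facebook.com.example), digit-for-letter substitution, punycode (IDN homoglyph) labels, or a bare IP address. The posts, hostnames and the `LEGIT_SUFFIXES` allowlist are assumptions made for the example.

```python
"""Flag timeline links that point at lookalike Facebook login pages.

Added example, not code from ESET or from the PokerAgent botnet.
All posts and hostnames below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Assumed allowlist of hosts that legitimately serve the Facebook login page.
LEGIT_SUFFIXES = ("facebook.com", "fb.com")

# Constructed sample timeline posts (none of these hosts is a real site).
SAMPLE_POSTS = [
    "Check this out https://www.facebook.com/zyngapoker",
    "You won free chips! log in at http://facebook-login.example/secure/",
    "verify here http://xn--faebook-xza.example/login.php",
    "http://198.51.100.7/fb/login.html",
    "https://m.facebook.com/login/",
    "http://faceb00k.example/",
    "http://facebook.com.example/login",
]

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def host_of(url):
    """Lower-cased hostname of a URL (empty string if unparsable)."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_legit_host(host):
    """True only if host is exactly an allowlisted domain or a subdomain of one.
    'facebook.com.example' is NOT a subdomain of 'facebook.com'."""
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def looks_like_facebook(host):
    """Heuristics for a lookalike host: brand string after undoing common
    digit-for-letter swaps, or any punycode (IDN) label."""
    normalised = host.replace("0", "o").replace("1", "l")
    if "facebook" in normalised or "faceb" in normalised:
        return True
    return any(label.startswith("xn--") for label in host.split("."))


def classify_url(url):
    """Return 'legit', 'suspicious' or 'unknown' for a single URL."""
    host = host_of(url)
    if is_legit_host(host):
        return "legit"
    if IPV4_RE.fullmatch(host):
        return "suspicious"  # a bare IP is never where Facebook logs you in
    if looks_like_facebook(host):
        return "suspicious"
    return "unknown"


def scan_timeline(posts):
    """Extract every URL from the posts and return (url, verdict) for the
    ones that are not on an allowlisted host."""
    findings = []
    for post in posts:
        for url in URL_RE.findall(post):
            verdict = classify_url(url)
            if verdict != "legit":
                findings.append((url, verdict))
    return findings


if __name__ == "__main__":
    for url, verdict in scan_timeline(SAMPLE_POSTS):
        print(f"{verdict:10s} {url}")
```

The allowlist check is deliberately an exact-match-or-subdomain test rather than a substring test; a substring test is exactly what the facebook.com.example trick defeats. Verdicts of "unknown" are left for a reputation lookup, which the example does not perform.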
“Analyzing the attack flow, I can say users should be more careful and, first of all, more educated. While noticing that a Facebook login page is fake may not be possible all the time, especially if the bad guys have designed it well, storing your payment credentials, credit card or PayPal account details in any app on Facebook, a smartphone or elsewhere can and should be avoided. Not only Texas HoldEm Poker, but any other Facebook application could have been infected in the same way”, says Pankaj Jain, Director at ESET India.
The number of threats utilizing Facebook is growing rapidly. To counter this trend, ESET has introduced a security application, ESET Social Media Scanner, which is available free of charge and is capable of scanning the user's profile for the presence of malicious and phishing links. On top of that, the app can detect malicious links on the timelines of the user's Facebook friends.