Anatomy of an Attack: ESET Discovers Trojan Malware Targeting Facebook Users


16,000 Login Credentials Stolen by 'PokerAgent' Malware

PR Newswire

SAN DIEGO, Jan. 29, 2013

SAN DIEGO, Jan. 29, 2013 /PRNewswire/ -- ESET, the global leader in proactive
digital protection with a 25-year track record of developing award-winning
technology, has discovered a social engineering Trojan horse that managed to
steal the login credentials of more than 16,000 Facebook users.



The 'PokerAgent' Trojan targeted Zynga™ Poker, the most popular online poker
site in the world. Zynga Poker hosts the Texas Hold'Em Poker App for Facebook.
According to APPData™, the game has more than 35 million active monthly users.

Specifically, the malware was designed to steal users' Facebook login details
and link them with user information for the online poker game. ESET first
began studying the Trojan in early 2012. However, thanks to proactive generic
detection of this threat, ESET users were protected against the Trojan as
early as December 2011.

Because 'PokerAgent' was most active in Israel, ESET contacted the Israeli
CERT (Computer Emergency Response Team) as well as the Israeli police in early
2012. Because of the ongoing investigation, ESET was not able to publicly
disclose any details about the threat. However, in addition to working with
the Israeli CERT team, ESET also notified Facebook, which took immediate
preventive measures to protect its members and thwart future attacks on the
hijacked accounts.

The attacker used the malware to gain access to the users' Facebook login
credentials, their game scores, information on the number of credit cards
stored in their Facebook settings, and their ability to buy more online
credit. The game's functionality allowed credit card and PayPal® payment to be
used to increase chip value. In cases where the user wasn't using a credit
card, or had a low game score, the infected computer received instructions to
infect the victim's Facebook profile with a link to a phishing site. That site
then acted to directly, or indirectly, lure the player's friends to a website
resembling the official Facebook homepage where, if they input their login
credentials, the attacker harvested their information.

In order to gain login credentials, the attacker used a botnet army of 800
computers, all infected and controlled by the attacker using a command and
control server.

One way to protect against a phishing attack is to pay attention to the page
address or URL. "To protect against attacks relying on social engineering
methods, having a good security solution is not enough, users should be
attentive to any such ploys," said Robert Lipovsky, ESET security intelligence
team lead. "The user could recognize the fake Facebook login page if they
checked the site's URL."

ESET estimates that the 'PokerAgent' Trojan potentially gained access to a
total of 16,194 login credentials and that, in addition to Texas Hold'Em Poker
on Zynga Poker, other Facebook applications could have been similarly

The number of threats utilizing Facebook is rapidly growing. More than 11.5
million Americans were victims of identity fraud in 2011, according to Javelin
Strategy & Research. Social media is also a growing factor in the threat
landscape with nearly five percent of Facebook users reporting some degree of
identity theft.*

To counter this trend, ESET has introduced a security application, ESET Social
Media Scanner, which is available free of charge and is capable of scanning the
user's profile for the presence of malicious and phishing links. On top of
that, the app can detect malicious links on the timeline of user's Facebook

In addition, ESET offers cutting-edge ESET Cybersecurity Training to improve
its customers' cyber self-defense skills with real-world cybercrime scenarios
via animations and educational exercises.

For more on the PokerAgent malware visit the ESET ThreatBlog:

*Javelin Strategy & Research, "2011 Identity Fraud Survey Report: Identity
Fraud Decreases – but Remaining Frauds Cost Consumers More Time & Money."
February 22, 2012.

The ESET logo and brand name are trademarks of ESET spol. s r.o. or ESET
North America. All other trademarks are property of their respective owners.

About ESET
ESET is on the forefront of security innovation, delivering trusted protection
to make the Internet safer for businesses and consumers. IDC has recognized
ESET as a top five corporate anti-malware vendor and one of the fastest
growing companies in its category. Trusted by millions of users worldwide,
ESET is one of the most recommended security solutions in the world. ESET
NOD32 Antivirus consistently achieves the highest accolades in all types of
comparative testing, and powers the virus and spyware detection in ESET Smart
Security, ESET Cybersecurity for Mac, ESET Endpoint Security and ESET Endpoint
Antivirus. ESET has global headquarters in Bratislava (Slovakia), with
regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina),
and Singapore; with offices in Sao Paulo (Brazil) and Prague (Czech Republic).
ESET has malware research centers in Bratislava, San Diego, Buenos Aires,
Singapore, Prague, Kosice (Slovakia), Krakow (Poland), Montreal (Canada),
Moscow (Russia), and an extensive partner network for 180 countries. For more
information, visit or call +1 (619) 876-5400.


Contact: Nathan Beers, Schwartz MSL, +1-415-512-0770,