The Botnet That Stole 16,000 Facebook Logins

Malware managed to pilfer over 16,000 Facebook credentials in 2012, as well as credit card information linked to user accounts, it was revealed today.

The PokerAgent botnet controlled 800 systems and sought to harvest information on Facebook users running the Zynga Poker app. The botnet was most active in Israel, said security company ESET, which revealed the findings today after working with police in the country and with Facebook to kill the threat.

Botnet botheration

Infected users did not have their own Facebook accounts hacked. Their systems were instead used to carry out nefarious activities on other user accounts for which the attackers had acquired details, as the hackers sought to cover their tracks. Those systems carrying the malware were also used to propagate and grow the botnet.

“Facebook was notified and has responded promptly by forcing password resets for all known victims,” Robert Lipovský, ESET malware researcher, told TechWeekEurope.

“We only know that the attacker had at least 16,194 unique entries in his database of stolen logins. On the one hand, there may have been more, on the other, not all of these were valid – so that number is just a rough estimate.”

ESET had no information on how much money was stolen.

The Trojan was programmed to log into Facebook accounts and collect information on Zynga Poker stats for the given Facebook ID and the number of payment methods saved in the Facebook account.

PokerAgent was only interested in gathering gender information, points and rank from poker players. It is unclear what the attackers were doing with the harvested data, but ESET suggested they were amassing databases for future attempts to steal user identities and funds.

“The code suggests that the attacker seeks out Facebook users who have something of value, worth stealing – determined by the Poker stats and credit card details saved in their Facebook account,” Lipovský wrote in a blog post. “Later, the attacker can simply abuse the credit card information themselves or they may sell the database to other criminals.”

The malware was also ordered to publish links on the infected Facebook user’s wall. Those links would lead visitors to a fake Facebook login site, where their details would also be phished.

But Facebook users should not have to worry about this threat today. ESET said the malware author seemed to have ceased actively spreading the Trojan in mid-February 2012. Efforts from ESET, Israel’s Computer Emergency Response Team (CERT) and law enforcement could well have been the catalyst for the demise of PokerAgent.

ESET noted that two-factor authentication would have prevented the malware from logging into Facebook accounts.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
