The ‘PokerAgent’ botnet, which we have tracked in 2012, was designed to harvest Facebook log-on credentials, also collecting information on credit card details linked to the Facebook account and Zynga Poker player stats, presumably with the intention to mug the victims. The threat was mostly active in Israel. 800 computers were infected, over 16194 Facebook credentials stolen.

Introduction

ESET Security Research Lab has discovered an attention-grabbing Trojan horse about a year ago. The signs which indicated that it would be something interesting were references to Facebook, its Zynga Poker App (seen from the text strings in the binary), the executable name “PokerAgent” and botnet features – the Trojan would request tasks from a C&C server.

ESET has been detecting the different variants of the Trojan generically as MSIL/Agent.NKY. After the initial discovery, we were able to find other versions of the Trojan, both older and newer, and acquire detection statistics which have revealed that the Trojan was most active in the country of Israel.

We have performed a deep analysis of the Trojan’s source code (which was quite trivial as it was programmed in C#, which is easily to decompile) and started monitoring the botnet. The findings are presented below.

Additional technical details are available in the white paper.

Malware functionality

The malware author/attacker has an extensive database of stolen Facebook credentials – login names and passwords. At first, we didn’t know how he had acquired the credentials, but later on in the investigation this became clear. When the bot connects to the C&C server, it requests tasks to carry out. One such “task” equals one Facebook user. The Trojan is programmed to log into this Facebook account, and collect the following information:

  1. Zynga Poker stats for the given Facebook ID
  2. Number of payment methods (i.e. credit cards) saved in the Facebook account

The Zynga Poker user statistics are acquired by parsing the response from the URL: http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:%_FACEBOOK_ID%&signed_request=%_SIGNATURE% &platform=1

This returned response looks something like the one below, and contains various information about the user, such as his or her name, gender, profile picture, Zynga poker rank and points, number of ‘buddies’ and statistics on hands played in the game.

The Trojan is only interested in the gender of the user, points and rank. This information is sent back to the C&C server.

Note that in order to pose the query, the perpetrator only needs the victim’s numerical Facebook ID and a valid signed request parameter for the Zynga Poker application. Throughout the different versions of the bot, we have observed different parameters being used.

More information on the popular game Zynga Poker can be found here.

In order to ascertain the number of payment methods linked into the Facebook account, the bot first has to log into the account (using a Facebook username and password already in the perpetrator’s possession). The Trojan then browses to https://secure.facebook.com/settings?tab=payments&section=methods and simply parses the number between html tags in the following string “You have <strong>X</strong> payment methods saved.” from the HTML page.

We advise careful consideration before storing credit card details into any app, not only Facebook!

Again, this information is sent back to the C&C server to update the attacker’s victim database.

The infected bot can be instructed to perform one other important task on behalf of a Facebook victim:

  1. Publish links on the Facebook user’s wall

The purpose of this functionality is to direct other Facebook users (i.e. the friends of the users whose logon details have already been stolen) to a fake Facebook log-in site, in order to phish their credentials as well.

The task sent to the bot, apart from a Facebook user name and password, also contains a URL (sent in an encrypted form) and possibly some accompanying text for the post (we haven’t observed this feature being usedby the botnet, however). The Trojan, having logged in to the Facebook account, publishes the decrypted link on the Facebook user’s wall.

Here is an example:

The link would lead to a webpage like the one on the screenshot below. During our botnet monitoring, we have observed different landing pages being used. Both from our telemetry and from the text on these websites we see that the attacks were mainly targeting Israeli Internet users. The pages featured tabloid topics, which a user could be curious to click on.

Regardless of the topic of the “redirect page”, they all had one thing in common – every picture or link was an HTML link to a fake Facebook login website as seen below. Again, different URLs were used over time.

Unsurprisingly, when a victim fills in the log-in form on this counterfeit Facebook page, his credentials are sent to the attacker.

Analysis of the source code also reveals an interesting feature of the Trojan’s programming logic. The code contains a function called ShouldPublish, which determines whether the phishing links should be posted to the user’s wall. That depends on whether the victim has any credit cards linked to his account and his Zynga Poker ranking. Apparently, if one of these conditions is met, the attacker considers it a success. If not – no payment details and low Poker ranking – the Trojan seeks other victims.

How does the attack happen?

It should be noted that, unlike other Trojans we often see spreading through Facebook, this Trojan does not log into or in any way interfere with the Facebook account of the user that is infected. (In fact, they may or may not even have a Facebook account.) The botnet serves rather as a proxy, so that the illegal activities (the tasks given to bots) are not carried out from the perpetrator’s computer.

Having said that, the aforementioned facts lead us to the conclusion that the purpose of the botnet is to:

  1. Expand the database of stolen Facebook usernames and passwords
  2. Update the database: pair the credentials with information on the user’s Zynga Poker stats and their saved credit cards

We can only speculate how the attacker further abuses these harvested data. The code suggests that the attacker seeks out Facebook users who have something of value, worth stealing – determined by the Poker stats and credit card details saved in their Facebook account. Later, the attacker can simply abuse the credit card information themselves or they may sell the database to other criminals.

How does it spread?

Above, we have shown the fake Facebook login page that the attacker uses to lure their victims into giving them their Facebook credentials.

As far as the distribution of the “PokerAgent” Trojan itself is concerned, we haven’t been lucky enough to catch ‘in the act’ of spreading. At the time when we were monitoring the botnet in March 2012, it was no longer spreading actively.  What we do know, however, is that the Trojan is downloaded onto the system by another downloader component (of which we have also seen several versions). This downloader component was seen on the web (on various dynamically changing URLs) and the victims have been fooled into downloading it.

Given the nature and techniques used by the Trojan, it’s a fair assumption that the Trojan downloader was also distributed through Facebook, making use of similar social engineering tricks.

Scale of the attacks and action taken

We have been detecting the Trojan MSIL/Agent.NKY since December 3, 2011. Sometime later, we noticed that this was something that deserves more of our attention and conducted an in-depth analysis of the code, started tracking the threat and, after having analyzed its C&C protocol, began monitoring the botnet.

Thanks to our generic detection, we were able to capture both earlier and later versions of the Trojan. We have found 36 different versions of ‘PokerAgent’ with compilation timestamps from September 2011 to March 2012. MD5 hashes are provided at the end of this paper. Thus, we were able to see the malware writer actively developing his project.

Our tracking of the botnet revealed that at least 800 computers have been infected with the Trojan and that the attacker had at least 16194 unique entries in his database of stolen Facebook credentials by March 20, 2012. Note that this number does necessarily correlate exactly to the number of valid users whose credentials have been stolen, as there could have been more, which we didn’t see. However, of those that we did see, not all entries were valid as not all users were tricked by the phishing scheme and have entered details that were obviously fake.

As can be seen from our ESET LiveGrid ® detection timeline below, the malware author seemed to have ceased actively spreading the Trojan mid-February 2012.

The attacks are regionally concentrated in only one country. Our telemetry indicates that precisely 99% of all MSIL/Agent.NKY detections by ESET security products come from Israel.

Immediately after we had gathered solid information on these criminal activities, we cooperated with both the Israeli CERT and Israeli law enforcement. The details of the investigation cannot be disclosed for reasons of confidentiality.

Facebook has also been notified and has taken preventive measures to thwart future attacks on the hijacked accounts.

Conclusion

The ‘PokerAgent’ case represents a successful attack against the users of the largest social network in the world and players of the largest Poker site in the world. There are, however, several security practices – aside from the obvious recommendation to use an updated anti-virus – which would have prevented the perpetrators from being so lucky.

  • Not only technical measures, but also user vigilance are important as countermeasures to all attacks that employ social engineering. While visually it's a perfect copy of the real thing, the fake Facebook log-on webpage could easily be recognized as such if the user checked the browser address bar, yet the majority of victims were duped by the phishing scam.
  • Facebook has implemented various mechanisms for improving the security of their users. In particular, two-factor authentication would have prevented the infected bots from logging into the victim Facebook accounts.
  • We advise careful consideration before allowing a browser or other app to ‘remember’ passwords for sensitive services and before storing credit card details into any application (not only Facebook!).
  • With popular social networks being exploited for malware dissemination, spam, phishing, and other nefarious purposes, it is highly advisable to ensure that you are protected from this attack vector as well. In order to keep your Facebook account clean, ESET has introduced the ESET Social Media Scanner app.

PokerAgent - stealing Facebook account credentials

List of MD5s

1a177ad790309f162043557da2c178b8
2cbe2ba07c5887170fe587c91739f137
82eecb76e4f0efea29ce7e790ebfff99
aef2313baae374ce3ab000ae15046cc5
4988851c88674ce45883141628559c04
4a05b90f662cbc47cc4c826abebebe8f
335864d4e02cefe9e328043730ba4630
725a34b0f9ee536b63e75913ca17dec8
538312bdad9f1ea62d5690e87caba00f
47ac52b3a13443b061dd293d64142d18
6b51fef476c48ad121d2543f037cc438
b038a93d36fa9fa82f2c2ad3908f79a9
bb1236655a35d74f43fc1087ba0a6d59
eb4740d54570e847086d863e1fa51c61
1c6689abd86a1114b50dcf1f809b164d
b1e168de7e9e495f2c02f73bc0092fe3
c854d298d5a70e89390f55e998682b1a
5e8a0b4ef16b784ca4d78f8036eec52e
4d3dbfca81f73f03ce18a848478838cd
4f2ba75830b3470615c9ad66a3b86916
d764e2b23addd8156afe259097713101
10abb121ff6c6edc47aea2263f00df2e
2e2f62c79f31eff7a2f4605d6b59455d
82482f49f9e204e48cd68f3a6081162f
911b0edc23382c8e6bc4684c759fe429
6FF4D77ED54F50EF36348478D71BA490
B29E3ACDF92D665D2B175C60A70C72AC
4E917F6FBB9F4D722018273B0C764B86
F6695F4B63073F059ABD57DFFA397353
5168C1A87AAE174272FD9993B2365ACA
BA15FE1242D471BCB80803A40C30F9EE
3C7485C07D631EB67486A06C9BA6037A
85728B5295F48905E33FF2833AC7A70B
D78ED2A9268068129266F8B28C97C9BA
287e4debe7e1f407add481ed67897eec
D21A691EEFBA72113C4B44389A304466