ESET's Robert Lipovsky reports that the PokerAgent botnet, which is designed to steal Facebook login credentials along with Zynga Poker player stats and any credit card information linked to the victim's Facebook account, infected 800 systems and harvested more than 16,194 Facebook credentials between late 2011 and early 2012.
"An analysis of the source code found it was written in C#, making it easy to decode," writes IT PRO's Rene Millman. "The botnet does not log into the infected user's Facebook account, [Lipovsky] revealed. 'The botnet serves rather as a proxy, so that the illegal activities (the tasks given to bots) are not carried out from the perpetrator’s computer,' said Lipovsky."
"From the existing database of stolen credentials, the Trojan logs into a known Facebook account, and browses to 'secure.facebook.com/settings?tab=payments&section=methods,'" Infosecurity reports. "It then looks for the string 'You have <strong>X</strong> payment methods saved,' and sends the relevant information back to the C&C server. In this way, the credentials database becomes one of potentially valuable Facebook targets."
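Because the bots act as proxies that log into many stolen accounts from one infected machine and then fetch the payment-methods settings page, that pattern is what a defender can look for in egress logs. The following is an added detection example, not code from ESET or the article; the log format, the hostnames and the `/login.php` path are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (assumed format, not from the article):
# timestamp, internal host, account used, HTTP method, requested path.
SAMPLE_LOG = """\
2012-01-14T10:00:01 10.0.0.7 alice@example.com POST /login.php
2012-01-14T10:00:05 10.0.0.7 alice@example.com GET /settings?tab=payments&section=methods
2012-01-14T10:00:09 10.0.0.7 bob@example.com POST /login.php
2012-01-14T10:00:12 10.0.0.7 bob@example.com GET /settings?tab=payments&section=methods
2012-01-14T10:00:20 10.0.0.7 carol@example.com POST /login.php
2012-01-14T10:00:24 10.0.0.7 carol@example.com GET /settings?tab=payments&section=methods
2012-01-14T10:01:00 10.0.0.9 dave@example.com POST /login.php
2012-01-14T10:01:30 10.0.0.9 dave@example.com GET /settings?tab=payments&section=methods
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+)$")
LOGIN_PATH = "/login.php"  # assumed login endpoint in the constructed log
PAYMENTS_PATH = "/settings?tab=payments&section=methods"  # path named in the article

def parse_lines(text):
    """Yield (timestamp, host, account, method, path) for well-formed lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groups()

def flag_proxy_hosts(text, min_accounts=3):
    """Return {host: sorted accounts} for internal hosts that logged into at
    least min_accounts distinct accounts and fetched the payments page for
    each of them. One workstation normally uses one account, so a host
    cycling through many accounts and checking saved payment methods
    matches the proxy behaviour described for PokerAgent."""
    logins = defaultdict(set)
    payments = defaultdict(set)
    for _ts, host, account, method, path in parse_lines(text):
        if method == "POST" and path == LOGIN_PATH:
            logins[host].add(account)
        elif method == "GET" and path == PAYMENTS_PATH:
            payments[host].add(account)
    flagged = {}
    for host, accounts in logins.items():
        hit = accounts & payments[host]
        if len(hit) >= min_accounts:
            flagged[host] = sorted(hit)
    return flagged

if __name__ == "__main__":
    for host, accounts in flag_proxy_hosts(SAMPLE_LOG).items():
        print(f"{host}: {len(accounts)} accounts checked for payment methods")
```

The threshold should be tuned to the environment; shared kiosks or NAT gateways legitimately front several accounts.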
"We can only speculate how the attacker further abuses these harvested data," Lipovsky writes. "The code suggests that the attacker seeks out Facebook users who have something of value, worth stealing -- determined by the Poker stats and credit card details saved in their Facebook account. Later, the attacker can simply abuse the credit card information themselves or they may sell the database to other criminals."
"ESET said the malware author seemed to have ceased actively spreading the Trojan mid-February 2012," writes TechWeekEurope's Tom Brewster. "Efforts from ESET, Israel’s Computer Emergency Response Team (CERT) and law enforcement could well have been the catalyst for the demise of PokerAgent."