Anatomy Of An Attack: ESET Discovers Trojan Malware Targeting Facebook Users

'PokerAgent' Trojan targeted Zynga Poker

January 30, 2013

4 Min Read


SAN DIEGO, Jan. 29, 2013 /PRNewswire/ -- ESET, the global leader in proactive digital protection with a 25 year track record of developing award-winning technology, has discovered a social engineering Trojan horse that managed to steal the login credentials of more than 16,000 Facebook users.

The 'PokerAgent' Trojan targeted Zynga(TM) Poker, the most popular online poker site in the world. Zynga Poker hosts the Texas Hold'Em Poker App for Facebook.

According to APPData(TM), the game has more than 35 million active monthly users.

Specifically, the malware was designed to steal users' Facebook login details and link them with user information for the online poker game. ESET first began studying the Trojan in early 2012. However, thanks to proactive generic detection of this threat, ESET users were protected against the Trojan as early as December 2011.

Because 'PokerAgent' was most active in Israel, ESET contacted the Israeli CERT (Computer Emergency Response Team) as well as the Israeli police in early 2012.

Because of the ongoing investigation, ESET was not able to publicly disclose any details about the threat. However, in addition to working with the Israeli CERT team, Facebook was also notified and took immediate preventive measures to protect their members and thwart future attacks on the hijacked accounts.

The attacker used the malware to gain access to the users' Facebook login credentials, their game scores, information on the number of credit cards stored in their Facebook settings, and their ability to buy more online credit. The game's functionality allowed credit card and PayPal® payment to be used to increase chip value. In cases where the user wasn't using a credit card, or had a low game score, the infected computer received instructions to infect the victim's Facebook profile with a link to a phishing site. That site then acted to directly, or indirectly, lure the player's friends to a website resembling the official Facebook homepage where, if they input their login credentials, the attacker harvested their information.

In order to gain login credentials, the attacker used a botnet army of 800 computers-all infected and controlled by the attacker using a command and control server.

One way to protect against a phishing attack is to pay attention to the page address or URL. "To protect against attacks relying on social engineering methods, having a good security solution is not enough, users should be attentive to any such ploys," said Robert Lipovsky, ESET security intelligence team lead. "The user could recognize the fake Facebook login page if they checked the site's URL."

ESET estimates that the 'PokerAgent' Trojan potentially gained access to a total of 16,194 login credentials and that, in addition to Texas Hold'Em Poker on Zynga Poker, other Facebook applications could have been similarly infected.

The number of threats utilizing Facebook is rapidly growing. More than 11.5 million Americans were victims of identity fraud in 2011, according to Javelin Strategy & Research. Social media is also a growing factor in the threat landscape with nearly five percent of Facebook users reporting some degree of identity theft.*

To counter this trend, ESET has introduced a security application ESET Social Media Scanner which is available free of charge and is capable of scanning the user's profile for the presence of malicious and phishing links. On top of that, the app can detect malicious links on the timeline of user's Facebook friends.

In addition, ESET offers cutting-edge ESET Cybersecurity Training to improve its customers' cyber self-defense skills with real-world cybercrime scenarios via animations and educational exercises.

For more on the PokerAgent malware visit the ESET ThreatBlog:

*Javelin Strategy & Research, "2011 Identity Fraud Survey Report: Identity Fraud Decreases - but Remaining Frauds Cost Consumers More Time & Money." February 22, 2012.

The ESET logo, and brand name are trademarks of ESET spol. s r.o. or ESET North America. All other trademarks are property of their respective owners.

About ESET

ESET is on the forefront of security innovation, delivering trusted protection to make the Internet safer for businesses and consumers. IDC has recognized ESET as a top five corporate anti-malware vendor and one of the fastest growing companies in its category. Trusted by millions of users worldwide, ESET is one of the most recommended security solutions in the world. ESET NOD32 Antivirus consistently achieves the highest accolades in all types of comparative testing, and powers the virus and spyware detection in ESET Smart Security, ESET Cybersecurity for Mac, ESET Endpoint Security and ESET Endpoint Antivirus. ESET has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore; with offices in Sao Paulo (Brazil) and Prague (Czech Republic). ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Kosice (Slovakia), Krakow (Poland), Montreal (Canada), Moscow (Russia), and an extensive partner network for 180 countries. For more information, visit or call +1 (619) 876-5400.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights