- Over 800 computers were infected with a Trojan targeting Zynag Poker players.
- The botnet calculated the value of the accounts based on factors including the number of credit cards on file.
- If an account was deemed of high enough value, then “phishing” links would be posted to the user’s wall.
A computer botnet that operated throughout 2012 collected the login credentials and payment details of over 16,000 Facebook users, security researchers revealed earlier this week.
Over 800 computers were infected with a Trojan, which would then connect to a central server and and be given login details to a Facebook account, with which it would then perform various tasks.
According to the detailed report from Robert Lipovsky, a security researcher at anti-virus firm ESET, the machine, with the compromised Facebook account details, would obtain play statistics from the Facebook app Zynga Poker along with the number of payment methods on file.
Apparently, the code would then use these statistics—the ranking on Zynga and whether any credit cards were on file—to determine the “value” of the account.
If an account was deemed of high enough value, then “phishing” links would be posted to the user’s wall. These posts, which would purport to be a titillating news story, would take a user to a fake Facebook page and prompt them to log in. The username and password of these “high value” Zynga accounts would then be obtained by the botnet.
ESET, Fair use No actual credit card information was stolen directly with the Botnet, but clearly it was designed to obtain the security credentials of accounts specifically with “high value” Zynga Poker accounts, and those that had credit cards on file.
As Lipovsky concludes, “... the purpose of the botnet is to firstly “expand the database of stolen Facebook usernames and passwords” and then to update the database, “[pairing] the credentials with information on the user’s Zynga Poker stats and their saved credit cards.”
“We can only speculate how the attacker further abuses these harvested data … Later, the attacker can simply abuse the credit card information themselves or they may sell the database to other criminals,” adds Lipovsky.
The threat was mostly active in Israel, ESET reports, running from December 2010 to about mid-February 2011, at which point the malware author apparently “ceased actively spreading the Trojan.”
Having informed Facebook of the malware, the company reset the passwords of all compromised accounts and “has taken preventive measures to thwart future attacks on the hijacked accounts,” according to Lipovsky.
In addition, ESET cooperated with Israeli law enforcement agencies.
Zynga Poker is planning to enter real money poker this year, under the brand Zynga Plus Poker, with bwin.party providing the platform with a gaming license in Gibraltar.