The 'PokerAgent' Trojan targeted Zynga Poker, the most popular online poker game in the world. Zynga Poker hosts the Texas Hold'Em Poker app for Facebook; according to AppData, the game has more than 35 million monthly active users.
Specifically, the malware was designed to steal users' Facebook login details and link them with user information for the online poker game. ESET first began studying the Trojan in early 2012. However, thanks to proactive generic detection of this threat, ESET users were protected against the Trojan as early as December 2011.
Because 'PokerAgent' was most active in Israel, ESET contacted the Israeli CERT as well as the Israeli police in early 2012. While that investigation was ongoing, ESET was not able to publicly disclose any details about the threat. In addition to working with the Israeli CERT team, ESET notified Facebook, which took immediate preventive measures to protect its members and to thwart further attacks using the hijacked accounts.
The attacker used the malware to gain access to the users' Facebook login credentials, their game scores, the number of credit cards stored in their Facebook settings, and therefore their ability to buy more online credit. The game lets players pay by credit card or PayPal to buy more chips.
In cases where the user had no credit card stored, or had a low game score, the infected computer received instructions to post a link to a phishing site on the victim's Facebook profile. That link, directly or via an intermediate page, lured the player's friends to a website resembling the official Facebook login page; if they entered their login credentials there, the attacker harvested them.
To gather login credentials, the attacker used a botnet of around 800 computers, all infected and controlled by the attacker through a command and control server.
One way to protect against a phishing attack is to pay attention to the page address, or URL, before entering any credentials. "To protect against attacks relying on social engineering methods, having a good security solution is not enough; users should be attentive to any such ploys," said Robert Lipovsky, ESET security intelligence team lead. "The user could recognize the fake Facebook login page if they checked the site's URL."
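The advice above is easier to follow if you know what a lookalike address can look like. The following Python example, added here and not part of ESET's report or of any ESET tool, checks whether a URL really belongs to facebook.com by parsing out the host and comparing it on a label boundary, so that the usual tricks (the genuine name placed before an @ sign, the genuine name used as a subdomain of an attacker's domain, or the genuine name only in the path) are judged on the real host. The domain list and the sample URLs are constructed for this example.

```python
from urllib.parse import urlsplit

# Domains that legitimately serve the Facebook login page. Assumption made for
# this example: facebook.com (and its subdomains) is the only genuine domain.
GENUINE_DOMAINS = ("facebook.com",)


def registrable_match(host, domain):
    """True if host is exactly domain or a subdomain of it (label boundary).

    'notfacebook.com' does not match, because the suffix test requires a dot
    before the genuine domain.
    """
    return host == domain or host.endswith("." + domain)


def check_login_url(url):
    """Classify a URL as ('genuine', reason) or ('suspicious', reason).

    The host comes from urlsplit().hostname, which discards userinfo and the
    port and lower-cases the name, so 'facebook.com@evil.example' and
    'FACEBOOK.COM.evil.example' are judged on the real host rather than on
    what the address superficially contains.
    """
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
    except ValueError:
        return ("suspicious", "unparseable URL")
    if not host:
        return ("suspicious", "no host in URL")
    if parts.scheme != "https":
        return ("suspicious", "login page not served over https")
    if any(registrable_match(host, d) for d in GENUINE_DOMAINS):
        return ("genuine", "host is %s" % host)
    # Everything below is a lookalike; report which trick it uses.
    if "@" in parts.netloc:
        return ("suspicious", "userinfo trick: real host is %s" % host)
    if any(d in host for d in GENUINE_DOMAINS):
        return ("suspicious", "genuine name embedded in lookalike host %s" % host)
    if any(d in parts.path for d in GENUINE_DOMAINS):
        return ("suspicious", "genuine name only in the path, host is %s" % host)
    return ("suspicious", "unrelated host %s" % host)


# Constructed sample URLs; the non-Facebook domains are placeholders.
SAMPLE_URLS = [
    "https://www.facebook.com/login.php",
    "https://www.facebook.com:443/login.php",
    "http://www.facebook.com/login.php",
    "https://facebook.com@login-secure.example/",
    "https://www.facebook.com.login-secure.example/",
    "https://login-secure.example/facebook.com/login.php",
    "https://faceb00k.com/",
]


def run_samples():
    """Return {url: (verdict, reason)} for the constructed samples."""
    return {u: check_login_url(u) for u in SAMPLE_URLS}


if __name__ == "__main__":
    for u, (verdict, why) in run_samples().items():
        print("%-10s %s  (%s)" % (verdict, u, why))
```

Note that the last sample, a homoglyph domain with zeros in place of the letter o, is flagged only because it is not facebook.com; the code does not try to detect lookalike spellings, so an allow-list of genuine domains, not a block-list of bad ones, is what does the work.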
ESET estimates that the 'PokerAgent' Trojan potentially gained access to a total of 16,194 login credentials and that, in addition to Texas Hold'Em Poker on Zynga Poker, other Facebook applications could have been targeted in the same way.
The number of threats utilizing Facebook is rapidly growing. More than 11.5 million Americans were victims of identity fraud in 2011, according to Javelin Strategy & Research. Social media is also a growing factor in the threat landscape with nearly five percent of Facebook users reporting some degree of identity theft.