1 min read

ESET Uncovers Trojan Targeted Zynga Poker players on Facebook

ESET, the leader in proactive protection against Internet threats, discovered the ‘PokerAgent’ botnet that was designed to harvest Facebook log-on credentials, collecting information on credit card details linked to the Facebook account and popular Zynga Poker player stats, presumably with the intention to mug the victims. The Trojan managed to steal the login credentials of more than 16,000 Facebook users in 2012.


ESET Security Research Lab has discovered an attention-grabbing Trojan horse about a year ago. ESET has been detecting the different variants of the Trojan generically as MSIL/Agent.NKY. The malware focused on stealing personal Facebook (FB) login details and linking these with the user statistics of Texas HoldEm Poker, a very popular FB application by Zynga Inc., in case the victim plays this game.


According to data from ESET LiveGrid, a cloud powered real-time protection scanner, precisely 99% of all detections of Trojan were coming from Israel.  ESET has contacted Israeli CERT (Computer Emergency Response Team) as well as Israeli police in early 2012. During the investigation ESET could not provide any details about this threat publicly and presently this threat has been deactivated.


Zynga Poker is a famous app available on all popular platforms: Zynga.com, iPhone, Facebook, iPad, Android. According to AppData, the application has a monthly share of 35 million active users. Zynga Poker on Facebook is considered to be the most popular online poker platform in India. While analyzing this botnet ESET estimates that the attacker could gain access to a total of 16,194 login credentials.


What was the actual scenario of the attack? The attacker used the Trojan to gain the user’s FB login credentials, his/her score in Texas HoldEm Poker game, as well as information on  the amount of credit cards stored in his/her Facebook settings and available to increase the credit in the game of poker.


The game had a functionality that allowed replenishing the chip value using real money by inputting the credit card details or PayPal account. To gain the user’s login credentials, an army of 800 of computers were used – all infected and controlled by the attacker. These machines were executing commands from the C&C (Command&Control) server. The creator of the threat has launched an attack using the login credentials of several FB accounts, which were gained ahead of time.


The infected computers received a command to login into the user’s FB accounts and to gain the user’s Texas HoldEm score, as well as the amount of credit cards stored in his/her FB account. In case of a user w/o a credit card or low score, the infected computer received instructions to infect the victim’s FB profile with a link to a phishing site. This site has acted to directly or indirectly lure the player’s FB friends to a website resembling the FB homepage. In case the login credentials were input by them, they were also harvested by the attacker.

1 Comment

  1. Thanks for enabling me to achieve new suggestions about personal computers. I also hold the belief that one of the best ways to help keep your laptop in prime condition is a hard plastic case, as well as shell, that suits over the top of one’s computer. A lot of these protective gear are usually model precise since they are made to fit perfectly over the natural outer shell. You can buy these directly from the vendor, or via third party sources if they are intended for your notebook computer, however not all laptop will have a spend on the market. Once more, thanks for your points.

Comments are closed.

%d bloggers like this: