The Facebook PokerAgent
Robert Lipovsky, lipovsky@eset.sk
Page 2
What we will talk about...
• OnlineGames trojans
• "Pokec Sniffer"
• Ransomware
• Android malware
• The grey zone
Page 3
• 1.11 billion active users (March 2013)
• Malware use:
  • Distribution vector
  • Motive
Page 4
Win32/Delf.QCZ
• July 2011
• Spread through Facebook & Vkontakte – improved social engineering
• Removed AV in safe mode
• Backdoor, downloader
• Bitcoin mining, DDoS, malware distribution
Page 5
Like-jacking through Malicious Browser Plug-ins
Page 6
PokerAgent: Introduction
• Interesting binary:
  • Facebook
  • Zynga Poker
  • "PokerAgent"
• MSIL/Agent.NKY
• Active: Q4/2011 - Q1/2012
• Most widespread: Israel
Page 7
PokerAgent: Overview
• Botnet: bots performed tasks
• Extensive database of stolen Facebook credentials
• Zynga Poker stats
• Linked credit card information
• Facebook account phishing
• Trojan (probably) distributed through Facebook
Page 8
PokerAgent: Details
• Zynga Poker stats
http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:%_FACEBOOK_ID%&signed_request=%_SIGNATURE%&platform=1
Page 9
PokerAgent: Details
• Credit card info
https://secure.facebook.com/settings?tab=payments&section=methods
You have <strong>X</strong> payment methods saved.
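Worked example, added by the editor and not taken from the talk or from ESET's analysis: the two URLs on the last two slides are what a defender can look for in web-proxy logs. A bot working through stolen accounts queries Zynga's profile_popup.php once per victim, so a single client fetching poker stats for many different Facebook IDs (the zid=1:<id> parameter) and then opening the payments settings page is a usable detection signature. The log lines, the threshold of three distinct IDs, and the regex for the "You have X payment methods saved." string are constructed for illustration; the slides do not show how the bot itself parsed the page, so the regex is an assumption based only on the quoted string.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log entries (client_ip, method, url). Not real
# traffic; the signed_request values are placeholders.
SAMPLE_LOG = [
    ("10.0.0.7", "GET", "http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:100001&signed_request=SIG1.PAYLOAD1&platform=1"),
    ("10.0.0.7", "GET", "http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:100002&signed_request=SIG2.PAYLOAD2&platform=1"),
    ("10.0.0.7", "GET", "http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:100003&signed_request=SIG3.PAYLOAD3&platform=1"),
    ("10.0.0.7", "GET", "https://secure.facebook.com/settings?tab=payments&section=methods"),
    ("10.0.0.9", "GET", "http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:100009&signed_request=SIG9.PAYLOAD9&platform=1"),
    ("10.0.0.9", "GET", "https://www.facebook.com/home.php"),
]

POKER_STATS_HOST = "facebook2.poker.zynga.com"
POKER_STATS_PATH = "/poker/inc/ajax/profile_popup.php"


def poker_stats_zid(url):
    """Return the Facebook ID queried via Zynga's profile popup, or None.

    The slide's URL template carries the victim as zid=1:%_FACEBOOK_ID%.
    """
    u = urlsplit(url)
    if u.hostname != POKER_STATS_HOST or u.path != POKER_STATS_PATH:
        return None
    zid = parse_qs(u.query).get("zid", [""])[0]
    prefix, sep, fbid = zid.partition(":")
    if sep != ":" or prefix != "1" or not fbid.isdigit():
        return None
    return fbid


def is_payment_methods_page(url):
    """True for the Facebook payments settings page the bot scraped."""
    u = urlsplit(url)
    qs = parse_qs(u.query)
    return (u.hostname == "secure.facebook.com" and u.path == "/settings"
            and qs.get("tab") == ["payments"] and qs.get("section") == ["methods"])


def find_harvesting_clients(log, min_distinct_ids=3):
    """Flag clients that pull Zynga stats for many different Facebook IDs.

    A legitimate player looks up their own profile and a few opponents; a
    bot working through a credential database queries one zid per victim.
    The threshold is an assumed tuning value, not one from the talk.
    """
    ids_by_client = defaultdict(set)
    payments_by_client = set()
    for client, _method, url in log:
        fbid = poker_stats_zid(url)
        if fbid:
            ids_by_client[client].add(fbid)
        if is_payment_methods_page(url):
            payments_by_client.add(client)
    return {
        client: {
            "facebook_ids": sorted(ids),
            "checked_payment_methods": client in payments_by_client,
        }
        for client, ids in ids_by_client.items()
        if len(ids) >= min_distinct_ids
    }


# Assumed pattern for the string quoted on the slide; handles singular too.
PAYMENT_METHODS_RE = re.compile(
    r"You have <strong>(\d+)</strong> payment methods? saved\.")


def payment_method_count(html):
    """Extract the saved-payment-method count from the settings page HTML."""
    m = PAYMENT_METHODS_RE.search(html)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    for client, info in find_harvesting_clients(SAMPLE_LOG).items():
        print(client, info)
    print(payment_method_count("<p>You have <strong>2</strong> payment methods saved.</p>"))
```

On the constructed log only 10.0.0.7 is flagged: it queried three distinct Facebook IDs and then the payments page, while 10.0.0.9 looked up a single ID, which is what an ordinary player does.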
Page 10
PokerAgent: Details
• Phishing
  • Tasks contained phishing URLs
Page 11
PokerAgent: Additional details
Page 12
PokerAgent: Modus Operandi
• Attacker's motives:
  • Harvest Facebook log-on credentials
  • Check Facebook accounts for Poker stats and credit card info
Page 13
PokerAgent: Investigation
• Active botnet monitoring
  • 800+ infected bots
  • 16 194+ Facebook access credentials in database
• Cooperation with:
  • Israeli CERT
  • Israeli law enforcement
  • Facebook