The Facebook PokerAgent
Robert Lipovsky
[email protected]

What we will talk about...
• OnlineGames trojans
• „Pokec Sniffer“
• Ransomware
• Android malware
• Grey zone

Facebook
• 1.11 Billion active users (March 2013)
• Malware use:
  • Distribution vector
  • Motive

Win32/Delf.QCZ
• July 2011
• Spread through Facebook & Vkontakte – improved social engineering
• Removed AV in safe-mode
• Backdoor, downloader
  • Bitcoin mining, DDoS, malware distribution

Like-jacking through Malicious Browser Plug-ins

PokerAgent: Introduction
• Interesting binary:
  • Facebook
  • Zynga Poker
  • “PokerAgent”
• MSIL/Agent.NKY
• Active: Q4/2011 - Q1/2012
• Most widespread: Israel

PokerAgent: Overview
• Botnet: bots performed tasks
• Extensive db of stolen Facebook credentials
  • Zynga Poker Stats
  • Linked Credit Card information
• FB account phishing
• Trojan (probably) distributed through Facebook

PokerAgent: Details
• Zynga Poker stats
http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:%_FACEBOOK_ID%&signed_request=%_SIGNATURE%&platform=1

PokerAgent: Details
• Credit card info
https://secure.facebook.com/settings?tab=payments&section=methods
You have X payment methods saved.
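
The two Details slides describe how the bot checked each stolen account: a Zynga Poker stats request carrying the victim's Facebook ID, then a look at the payment-methods settings page. A genuine user touches one or two Facebook IDs, whereas an infected host working through a task list touches many, and a defender can spot that in web-proxy logs. The Python below is an added example (not code from the presentation); it assumes a constructed, simplified proxy log format of `timestamp client_ip method url status`, and its thresholds are illustrative.

```python
"""Detection sketch: spot PokerAgent-style account checking in web-proxy logs.

Added example, not code from the presentation. Log format is a constructed
simplification: "<iso-timestamp> <client_ip> <method> <url> <status>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Endpoints named on the slides: Zynga Poker stats popup and the FB payments page.
POKER_STATS_HOST = "facebook2.poker.zynga.com"
POKER_STATS_PATH = "/poker/inc/ajax/profile_popup.php"
PAYMENTS_HOST = "secure.facebook.com"
PAYMENTS_PATH = "/settings"
ZID_RE = re.compile(r"^1:(\d+)$")  # zid=1:<FACEBOOK_ID>, as in the slide's URL template

# Constructed sample log: one ordinary player, one user checking their own
# payment methods, and one infected host working through a list of stolen accounts.
SAMPLE_LOG = [
    "2012-01-15T10:00:01 10.0.0.5 GET http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:100001&signed_request=SIG_A&platform=1 200",
    "2012-01-15T10:02:10 10.0.0.5 GET https://www.facebook.com/home.php 200",
    "2012-01-15T10:03:00 10.0.0.7 GET https://secure.facebook.com/settings?tab=payments&section=methods 200",
    "2012-01-15T10:05:00 10.0.0.9 GET http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:200001&signed_request=SIG_B&platform=1 200",
    "2012-01-15T10:05:02 10.0.0.9 GET https://secure.facebook.com/settings?tab=payments&section=methods 200",
    "2012-01-15T10:05:30 10.0.0.9 GET http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:200002&signed_request=SIG_C&platform=1 200",
    "2012-01-15T10:05:32 10.0.0.9 GET https://secure.facebook.com/settings?tab=payments&section=methods 200",
    "2012-01-15T10:06:00 10.0.0.9 GET http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:200003&signed_request=SIG_D&platform=1 200",
    "2012-01-15T10:06:02 10.0.0.9 GET https://secure.facebook.com/settings?tab=payments&section=methods 200",
    "2012-01-15T10:06:30 10.0.0.9 GET http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:200004&signed_request=SIG_E&platform=1 200",
    "2012-01-15T10:07:00 10.0.0.9 GET http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:200005&signed_request=SIG_F&platform=1 200",
    "2012-01-15T10:07:30 10.0.0.9 GET http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:200006&signed_request=SIG_G&platform=1 200",
]


def parse_line(line):
    """Split one constructed proxy-log line into a record."""
    ts, ip, method, url, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip,
            "method": method, "url": url, "status": int(status)}


def classify(url):
    """Map a URL to ("poker_stats", facebook_id), ("payments", None) or None."""
    u = urlparse(url)
    qs = parse_qs(u.query)
    if u.hostname == POKER_STATS_HOST and u.path == POKER_STATS_PATH:
        m = ZID_RE.match(qs.get("zid", [""])[0])
        if m:
            return ("poker_stats", m.group(1))
    if (u.hostname == PAYMENTS_HOST and u.path == PAYMENTS_PATH
            and qs.get("tab") == ["payments"] and qs.get("section") == ["methods"]):
        return ("payments", None)
    return None


def find_account_checkers(lines, window=timedelta(minutes=10),
                          min_ids=5, min_payment_views=3):
    """Return {client_ip: counts} for hosts that, inside one `window`, query
    Zynga stats for >= min_ids distinct Facebook IDs or load the payment-methods
    page >= min_payment_views times. Thresholds are illustrative assumptions."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        kind = classify(rec["url"])
        if kind is not None:
            events[rec["ip"]].append((rec["ts"], kind))

    alerts = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        for i, (t0, _) in enumerate(evs):  # slide a window starting at each event
            ids, pay = set(), 0
            for t, (kind, fid) in evs[i:]:
                if t - t0 > window:
                    break
                if kind == "poker_stats":
                    ids.add(fid)
                else:
                    pay += 1
            if len(ids) >= min_ids or pay >= min_payment_views:
                alerts[ip] = {"distinct_facebook_ids": len(ids),
                              "payment_page_views": pay}
                break
    return alerts


if __name__ == "__main__":
    for ip, counts in find_account_checkers(SAMPLE_LOG).items():
        print(f"suspicious account checking from {ip}: {counts}")
```

On the constructed log only 10.0.0.9 is flagged (6 distinct Facebook IDs and 3 payment-page views within the window); the two legitimate hosts stay below both thresholds.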

PokerAgent: Details
• Phishing
• Tasks contained phishing URLs

PokerAgent: Additional details

PokerAgent: Modus Operandi
• Attacker’s motives:
  • Harvest Facebook log-on credentials
  • Check Facebook accounts for Poker stats and Credit Card info

PokerAgent: Investigation
• Active botnet monitoring
  • 800+ infected bots
  • 16 194+ Facebook access credentials in database
• Cooperation with:
  • Israeli CERT
  • Israeli law enforcement
  • Facebook

Thank you…
[email protected]
[email protected]
WeLiveSecurity.com
VirusRadar.com
• Check Facebook accounts for Poker stats and Credit Card info
PokerAgent: Investigation
• Active botnet monitoring
• 800+ infected bots
• 16 194+ Facebook access credentials in database
• Cooperation with:
• Israeli CERT
• Israeli law enforcement
Thank you…
[email protected]
[email protected]
WeLiveSecurity.com
VirusRadar.com
Slide 7
The Facebook PokerAgent
Robert Lipovsky
[email protected]
O čom si povieme...
•
•
•
•
•
OnlineGames trojany
„Pokec Sniffer“
Ransomware
Android malware
Šedá zóna
• 1.11 Billion active users (March 2013)
• Malware use:
• Distribution vector
• Motive
Win32/Delf.QCZ
•
•
•
•
July 2011
Spread through Facebook & Vkontakte – improved social engineering
Removed AV in safe-mode
Backdoor, downloader
• Bitcoin mining, DDoS, malware distribution
Like-jacking through Malicious Browser Plug-ins
PokerAgent: Introduction
• Interesting binary:
• Zynga Poker
• “PokerAgent”
• MSIL/Agent.NKY
• Active: Q4/2011 - Q1/2012
• Most widespread: Israel
PokerAgent: Overview
• Botnet: bots performed tasks
• Extensive db of stolen Facebook credentials
• Zynga Poker Stats
• Linked Credit Card information
• FB account phishing
• Trojan (probably) distributed through
PokerAgent: Details
• Zynga Poker stats
http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=
1:%_FACEBOOK_ID%&signed_request=%_SIGNATURE%&platform=1
PokerAgent: Details
• Credit card info
https://secure.facebook.com/settings?tab=payments§ion=methods
You have X payment methods saved.
PokerAgent: Details
• Phishing
• Tasks contained phishing URLs
PokerAgent: Additional details
PokerAgent: Modus Operandi
• Attacker’s motives:
• Harvest Facebook log on credentials
• Check Facebook accounts for Poker stats and Credit Card info
PokerAgent: Investigation
• Active botnet monitoring
• 800+ infected bots
• 16 194+ Facebook access credentials in database
• Cooperation with:
• Israeli CERT
• Israeli law enforcement
Thank you…
[email protected]
[email protected]
WeLiveSecurity.com
VirusRadar.com
Slide 8
The Facebook PokerAgent
Robert Lipovsky
[email protected]
O čom si povieme...
•
•
•
•
•
OnlineGames trojany
„Pokec Sniffer“
Ransomware
Android malware
Šedá zóna
• 1.11 Billion active users (March 2013)
• Malware use:
• Distribution vector
• Motive
Win32/Delf.QCZ
•
•
•
•
July 2011
Spread through Facebook & Vkontakte – improved social engineering
Removed AV in safe-mode
Backdoor, downloader
• Bitcoin mining, DDoS, malware distribution
Like-jacking through Malicious Browser Plug-ins
PokerAgent: Introduction
• Interesting binary:
• Zynga Poker
• “PokerAgent”
• MSIL/Agent.NKY
• Active: Q4/2011 - Q1/2012
• Most widespread: Israel
PokerAgent: Overview
• Botnet: bots performed tasks
• Extensive db of stolen Facebook credentials
• Zynga Poker Stats
• Linked Credit Card information
• FB account phishing
• Trojan (probably) distributed through
PokerAgent: Details
• Zynga Poker stats
http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=
1:%_FACEBOOK_ID%&signed_request=%_SIGNATURE%&platform=1
PokerAgent: Details
• Credit card info
https://secure.facebook.com/settings?tab=payments§ion=methods
You have X payment methods saved.
PokerAgent: Details
• Phishing
• Tasks contained phishing URLs
PokerAgent: Additional details
PokerAgent: Modus Operandi
• Attacker’s motives:
• Harvest Facebook log on credentials
• Check Facebook accounts for Poker stats and Credit Card info
PokerAgent: Investigation
• Active botnet monitoring
• 800+ infected bots
• 16 194+ Facebook access credentials in database
• Cooperation with:
• Israeli CERT
• Israeli law enforcement
Thank you…
[email protected]
[email protected]
WeLiveSecurity.com
VirusRadar.com
Slide 9
The Facebook PokerAgent
Robert Lipovsky
[email protected]
O čom si povieme...
•
•
•
•
•
OnlineGames trojany
„Pokec Sniffer“
Ransomware
Android malware
Šedá zóna
• 1.11 Billion active users (March 2013)
• Malware use:
• Distribution vector
• Motive
Win32/Delf.QCZ
•
•
•
•
July 2011
Spread through Facebook & Vkontakte – improved social engineering
Removed AV in safe-mode
Backdoor, downloader
• Bitcoin mining, DDoS, malware distribution
Like-jacking through Malicious Browser Plug-ins
PokerAgent: Introduction
• Interesting binary:
• Zynga Poker
• “PokerAgent”
• MSIL/Agent.NKY
• Active: Q4/2011 - Q1/2012
• Most widespread: Israel
PokerAgent: Overview
• Botnet: bots performed tasks
• Extensive db of stolen Facebook credentials
• Zynga Poker Stats
• Linked Credit Card information
• FB account phishing
• Trojan (probably) distributed through
PokerAgent: Details
• Zynga Poker stats
http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=
1:%_FACEBOOK_ID%&signed_request=%_SIGNATURE%&platform=1
PokerAgent: Details
• Credit card info
https://secure.facebook.com/settings?tab=payments§ion=methods
You have X payment methods saved.
PokerAgent: Details
• Phishing
• Tasks contained phishing URLs
PokerAgent: Additional details
PokerAgent: Modus Operandi
• Attacker’s motives:
• Harvest Facebook log on credentials
• Check Facebook accounts for Poker stats and Credit Card info
PokerAgent: Investigation
• Active botnet monitoring
• 800+ infected bots
• 16 194+ Facebook access credentials in database
• Cooperation with:
• Israeli CERT
• Israeli law enforcement
Thank you…
[email protected]
[email protected]
WeLiveSecurity.com
VirusRadar.com
Slide 10
The Facebook PokerAgent
Robert Lipovsky
[email protected]
O čom si povieme...
•
•
•
•
•
OnlineGames trojany
„Pokec Sniffer“
Ransomware
Android malware
Šedá zóna
• 1.11 Billion active users (March 2013)
• Malware use:
• Distribution vector
• Motive
Win32/Delf.QCZ
•
•
•
•
July 2011
Spread through Facebook & Vkontakte – improved social engineering
Removed AV in safe-mode
Backdoor, downloader
• Bitcoin mining, DDoS, malware distribution
Like-jacking through Malicious Browser Plug-ins
PokerAgent: Introduction
• Interesting binary:
• Zynga Poker
• “PokerAgent”
• MSIL/Agent.NKY
• Active: Q4/2011 - Q1/2012
• Most widespread: Israel
PokerAgent: Overview
• Botnet: bots performed tasks
• Extensive db of stolen Facebook credentials
• Zynga Poker Stats
• Linked Credit Card information
• FB account phishing
• Trojan (probably) distributed through
PokerAgent: Details
• Zynga Poker stats
http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=
1:%_FACEBOOK_ID%&signed_request=%_SIGNATURE%&platform=1
PokerAgent: Details
• Credit card info
https://secure.facebook.com/settings?tab=payments§ion=methods
You have X payment methods saved.
PokerAgent: Details
• Phishing
• Tasks contained phishing URLs
PokerAgent: Additional details
PokerAgent: Modus Operandi
• Attacker’s motives:
• Harvest Facebook log on credentials
• Check Facebook accounts for Poker stats and Credit Card info
PokerAgent: Investigation
• Active botnet monitoring
• 800+ infected bots
• 16 194+ Facebook access credentials in database
• Cooperation with:
• Israeli CERT
• Israeli law enforcement
Thank you…
[email protected]
[email protected]
WeLiveSecurity.com
VirusRadar.com
Slide 11
The Facebook PokerAgent
Robert Lipovsky
[email protected]
O čom si povieme...
•
•
•
•
•
OnlineGames trojany
„Pokec Sniffer“
Ransomware
Android malware
Šedá zóna
• 1.11 Billion active users (March 2013)
• Malware use:
• Distribution vector
• Motive
Win32/Delf.QCZ
•
•
•
•
July 2011
Spread through Facebook & Vkontakte – improved social engineering
Removed AV in safe-mode
Backdoor, downloader
• Bitcoin mining, DDoS, malware distribution
Like-jacking through Malicious Browser Plug-ins
PokerAgent: Introduction
• Interesting binary:
• Zynga Poker
• “PokerAgent”
• MSIL/Agent.NKY
• Active: Q4/2011 - Q1/2012
• Most widespread: Israel
PokerAgent: Overview
• Botnet: bots performed tasks
• Extensive db of stolen Facebook credentials
• Zynga Poker Stats
• Linked Credit Card information
• FB account phishing
• Trojan (probably) distributed through
PokerAgent: Details
• Zynga Poker stats
http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=
1:%_FACEBOOK_ID%&signed_request=%_SIGNATURE%&platform=1
PokerAgent: Details
• Credit card info
https://secure.facebook.com/settings?tab=payments§ion=methods
You have X payment methods saved.
PokerAgent: Details
• Phishing
• Tasks contained phishing URLs
PokerAgent: Additional details
PokerAgent: Modus Operandi
• Attacker’s motives:
• Harvest Facebook log on credentials
• Check Facebook accounts for Poker stats and Credit Card info
PokerAgent: Investigation
• Active botnet monitoring
• 800+ infected bots
• 16 194+ Facebook access credentials in database
• Cooperation with:
• Israeli CERT
• Israeli law enforcement
Thank you…
[email protected]
[email protected]
WeLiveSecurity.com
VirusRadar.com
Slide 12
The Facebook PokerAgent
Robert Lipovsky
[email protected]
O čom si povieme...
•
•
•
•
•
OnlineGames trojany
„Pokec Sniffer“
Ransomware
Android malware
Šedá zóna
• 1.11 Billion active users (March 2013)
• Malware use:
• Distribution vector
• Motive
Win32/Delf.QCZ
•
•
•
•
July 2011
Spread through Facebook & Vkontakte – improved social engineering
Removed AV in safe-mode
Backdoor, downloader
• Bitcoin mining, DDoS, malware distribution
Like-jacking through Malicious Browser Plug-ins
PokerAgent: Introduction
• Interesting binary:
• Zynga Poker
• “PokerAgent”
• MSIL/Agent.NKY
• Active: Q4/2011 - Q1/2012
• Most widespread: Israel
PokerAgent: Overview
• Botnet: bots performed tasks
• Extensive db of stolen Facebook credentials
• Zynga Poker Stats
• Linked Credit Card information
• FB account phishing
• Trojan (probably) distributed through
PokerAgent: Details
• Zynga Poker stats
http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=
1:%_FACEBOOK_ID%&signed_request=%_SIGNATURE%&platform=1
PokerAgent: Details
• Credit card info
https://secure.facebook.com/settings?tab=payments§ion=methods
You have X payment methods saved.
PokerAgent: Details
• Phishing
• Tasks contained phishing URLs
PokerAgent: Additional details
PokerAgent: Modus Operandi
• Attacker’s motives:
• Harvest Facebook log on credentials
• Check Facebook accounts for Poker stats and Credit Card info
PokerAgent: Investigation
• Active botnet monitoring
• 800+ infected bots
• 16 194+ Facebook access credentials in database
• Cooperation with:
• Israeli CERT
• Israeli law enforcement
Thank you…
[email protected]
[email protected]
WeLiveSecurity.com
VirusRadar.com
Slide 13
The Facebook PokerAgent
Robert Lipovsky
[email protected]
O čom si povieme...
•
•
•
•
•
OnlineGames trojany
„Pokec Sniffer“
Ransomware
Android malware
Šedá zóna
• 1.11 Billion active users (March 2013)
• Malware use:
• Distribution vector
• Motive
Win32/Delf.QCZ
•
•
•
•
July 2011
Spread through Facebook & Vkontakte – improved social engineering
Removed AV in safe-mode
Backdoor, downloader
• Bitcoin mining, DDoS, malware distribution
Like-jacking through Malicious Browser Plug-ins
PokerAgent: Introduction
• Interesting binary:
• Zynga Poker
• “PokerAgent”
• MSIL/Agent.NKY
• Active: Q4/2011 - Q1/2012
• Most widespread: Israel
PokerAgent: Overview
• Botnet: bots performed tasks
• Extensive db of stolen Facebook credentials
• Zynga Poker Stats
• Linked Credit Card information
• FB account phishing
• Trojan (probably) distributed through
PokerAgent: Details
• Zynga Poker stats
http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=
1:%_FACEBOOK_ID%&signed_request=%_SIGNATURE%&platform=1
PokerAgent: Details
• Credit card info
https://secure.facebook.com/settings?tab=payments§ion=methods
You have X payment methods saved.
PokerAgent: Details
• Phishing
• Tasks contained phishing URLs
PokerAgent: Additional details
PokerAgent: Modus Operandi
• Attacker’s motives:
• Harvest Facebook log on credentials
• Check Facebook accounts for Poker stats and Credit Card info
PokerAgent: Investigation
• Active botnet monitoring
• 800+ infected bots
• 16 194+ Facebook access credentials in database
• Cooperation with:
• Israeli CERT
• Israeli law enforcement
Thank you…
[email protected]
[email protected]
WeLiveSecurity.com
VirusRadar.com
Slide 14
The Facebook PokerAgent
Robert Lipovsky
[email protected]
O čom si povieme...
•
•
•
•
•
OnlineGames trojany
„Pokec Sniffer“
Ransomware
Android malware
Šedá zóna
• 1.11 Billion active users (March 2013)
• Malware use:
• Distribution vector
• Motive
Win32/Delf.QCZ
•
•
•
•
July 2011
Spread through Facebook & Vkontakte – improved social engineering
Removed AV in safe-mode
Backdoor, downloader
• Bitcoin mining, DDoS, malware distribution
Like-jacking through Malicious Browser Plug-ins
PokerAgent: Introduction
• Interesting binary:
• Zynga Poker
• “PokerAgent”
• MSIL/Agent.NKY
• Active: Q4/2011 - Q1/2012
• Most widespread: Israel
PokerAgent: Overview
• Botnet: bots performed tasks
• Extensive db of stolen Facebook credentials
• Zynga Poker Stats
• Linked Credit Card information
• FB account phishing
• Trojan (probably) distributed through
PokerAgent: Details
• Zynga Poker stats
http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=
1:%_FACEBOOK_ID%&signed_request=%_SIGNATURE%&platform=1
PokerAgent: Details
• Credit card info
https://secure.facebook.com/settings?tab=payments§ion=methods
You have X payment methods saved.
PokerAgent: Details
• Phishing
• Tasks contained phishing URLs
PokerAgent: Additional details
PokerAgent: Modus Operandi
• Attacker’s motives:
• Harvest Facebook log on credentials
• Check Facebook accounts for Poker stats and Credit Card info
PokerAgent: Investigation
• Active botnet monitoring
• 800+ infected bots
• 16 194+ Facebook access credentials in database
• Cooperation with:
• Israeli CERT
• Israeli law enforcement
Thank you…
[email protected]
[email protected]
WeLiveSecurity.com
VirusRadar.com