
Card Fraud Scheme Targets Facebook Users

Eva Norlyk Smith Ph.D.

February 7, 2013

Facebook users may want to think twice before storing any sensitive personal or credit card information on Facebook-linked apps.

A recently publicized scam shows that, even if hackers can't steal stored credit card information directly from Facebook, they can use Facebook to vet potential victims — and attack later.

How the scam works
The scam was discovered and tracked over 2012 by IT security company ESET, which published its findings in January 2013. It does not involve criminals stealing credit card account information stored by Facebook. Instead, it's akin to a burglar casing your home to learn your habits and peering in your windows to see what you have to steal.

In the scam, hackers set up a botnet of more than 800 computers infected with a social engineering Trojan horse. Also referred to as the “PokerAgent” botnet, the malware network managed to steal the Facebook login credentials of more than 16,000 users. The malware specifically targeted Facebook users playing Zynga Poker, one of the most popular online poker sites in the world, which offers a specialized Texas HoldEm Poker App for Facebook users.

“It's the first time we've seen hackers exploit Facebook itself for spreading malware,” says Cameron Camp, a security researcher with ESET. “The botnet was cleverly designed to spread pieces of malicious code between Facebook users.”

One of the ways the malware harvested Facebook users' login credentials was to infect victims' Facebook profiles with links to a phishing site. The link lured the victims' friends to a false Facebook home page, where hackers harvested their login information when they logged in to see their friend's “shared” link.

Once the malware had harvested the Facebook credentials of users, it used them to log in and take a look at very specific information on the person relating to their Zynga poker activity. The goal? To target users with the most resources. Although the hackers couldn't get the actual full credit card numbers (Facebook displays only the last four digits), the details they could see were valuable in and of themselves.

“The malware harvests a complex combination of the victim's Zynga poker ranking, how many chips a person has and whether the person has any credit cards linked to his account,” Camp explains. “It's a way of finding victims that have something that might be worth stealing.”

Fraudsters could then either use the information gathered themselves, or more likely, bundle and sell it on the underground black market along with other stolen credit card data, says Camp. Either way, once the criminals had a hit list, they could later target those on it via email phishing and other techniques to get credit card numbers.

Protecting yourself
Should you be concerned? The PokerAgent Trojan horse targeted only users residing in Israel, and there have been no reports about U.S. activity. However, Camp warns that the malware is able to choose targets very precisely and, presumably, could just as easily be rolled out in any number of other geographic locations.

Facebook has already taken measures to prevent future attacks. Still, Camp recommends that if you use Facebook apps requiring payment, you never store credit card information in your Facebook settings. Instead, enter the payment information each time you purchase something.

In addition, when entering your login credentials on Facebook, always check the URL to make sure you're on the right site. If users infected by the PokerAgent malware had checked the URL before logging in, they would have quickly recognized that they were on a scam site rather than Facebook.

To further protect yourself against fraud, download the ESET Social Media Scanner, a free Facebook app, which will scan your user profile for the presence of phishing links and also detect malicious links that might be present on the timelines of your Facebook friends.