W32.Gammima.AG, an infostealer best known for targeting massively multiplayer online role-playing games, is now also going after a game on Facebook. This is the first time we have encountered the malware going after an app on Facebook.
This particular malware doesn't just target any Facebook user. It’s only interested in collecting login credentials from those who use the Perfect Poker app, which is a game that allows you to play online poker with other Facebook users. The addition of Perfect Poker to the list of games targeted by W32.Gammima.AG appears to have taken place around December 2010.
Like other variants of W32.Gammima.AG, which attempt to gather login credentials and steal online coins from the accounts in order to profit, the variant targeting Perfect Poker has the same goal. The attacker likely uses the accounts he or she compromises to dump chips (deliberately lose a hand in order to transfer chips to another player) to predetermined accounts that he or she maintains on the game site. The attacker may also make chip transfers outside of the site, since chips can easily be bought or sold on forums, auction sites, and third-party online shops that specialize in online poker chips. It should be noted that the developers of Perfect Poker do not permit chip-dumping, and they ask users to refrain from making transfers to others.
Malware attempting to steal login credentials isn't new; however, it is interesting to see online monetary assets being targeted on a social network. This may be the start of a new trend. As always, keep your virus definitions up to date in order to avoid being hustled in this way.
Thanks go out to Kaoru Hayashi and Masaki Suenaga for their contributions to the analysis.