US and European mainstream media are carrying reports on a malware scam that appears to target the largest online poker sites Pokerstars and Full Tilt.
The scam was spotted by San Diego-based security company Eset, where specialists advise that it impacts players with accounts at the two major poker providers.
The spyware has been dubbed Win32/Spy.Odlanor, and reportedly allows cybercriminals to view users’ cards on the online poker sites, making it possible to cheat players with infected computers.
The Silicon Republic reports that the malware masquerades as benign installers for various programs, such as Daemon Tools or µTorrent. In some cases security specialists found that the spyware was loaded onto the victim’s system through poker-related programs such as Tournament Shark, Poker Calculator Pro, Smart Buddy, Poker Office, and others.
Once installed, the Odlanor malware takes screenshots of the player’s activity, which are then sent to the attacker’s computer, revealing the hands and player ID of the victim. The poker sites’ operators allow players to search for specific player IDs, inadvertently making the attacker’s job easier.
Eset says it is unsure whether the perpetrator then plays the games manually or in some remotely automated way, but as of September 16 researchers have confirmed that ‘several hundred’ users’ computers have been infected.
“We have observed several versions of the malware in the wild, the earliest ones from March 2015,” said Robert Lipovsky, Senior Malware Researcher at Eset. “According to Eset LiveGrid telemetry, the largest number of detections comes from Eastern European countries – several of the victims were located in the Czech Republic, Poland and Hungary.”
Eset says that a growing cause for concern is that newer versions of the malware have had general-purpose data-stealing functionality added.
These versions run a copy of NirSoft WebBrowserPassView embedded in the Odlanor trojan. Eset detects the tool as Win32/PSWTool.WebBrowserPassView.B and describes it as a legitimate, “albeit potentially unsafe application, capable of extracting passwords from various web browsers”.