PokerStars and Full Tilt Poker users cheated by malware — Eset

17 Sep 2015

A novel piece of malware called Odlanor has been discovered that allows cybercriminals to view users’ cards on online poker sites, making it far easier to pocket the winnings.

Specifically targeting PokerStars and Full Tilt Poker – two of the most popular poker sites around – Odlanor is an interesting way of cheating people out of money online.

It works incredibly simply, installing malware onto computers when users download some other, useful application from illegitimate sources.

Benign installers

It “masquerades as benign installers”, according to Eset, the company that discovered the malware, with general purpose tools like Daemon Tools or mTorrent perfect proxies.

“In other cases, it was loaded onto the victim’s system through various poker-related programs – poker player databases, poker calculators, and so on – such as Tournament Shark, Poker Calculator Pro, Smart Buddy, Poker Office, and others,” said the company.

It then takes screenshots of what the user is seeing, sending them on to the perpetrator, who tries to join the table that the victim is on.

This is actually made all the easier as the screenshots show everything, the revealed cards and the player’s username (which is searchable). Once they’ve managed to join, it ends in tears for the unsuspecting victim.

Real-time poker cheating

“This happens in real time,” explained Urban Schrott, an IT security analyst at Eset.

“It’s quite a benign trick,” he said of a rather basic way to see what you see, thus revealing cards, “but I guess that’s all that really matters in poker.”

ESET discovered Odlanor in various versions since March this year, with the largest number of detections coming from Russia and Ukraine.

However, it could well be affecting countries in other parts of the world, with ESET’s exposure to the malware greatest in the east as that’s where most of the company’s customers live.

“Online gaming is getting bigger, with live opponents something that is really growing,” warned Schrott, with exposures like this something that most of the public are unlikely to spot.

Hard to spot

Indeed, it takes quite the poker player to spot that someone is rigging the game and, considering the popularity of PokerStars and Full Tilt Poker, there are far more poor players out there then there are high-quality ones.

Somewhat more worrying, though, is that newer versions of the malware have general-purpose data-stealing functionality added.

This is through running a version of NirSoft WebBrowserPassView, embedded in the Oldanor trojan. The company detected the tool (Win32/PSWTool.WebBrowserPassView.B), which it said is a legitimate, “albeit potentially unsafe application, capable of extracting passwords from various web browsers”.

Main image via Shutterstock

Gordon Hunt was a journalist with Silicon Republic