140

Believe me, I never expected to ever write a title like that on a Stack Exchange site either!

Yesterday evening I got a call from my mother. She is quite tech savvy and generally knows her way around spam and viruses. However, yesterday she was startled: she got an email from Facebook thanking her for her purchase of 40 dollars worth of poker chips in the Facebook game TexasHoldEm. She was ultimately sure she had never made a purchase like that, but she was worried she had lost money one way or another.

The email seemed genuine. Logo, text, sender, and links all pointed to genuine Facebook resources. I decided to take a look and followed the link to the 'receipt'. A payment overview at Facebook.com opened and everything was documented as the email had stated: her account had acquired 40 dollars worth of poker chips in the app (game) TexasHoldEm. Surprisingly, though, those chips were paid with a PayPal account registered to an email address we have never heard of:

givenName.LastNameNumber@web.de

This is odd for two reasons: we live in Belgium, but have no relation, friends, family or otherwise, in Germany. Second, we know no one by that name either.

At first I thought it may have been an error on that person's side, or that it is simply possible to 'donate' chips to someone else's Facebook account. But this would allow app developers to spam people who had never used their app with free gifts, so this seemed unlikely.

I then checked her account's recent activity, more specifically the 'recent sessions' tab. To my surprise there was indeed an active session in Düsseldorf, Germany. In a panic, I immediately ended that session. Unfortunately that also hid the information about that session. For me this meant only one thing: her account must have been hacked, as she hasn't been to Germany and there is no way there could be an active - poker-playing - Facebook instance there.

In light of this, I urged her to immediately change her password. After that, Facebook seems smart enough to know you made the change because you thought something was wrong: it proposed to go through her recent app activity and posts and possibly delete strange behaviour. Indeed, the app TexasHoldEm had been used, and there had been four posts (of the app on her behalf) that she had been playing the game - going back one whole week.

As a conclusion I would think that someone hacked my mother's account, played poker on it and paid for chips him/herself and ... That's it. Maybe I am getting old, but isn't this weird behaviour?

Why would a hacker do this: hack someone's account, buy poker chips with their own PayPal account, and play the game? And how can I better protect myself against such 'attacks'?

The poker chips were for Zynga's Poker game on Facebook. As has been mentioned in the comments, you cannot withdraw won money from this game. This is valuable - and intriguing - information which makes understanding the hacker's motives even harder.

Bram Vanroy

  • [25] "Düsseldorf" in the same sentence as "Belgium" and "money" very much sounds like "Moroccan terrorists laundering money". Even more so with the strange "playing poker and giving money" stuff. Talk with police, just to be sure it doesn't fall back onto you. – Damon Apr 14 '16 at 11:06
  • [39] For me, the most obvious solution is that they were using your mother's account as a money mule for a stolen paypal account. At some point, they'd "lose" that money to another player who's almost certainly the hacker. The trick would be proving who the baddie is when she's lost ten lots of $40 to 20 players, 19 of whom are real people who were uninvolved in the hack. – Richard Apr 14 '16 at 15:12
  • [2] @Fiksdal - Given that the OP has clarified that this is an online game and not a poker site, it invalidates my comment. There's no money *changing hands* so the most likely explanation becomes that it's either a way of testing cards (to see whether they're active) or some kind of elaborate hoax to allow the fraudster to beat their friends at poker. – Richard Apr 15 '16 at 10:54
  • [5] You seem to have started from the assumption that the Paypal account is the hacker's real/legitimate account, however I see no basis for that assumption. It seems at least as plausible that the Paypal account was _also_ hacked/hijacked, and by directing funds into your mother's hacked Facebook account the hacker has created a bit of a smokescreen. If their goal is to maliciously deplete funds from the victim's Paypal account (due to a personal grudge, for instance), that could be all the reason they need to drop $40 into your mother's Facebook account. – aroth Apr 19 '16 at 01:51
  • @aroth Quite the hassle though, to have revenge on someone: hack someone else's account and then drop values in it? – Bram Vanroy Apr 19 '16 at 05:38
  • [1] @BramVanroy - Perhaps, but people can be quite petty. Particularly if you're dealing more with an angsty script-kiddie than a full-fledged hacker. Or it could be a sign of paranoia, as the more money is spread around to innocent accounts, the harder it is to track the hacker down even if they also funnel some funds into a destination that they actually have access to. But it's all speculation. Have you tried contacting the address on the Paypal account? – aroth Apr 19 '16 at 06:21
  • The hacker was seeing if the hack works or not. That's my short-best answer. –  Apr 19 '16 at 10:00

7 Answers

170

I interpret your question as:

What's the motivation for someone to use an alien Facebook account to play poker and stock it with chips?

It's not that strange if you think about it this way:

As poker is a game where knowledge about the dealt cards gives you a significant edge in the game, you'd like to use sock puppets at a table to know more about the card distribution.

Thus, using sock puppets that are valid, active - real - Facebook accounts is the only way to gather more information without being spotted easily by heuristics.

Düsseldorf is where one of the big data centers in Germany is located, so there is a good chance that session was held by a bot on a server, not a real person.

Using two or three such bots on a table that are connected gives them a significant statistical edge to beat the other - real - players.

This (collusion) is probably illegal in most poker games and thus real accounts are used to make detection hard. Also, that's probably not the attacker's real name, their mail address and/or PayPal account.

It is probably the account of another victim of identity theft.

In the light of the other answer, I assume that Facebook handles the legal things when you marked the activities as fraudulent.


Update for modified question:

As there seems to be no real money gains involved in this poker game instance, there is another valid reason to use your mom's account:

Because it offers anonymity. If the stolen PayPal account owner tracks the usage down, it'll be your mom as a suspect, not the actual hacker.

Using real, alien Facebook accounts offers another layer of protection with respect to law enforcement.


There still remains the question of how the account was taken over. There are questions here that might answer that.

If your mom does reuse passwords, you might educate her about the implications and urge her to change all passwords and use different, strong ones for all accounts.

This would be a good time to introduce her to the famous xkcd about diceware and/or a password manager, as David suggested in the comments.

Also, as S.L. Barth suggests in the comments, using two-factor authentication wherever possible is a good call in any case.

Peter Mortensen
Tobi Nary

  • [12] If this is the Zynga Facebook poker I am familiar with, the money won/lost is not real. You can buy play money chips with real money, closer to buying things in Farmville or Clash of Clans than actual poker, but there's nothing to be won in the actual game or any way to withdraw the money. – bd33 Apr 14 '16 at 19:15
  • Ahhh, so it is. – Nathan Cooper Apr 15 '16 at 12:01
  • [3] @bd33: If I was a hacker with the brilliant idea how to win at poker, I might try my idea out on Facebook poker where it doesn't cost me money if I get it wrong. I'd practice for a week or two for free before risking real money. – gnasher729 Apr 16 '16 at 16:27
  • @bd33 http://blog.games.com/2012/07/30/zynga-online-gambling-2013/ seems to indicate they do offer real gambling which explains the 40 dollars in the context of this answer. Given the real gambling I do want to note to the OP that in some countries online gambling is only legal by certified casinos and I believe that is the case for Belgium. – Selenog Apr 18 '16 at 14:08
  • Why didn't the hacker prevent the mom from accessing the real account (by changing the password, recovery phone + email address, etc.) so she couldn't lock the hacker out? – genealogyxie Jun 21 '16 at 02:35
  • [1] Because that would indicate something is wrong to the legitimate user, @genealogyxie. Keeping the compromise undetected is often desirable. – Tobi Nary Jun 21 '16 at 04:53
  • @SmokeDispenser then why didn't the hacker disable email notifications for Zynga Poker? – genealogyxie Jun 21 '16 at 05:55
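The answer above recommends unique, strong passwords, a diceware-style passphrase and a password manager. As an added example (not code from the thread or from any of the posters), here is a small Python script that makes that advice concrete: it generates a diceware-style passphrase with the OS CSPRNG, computes the entropy of a passphrase versus a random character password so the two can be compared, and runs a password-manager style reuse audit. The `WORDS` list is a constructed stand-in; a real diceware list such as the EFF long list has 7,776 words, which is what `DICEWARE_LIST_SIZE` assumes.

```python
# Added example, not from the Stack Exchange thread: a diceware-style
# passphrase generator with entropy estimates and a password reuse audit.
# WORDS is a small constructed stand-in; a real diceware list has 7,776
# words (six-sided dice rolled five times), hence DICEWARE_LIST_SIZE.
import math
import secrets
from collections import defaultdict

DICEWARE_LIST_SIZE = 7776  # 6^5: five dice rolls select one word

# Constructed sample word list (stand-in for a real diceware list).
WORDS = [
    "anchor", "basket", "cobalt", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pepper",
]


def passphrase_entropy_bits(word_count: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of `word_count` words drawn uniformly and independently from `list_size` words."""
    return word_count * math.log2(list_size)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols over `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest word count whose passphrase entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(word_count: int = 6, words=WORDS, separator: str = " ") -> str:
    """Draw words with the OS CSPRNG (secrets); the `random` module is not suitable here."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


def find_reused_passwords(credentials: dict) -> dict:
    """Password-manager style reuse audit.

    `credentials` is {account: password}, as a password manager already holds
    it in memory. Returns {password: [accounts]} for every password that is
    used by more than one account; an empty dict means no reuse was found.
    """
    by_password = defaultdict(list)
    for account, password in credentials.items():
        by_password[password].append(account)
    return {pw: sorted(accts) for pw, accts in by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    print(f"6 diceware words: {passphrase_entropy_bits(6):.1f} bits")
    print(f"8 random chars from 72 symbols: {password_entropy_bits(8, 72):.1f} bits")
    print("words needed for >= 80 bits:", words_needed(80))
    print("sample passphrase (toy list):", generate_passphrase())
    print("reused:", find_reused_passwords({"facebook": "hunter2", "webmail": "hunter2", "bank": "x9!Q"}))
```

Six words from a full 7,776-word list give about 77.5 bits, more than an 8-character random password over a 72-symbol alphabet (about 49.4 bits); the toy list here yields only 4 bits per word, so real use needs the full list. The reuse audit is the check that matters for the account-takeover case in this thread: one password shared between Facebook and any site that has been breached is enough.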
64

To me it seems as if someone is committing fraud from your account.

They load your FB with money (from a stolen credit card). Lose at poker so the money goes to another FB account. Withdraw that with an anonymous prepaid credit card. There are lots of different ways of doing carding (fraud).

I'd contact FB and maybe the police as you might get a loud knock on the door due to fraud being done from your FB account.

Tobi Nary
k1308517

  • [39] +1 this is a technique for money laundering "where did you get so much money ?" "I won it at online poker, you can check" (of course, other players were purposely losing) – Offirmo Apr 14 '16 at 10:03
  • [2] @Offirmo True aside from fraud it could be someone trying to disguise where their drug money came from, but this seems too complicated for a street banger, and not advanced enough for a professional (especially when using Bitcoin casinos with exchange services to launder money is easier). So I stick to believing this is fraud. – k1308517 Apr 14 '16 at 13:39
  • [3] OP has said that this is Zynga poker. No real money changes hands – Richard Apr 15 '16 at 10:55
  • [8] @Richard Every online game economy, pretty much, has a way to get real money out of it - by collecting a lot of fake money and then selling it to other gamesplayers at a fraction of the 'official' cost for that fake money. – Joe Apr 15 '16 at 16:45
  • @Joe - Except that you can't monetise an account in this way (at least not easily) without it becoming immediately apparent to the buyer that they've bought a stolen FB account. The point of gold-farming is that you do it on a blank account, not one that's in regular use. – Richard Apr 15 '16 at 17:19
  • @Richard In a poker game, you don't need to exchange the account itself. You can simply play a no limit hand, bet a huge amount, and then fold. (Note: I'm not suggesting doing this, or intending to offer advice as to how to cheat at games. Don't do it!) – Joe Apr 15 '16 at 17:20
  • @Joe - Indeed, but how do you get the money back out? With Zynga Poker, the answer is that you can't. You're not buying money, you're buying in-game money that can't be exchanged back again. – Richard Apr 15 '16 at 17:37
  • [6] @Richard The person 'buying' money from you sends you a check or paypals you money, in exchange for the in-game money you gifted to them. This happens all the time in games like this (against TOS, of course). – Joe Apr 15 '16 at 17:38
  • @Joe In theory this could work if there's a vibrant secondary market for in-game money, but the transaction costs would be astronomical. I don't know anything about Zynga Poker, but I'll call its currency ZyngaDollars (Z$). You pay US$40 for Z$40 using your victim's account, and donk off that Z$40 in poker to your confederate's account. Now they have Z$40 that they can't cash out. Surely no one's going to offer US$40, or even US$39.90, to get ZyngaDollars from some shady character when they could just buy them directly from Zynga, right? – CynicallyNaive Apr 17 '16 at 05:11
  • Never mind that, although many poker sites sell play money currency for real money and do have a secondary black market, I'm dubious that this secondary market could really be big enough to make this worth the effort to set up. How many people are willing to pay real money to play Zynga Poker? Unlike Farmville, they can go to dozens more play money poker sites if they've run out of play money chips. – CynicallyNaive Apr 17 '16 at 05:15
  • [3] @CynicallyNaive You're clearly not naive enough :) It doesn't take all that many people from a ratio perspective - if millions of people play the game, and a few thousand pay real money to these people, that's enough. I play some FTP games where I'm shocked that they offer things for $100 or more - and then find out that's because a fair number of people actually buy them. – Joe Apr 18 '16 at 04:04
  • @Joe - I remember trying an FTP strategy game, basically a Starcraft clone, a few years back. It had a random lottery that you could hit once per hour or pay like $1 for 5 chances at. It announced the names of players who had won the big prizes in it (the forums estimated you had less than a 1/10,000 chance of getting any such prize) on chat. When they launched a new server, I moved my account to it. Over the first few weeks, I watched as player after player hit those jackpots about 10 times each -- these players must have spent >> $1000s each on that game over a handful of weeks. – Jules Apr 19 '16 at 05:28
33

OP has clarified that this is Zynga Poker, in which no real money changes hands.

That being the case, the most likely reason for a fraudster to put money into your mother's account is that this scamp has acquired/purchased a block of PayPal account details and is systematically testing them to see if they work by hacking into Facebook accounts and using those as mules to test whether the PayPal accounts have been frozen.

By verifying these accounts, he can gain a dramatic return on his investment. A thousand untested PayPal accounts culled from a 'data dump' might retail for just a few dollars, whereas a block of ten "proven active" PayPal accounts will sell for as much as $10-15 apiece, or even more if the account contains money. Assuming he's logging in from a relatively secure location (such as an internet café), his chances of being captured range from slim to none.

Richard

  • [3] Maybe a silly question, but what is the value of *proven active* PayPal accounts? Why would someone pay money for an account, if you can create an account yourself for free? – Bram Vanroy Apr 15 '16 at 13:22
  • [4] @BramVanroy - The hardest part of money laundering is turning electronic cash into something you can actually access before the authorities can seize it (or worse, track you down). Criminals love paypal accounts because you can pay money into them from stolen credit cards, then use that money to buy goods or forward that money to onward accounts. Do that enough times and you buy yourself time to access that money (through cash-machines or by posting saleable items to post-office boxes) and you can make a decent living. – Richard Apr 15 '16 at 13:32
  • [4] @BramVanroy - It's also worth mentioning that if someone has linked their credit card (or worse, their business accounts) to a paypal account, the thief may be able to siphon off hundreds or even thousands out of their account before they ever notice something is amiss. – Richard Apr 15 '16 at 13:33
8

It's also entirely possible that the entire thing is a confidence scam. In this type of scam, someone gives you some money to let people engage in high-risk behavior (e.g. gambling), and the victim plays increasingly high-risk bets until, at some point, the other players at the victim's table (in reality, an assistant or bot ('shills'?) of the con artist) run the table, taking all of the original money back plus some amount of the victim's own in the process. Usually, this type of scam will go on until the victim finally runs out of money or they decide to quit (usually after they've lost far too much money).

phyrfox
1

The first answer that pops into my head is money laundering. The hacker would just transfer the cash to their Facebook account by playing extremely badly. I think the reason why the 3rd party account needed to be hacked is Germany's gambling legislation. As far as I know, Germany has strict gambling regulations. It's probably forbidden by law to play particularly at Zynga (having no licence), so they needed an account outside Germany to do that. And why would they need to choose exactly Zynga? They thought it would be unnoticeable, because no one actually uses Facebook for gambling. The other factor is that Zynga is the only poker game that has its own contract with PayPal. PayPal usually doesn't allow anyone to use their API for gambling websites - and they needed the money exactly in PayPal, because an unverified account is not linked to an identity, and they could easily process the money, either buy bitcoins and continue laundering, or just go shopping on various webshops.

Rápli András

  • Zynga poker seems to be without chances for winning actual money from the game. Hence, it does not fall under the regulations of gambling in Germany and is free to play. – Tobi Nary Apr 17 '16 at 19:02
1

So, someone bought a hacked Facebook account, set up a custom fake PayPal account in the name of the hacked account, gave the hacked account poker chips, and posted ads about their game to Facebook as that account.

I see two possible reasons to do this.

1) On the face of it, the only entity which benefits from this is Zynga, which gets advertising, and if the victim uses the poker chips and gets hooked, possibly gets another player. It also loses nothing by buying chips from itself.

In the games industry, Zynga is typically rated as close to the bottom of the morality/sleaze scale.

However, there are obviously cheaper, easier ways to achieve this goal, such as just giving random people poker chips in an email blast, or a banner ad. So, I really don't think it's reasonable to try to pin this one on Zynga.

2) That suggests there's another cash flow that we're not taking into account in the first scenario. This suggests "gold farmers". The same people you see saying "Buy WoW gold!" - if there is a market for "twinking" (aka power-leveling, or rapidly leveling up) players, then it makes sense to have a stable of hacked "mules" to automatically play and lose against those players.

One strange part of it, in this scenario, is that you'd expect the hacking to be as subtle as possible, so posting ads about the game to Facebook is a risk I'd not have expected them to take. But the game may give free chips for doing so, in which case it is likely worth the extra risk of discovery.

Another strange thing is that the game is apparently trivially hackable. You can hack yourself extra credits and suchlike. Why not do that, rather than buy them?

Dewi Morgan
0

So let me answer this in two ways: by addressing the part of the situation that your attention is on (understandably; it's an amusing/interesting little scenario) and then addressing the part of the situation where your/our attention probably should be.

What do I mean by that? Well, what I mean by that is that there are not one but at least two questions here for someone to explore:

1. Why did that hacker do what he or she did with your mom's Facebook account, that (almost certainly stolen) PayPal account, and the playmoney poker game?

2. How did the hacker get your mom's password to begin with?

On the first question, I have to agree with what others have well said in their answers: there's a good chance it's somebody testing out PayPal accounts to see if they will work or not. Other than that, let me offer a total guess that perhaps someone simply wanted more chips to play with on Zynga poker on Facebook. That sounds like it's almost too absurd a possible motive to lead anybody to break what is almost certainly a plethora of anti-hacking and anti-financial-fraud laws in place across multiple countries. But, well, cyber criminals tend to be like traditional criminals: a few of them are reliably skillful, disciplined, and careful, but many more are often sloppy, impulsive, and overconfident (Of course, a devil's advocate might argue the same is true about a significant minority of security professionals. But that gets us off down a different track.) I find it totally plausible that this could be a case where a brash attacker like that simply came across your mother's Facebook login credentials, someone else's PayPal account credentials, and decided they wanted some more chips in Zynga poker.

So, in short, the person either wanted to test the activity of a stolen PayPal account, or wanted to get more chips to play with in the poker app without paying $40.

But now we move on to the much more immediately important issue. There are basically three easy ways a bad guy gets someone's password for a prominent web service:

-- He/she finds a set of credentials that have already been exposed by the compromise and dump of another site's password database on the Darknet and tries the same set across many popular internet services. If the user reused the user id and password anywhere else... well, that's why the first rule of choosing a decent password is making it a unique password.

-- He/she got the password from a phishing scam, where the user thinks they are entering their login info into what looks like the actual Facebook login page but is really a very convincing copy at a slightly different URL.

-- He/she manages to get malware installed on a victim's PC that records the victim's password--and quite possibly every password the victim types in--and sends them back to the bad guy.

(On the issue of password database compromises, an attacker can either (a) have simply found a resource on the Darknet where account credentials are sometimes publicly released for all the world to see -- and have stumbled upon some of those known compromised accounts that still happened to work, or (b) more likely the attacker came across the info for those accounts in lists of credentials that he'd or she'd already purchased access to for other, more nefarious purposes. As I intimated above, doing either of those things would be poor op sec/tradecraft on an attacker's part, in my opinion. But a great many hackers make such errors frequently without ever being held to account for them.)

Now, if your mom's password got grabbed by either of those first two methods she would be wise to read some pointers on the selection & management of strong, unique passwords, bone up a little on the basics of what phishing is, and enable two-factor authentication for all the accounts she can. Your basic user security knowledge touch-up that +95 percent of general computer users can benefit from.

If, on the other hand, one of your mom's PCs, her smartphone, or some other device is infected with password-stealing malware, well.......

And since you don't know how the attacker got your mom's password, the prudent, "responsible" thing to do is, of course, to assume that one of her computers (at least one) is infected with malware and act based on that assumption. And since your mom, though at least a little tech savvy, still probably doesn't have enough of a tech comfort level to feel okay about nuking her OS installs from orbit, you, OP, could well find yourself playing a long-distance tech support role.

Ah, the joys of being your family's internal anti-malware tech support. Who doesn't look forward to that? :)

mostlyinformed
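The answer above lists leaked-credential reuse as the first way an account like this gets taken over, and the question itself found the compromise through an unexpected session location. As an added example (not code from the thread or from any of the posters), here is Python detection logic a service operator or log reviewer could run over authentication records for both signals: a source IP trying many distinct accounts in a short window (the pattern credential stuffing leaves behind), a successful login from a country outside the user's known baseline, and the correlation of the two. The `timestamp user source_ip country result` log format, the thresholds, the baseline and the log lines are all constructed assumptions; the IP addresses come from documentation ranges.

```python
# Added example, not from the thread: detection logic for credential stuffing
# and for logins from an unexpected country, run over a constructed login log.
# Log format, thresholds, baseline and sample lines are assumptions made for
# illustration; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges, not real hosts.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp user source_ip country result".
SAMPLE_LOG = """\
2016-04-13T08:01:00 mom 192.0.2.10 BE success
2016-04-13T09:14:00 alice 203.0.113.7 NL failure
2016-04-13T09:14:02 bob 203.0.113.7 NL failure
2016-04-13T09:14:04 carol 203.0.113.7 NL failure
2016-04-13T09:14:06 dave 203.0.113.7 NL failure
2016-04-13T09:14:08 mom 203.0.113.7 NL success
2016-04-13T21:30:00 mom 198.51.100.23 DE success
2016-04-14T07:45:00 mom 192.0.2.10 BE success
"""

# Constructed baseline: countries each user has logged in from before.
KNOWN_COUNTRIES = {"mom": {"BE"}}


def parse_log(text: str) -> list:
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "country": country, "result": result})
    return events


def detect_credential_stuffing(events, min_distinct_users=4, window=timedelta(minutes=5)) -> dict:
    """Flag source IPs that attempt logins for many distinct accounts inside `window`.

    A leaked username/password list replayed against a site shows up as one
    source cycling through accounts; successes are counted as well as failures.
    Returns {ip: sorted list of attempted users} for each flagged IP.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # slide a window starting at each attempt
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_distinct_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def detect_new_country_logins(events, baseline: dict) -> list:
    """Flag successful logins from a country not in the user's known baseline.

    This is the automated form of the 'recent sessions' check in the question:
    a Belgian user with a live session in Germany. Returns
    (user, country, ip, timestamp) tuples in log order.
    """
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        if e["country"] not in baseline.get(e["user"], set()):
            alerts.append((e["user"], e["country"], e["ip"], e["ts"].isoformat()))
    return alerts


def compromised_accounts(events, stuffing_ips) -> list:
    """Accounts with a successful login from an IP flagged for stuffing: the
    credential pair worked, so these are the accounts to force a reset on."""
    return sorted({e["user"] for e in events
                   if e["result"] == "success" and e["ip"] in stuffing_ips})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    stuffing = detect_credential_stuffing(evs)
    print("stuffing sources:", stuffing)
    print("logins outside baseline:", detect_new_country_logins(evs, KNOWN_COUNTRIES))
    print("accounts to reset:", compromised_accounts(evs, stuffing))
```

On the sample log the single source 203.0.113.7 tries five accounts in eight seconds and gets into `mom`, and `mom` then also has a success from DE that the baseline does not cover; the correlation step narrows the response to that one account. In practice the baseline would come from each user's login history and the thresholds would be tuned against normal traffic, but the two signals are the same ones a reviewer reads off the 'recent sessions' page by hand.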