Online Poker Hole Card Compromise

In the past we have discussed what you can do to protect yourself while playing online poker.  This time I want to give you an example of why it is important to heed that advice.  I will outline a potential attack that malicious users could launch to attempt to view your hole cards while playing online poker.  Note this is not an attack against the poker software but rather directed at the users and their computers.  While the poker software may have vulnerabilities that could be exploited, it is often easier to attack the user.  Everything described in this article is not new and is well known to the information security professionals, but perhaps not so much to the online poker community. The attack described below targets a user by offering  him a malicious link that will then exploit a vulnerability on his system.

The primary tool that will be used in this attack is Dave Kennedy’s excellent Social Engineer Toolkit (SET).  It is an open-source Python-driven tool aimed at penetration testing in conjunction with Social Engineering.  SET also integrates with Metasploit, an open-source penetration testing framework.

Before moving on it is important to remember that the techniques described in this article could cause privacy violations depending on the jurisdiction where the system resides.  Attempt these activities only on systems for which you have obtained a written permission from the owner, or on systems that you control.

To demonstrate this attack we set up a test environment that included two computer systems.  First, we have the attacker’s system running Linux.

The attacker’s IP address is  We then have the victim’s system running Windows 7.  The victim’s IP address is

The first step in the attack is launching SET and configuring the malicious site that the user will be tricked into visiting.  We do this through the Social-Engineering Attacks option.

For this example, we will select the Java Applet Attack Method as shown in the figure below.  As I was writing this article, a 0-day (a vulnerability that has no known patch) Java exploit has been floating around the Internet.  While in this case we target a Java vulnerability, any vulnerability (weak password, missing patch) that can be exploited could be used to view the victim’s desktop and hole cards.

In the figure below we configure the attack, providing the attacker’s IP address and the site we want to clone.  In order to make this targeted toward a poker player, we select Two-Plus-Two (the site is just cloned, not attacked).

For the next step we select the payload.  In this example, we select a meterpreter reverse TCP connection payload that is encoded through ShellCodeExec to help with antivirus evasion.  The payload is what gets executed on the victim’s system.

SET then starts Metasploit, and in the figure below you can see the attacker’s IP address has started the payload handler and is waiting for a connection from the victim.

Now we need to get the victim to click on our malicious link.  In this example, we have simplified this task and the victim simply enters the attacker’s IP address into his browser.  In real life you would obfuscate the IP address to make it look like something inconspicuous; perhaps a message in a forum, a targeted email, or even a tweet.  The possibilities are endless and using phishing and social engineering techniques it is not difficult to get users to click on a link.

In the figure above the victim clicks on the link and what looks like Two-Plus-Two’s website appears, remember we cloned this site earlier.  A dialogue box then pops up asking the user if they want to run this “secure java applet”.  Of course a responsible and knowledgeable user will select “Cancel”. In this trap, however, clicking on either “Cancel” or “Run” will have the same result - it runs, and the attacker receives a connection from the victim as seen in the figure below.

Let’s go ahead and interact with this connection and show the IP address to verify that the attacker has access to the victims system.

As seen in the figure above the attacker now has access to the victim’s system.  The victim then starts playing in a poker tournament as shown in the figure below.  Once again, we are not attacking the site, but rather the user.

What is nice about having a meterpreter shell is that you can perform all types of post-exploitation magic.  We could dump the password file, escalate privileges, or pivot to another system on the network.  However, we are interested in seeing the victims hole cards and cheating him.  In the figure below we run screenspy which will take a screenshot of the victim’s desktop every 5 seconds and display it on the attacker’s system in their Firefox web browser.


Now the attacker can see the victim’s hole cards and play perfectly (victim is on the left and attacker on the right in the screenshot below).  The connection that is made from the victim to the attacker is on a standard TCP port and the meterpreter session is undetectable to most users and most antivirus.  Once exploited, the attacker could easily make this connection persistent so that even when the victim powers off and restarts the connection is re-established.

Since this attack is not very sophisticated, it can be executed by many users with a little practice.  In order to prevent attacks similar to this one follow the advice outlined in my previous posts on securing your computer.  In my opinion, this attack illustrates one of the major differences between playing poker online versus doing it in a traditional brick and mortar poker room.  While you still have to worry about angle shooting and cheating in traditional poker, you are not concerned about somebody “hacking” your system and viewing your cards.  Remember, do not click on random links and “Don’t gamble with security!”©