Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

[subanark]

While your suggestions are pretty good, your "live feed view" explanation seems taken from a movie/imagination. I can think of several other ways to make the user get an error message and give the exploiter (the man in the middle) access, and none of them involve fancy graphics and someone looking on "your" screen.

As said before, this is likely to be a "proof of consept", and I think more sofisticated attacks are yet to come.

Never used remote desktop eh? The hacker doesn't need 30 FPS, 5 will be more than enough. There are other easier ways to do a hack. The one I mentioned has the most hack detection potential.

I may be naive and full of stupidity, but why wont this work?

Client login communication is encrypted, and each user defines its own key. Unless the hacker knows this key, he cannot give the user the impression that something is wrong. Only Blizzard can give this message in a valid format to the client (with the encryption key defined by the user), and an invalid message will spot the attack...

I am sure there are tons of security holes here (since I am no security expert), but at first glance this seems like a secure way of mitigating MitM attacks?

Nope, sorry, can't do much against a hacker remotely controlling a hosts computer (or an invisible remote desktop of one).

[Craze]

I may be naive and full of stupidity, but why wont this work?

Client login communication is encrypted, and each user defines its own key. Unless the hacker knows this key, he cannot give the user the impression that something is wrong. Only Blizzard can give this message in a valid format to the client (with the encryption key defined by the user), and an invalid message will spot the attack...

I am sure there are tons of security holes here (since I am no security expert), but at first glance this seems like a secure way of mitigating MitM attacks?

What "own key" are you talking about?
A user with an authenticator already has 2 "own keys". 1 is his password and one is the random clock in the authenticator.
The way this hack works is that it just reads keystrokes in real time, changes the code you put in and send that to the server. In which case the server responds with an error telling you the code is wrong.

[Craze]

Never used remote desktop eh? The hacker doesn't need 30 FPS, 5 will be more than enough. There are other easier ways to do a hack. The one I mentioned has the most hack detection potential.
Nope, sorry, can't do much against a hacker remotely controlling a hosts computer (or an invisible remote desktop of one).

Why would you want a video feed tho?
There's no reason why you would need to do things from the victims IP.

[kvitso]

What "own key" are you talking about?
A user with an authenticator already has 2 "own keys". 1 is his password and one is the random clock in the authenticator.
The way this hack works is that it just reads keystrokes in real time, changes the code you put in and send that to the server. In which case the server responds with an error telling you the code is wrong.

The "own key" is a encryption key defined when the account in created... But of course (as indicated in my original post), the hacker don't have to bother about how the reply message is created or what it means, he can just log on with false credentials to get such a response generated (and re-send to the client)...

[Pumps]

I never considered keylogging a hack. I mean basically someone is downloading something bad onto there computer. Its not the the keylogger forced its way on there.

Yes it is. You can't expect everybody in the world to be computer experts. Often the malware exploit bugs and bad programming in the software people use.

[Craze]

The "own key" is a encryption key defined when the account in created... But of course (as indicated in my original post), the hacker don't have to bother about how the reply message is created or what it means, he can just log on with false credentials to get such a response generated (and re-send to the client)...

The biggest problem with security is just allowing everyone to login from anywhere on any machine.
If you want to make this more secure you'd need to make either of these things unique. Be it with a token on the machine the user is using or limiting the account to only connect from a certain IP.
Of course this would make things way to complicated.
Encryption wouldn't really help if the attacker can just read your keystrokes.

What blizzard could do is check if a succesful login occurs from a different IP right after a failed login. This would make things a whole lot more complicated.

[aethros]

yeah no system, not even authenticator, is entirely 100% dumbproof, but if you are not a fool, you should never get hacked even without the authenticator. 4 simple tricks

change your password often.
dont open emails, attachments from people you are unsure of.
dont go to websites you are unsure of.
dont download files you are unsure of.

when all those fail, best bet is to use a virus protection client and the authenticator.

[anyaka21]

Never been hacked in wow 4 years now
Dont use a authenticator
basic common sense will always keep you safe n secure

I'd say pretty much everyone says this....until they get hacked. As has been responded too, tons of software avail and on computers, java, flash, etc... have and probably will again have vulnerabilities that can and will be exploited.

An authenticator is just another level of protection.


Also add to those that say it's unlikely because of a small window of opportunity, and while true, and someone can correct me if I'm wrong here. They may not have to log into WoW, just log into battle.net, or your wow account and do damage that way and then be able to get control of your account. then you won't be able to log back in, but I could be wrong here.

[soapy]

Wolrdofraids has more info

http://www.worldofraids.com/topic/15...c524f70d937c61


this might be a lil cleche' but they have good info and mmo-champ does not right now.

[Ogychu]

Quick note:

Trojan != Virus

A trojan acts like normal software while allowing unauthorized access to a computer (hence the name Trojan Horse).

A virus is a self-replicating program that corrupts already present files.

A worm is self-sufficient, self-replicating malware.

[TobiasX]

yeah no system, not even authenticator, is entirely 100% dumbproof, but if you are not a fool, you should never get hacked even without the authenticator. 4 simple tricks

change your password often.
dont open emails, attachments from people you are unsure of.
dont go to websites you are unsure of.
dont download files you are unsure of.

when all those fail, best bet is to use a virus protection client and the authenticator.

You're very unlikely to be hacked, but you'll never be hackproof as long as you're connected to the internet and using the connection (so sending data to someone or getting data from someone). It's impossible.
No website is 100% safe.
No file is 100% safe.
No password is 100% safe.
No login details are 100% safe.
No antivirus is 100% safe.
No security measures are 100% safe besides unplugging your computer from the internet and never connecting it again.
All you can do is your best to protect yourself and accept that there is always a risk when using the internet.

*sigh*

Someone earlier also mentioned some security company that would be out of business if certain security measures weren't 100% reliable. I'd be very surprised if their licensing agreement (the thing you skip and click "I Accept" to) had a disclaimer saying that they were not 100% reliable. If they seriously didn't then somebody would've sued them into oblivion already.

[Ceromus]

That was a long 12 pages of text.

As people have already mentioned rest assured there is no way to be 100% safe from a virus. Currently google chrome is safest browser and firefox without security plugins is probably the most insecure. Just thought id throw that out there.

Anyway last I tested the keys do not die after 30 seconds. They last about 15minutes. You can generate a new key every 30 seconds and if you use a key then all keys created after it become invalid until you generate another key. Did that make sense?

Also I would not consider this as a man in the middle attack and I don't think most people would classify this as one either.

EDIT: Disregard my request for a copy of the virus. I found it.

[Olderonous]

10/10

fixed

[stupid11]

Simple solution: whenever Blizzard receives a failed login request to your authenticator account, it changes your authenticator number.

That way when the Trojan intercepts your login info and authenticator number, it's useless b/c Blizz trashed that number due to the failed login attempt sent from your computer.

[legendblack]

is to bad ... i play for 2 year and haket 1 time , now .. in PVP 2v2 or Icc10 disconect 389215876185826438721 time .... and save or lost point so ... ani questions !!! for what !!! .

[Bergenia]

Simple solution: whenever Blizzard receives a failed login request to your authenticator account, it changes your authenticator number.

That way when the Trojan intercepts your login info and authenticator number, it's useless b/c Blizz trashed that number due to the failed login attempt sent from your computer.

That's not how it works. Blizzard won't trash it because they never received your login and so it never failed on their end.

[Bluevomit]

I ran a search on my computer for "emcor" and it found three files. wbemcore.dll , wbemcore.lo_ & wbemcore (notepad file)

wondering if i should delete it, not sure tho because i dont wanna fuck up my computer and it isnt exactly "emcor.dll" what do you guys think?.

[Herecius]

I think it's hilarious that people will go to such extreme lengths to get past the authenticator with this method just to get into a WoW account... when banks use the same authenticator tech to protect vaults.

[stupid11]

That's not how it works. Blizzard won't trash it because they never received your login and so it never failed on their end.

The way Boub explained it, the trojan has to send a fake token code to blizz instead of the real one. They don't receive what you typed, but I was under the impression that they did receive SOMETHING.

If they don't, that seems detectable through Warden or something similar (if they still use Warden), because the WoW client itself would have to be hacked so as not to send out a login request.

[Masyws]

I am wildly offended by the use of "ass" in this announcement. Please keep in mind that this is a game for ages 12 and up. WHY WON'T ANYONE THINK OF THE CHILDREN?!

I lol'd

Quite a shame that they're givin away dk mounts ... But its a bit early to talk, better wait to see what u have to do to get it and what are the requisite

Simple solution: whenever Blizzard receives a failed login request to your authenticator account, it changes your authenticator number.

That way when the Trojan intercepts your login info and authenticator number, it's useless b/c Blizz trashed that number due to the failed login attempt sent from your computer.

That's not how it works. Blizzard won't trash it because they never received your login and so it never failed on their end.

Ez way to do this is allowing ur login page to send via another channel the info at blizzard that the person failed at login so blizz could authomaticly invalidate the number and disconnect the current session ...

No cookies for ninjas