  1. #141

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    Quote Originally Posted by Dojjan
    After all the "get an authenticator and your account will be safe" I've seen on the forums, I can only laugh and say it's well deserved.
    Greed and stupidity rule in WoW. You either get the virus from "free gold/lvling" emails, or from random people asking for ALL your account details.

    I had an email from PayPal 3 days ago telling me my account had been hacked and I needed to log in to change my details. As I had not used it in 5 years, it brought up flags. My girlfriend received an email telling her that her HSBC account had been hacked, and to fill in ALL her personal information (driver licence and passport numbers)... she isn't even with that bank.

    I delete EVERYTHING in my email that's not from my friends. If it's so bad, then they can send it to me via the post. I only deal with my bank in a BANK, and if I get threats to close my account, I just go in and take a copy of the email.

  2. #142

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    I believe this hack is created as a proof of concept thing and not really a way to obtain accounts simply because the window to use it is too small.

    Let's assume the hacker intercepts the authenticator code. Now he has 30 seconds to use it.
    Sure he can log in but what happens to the player?

    If he creates a new code and logs in the hacker will be booted because an account can't be active from 2 different instances of the game.
    After entering a new code 3-4 times he realizes something is wrong and goes to change his password. Even if he needs to click the "reset password" button it shouldn't take more than 5 minutes to get that setup and login (booting the other guy on the account).

    So from the moment the hacker gets the login details he has about 30 seconds (password doesn't get changed) to 5 minutes (player resets pass through email).
    So that's 5 minutes to find your main characters and the characters on which you have gold. If you're anything like me and have a ton of characters he'll spend a good deal of that time relogging. So overall, while he could get lucky and log your main with all your gold, I think it's safe to say that 5 minutes is not a whole lot of time and lots of things can mess it up. Making it overall not a profitable thing to do.

    Of course there's also the ppl that think something is wrong on Blizzard's end and go do something else and try to login later just to find their account has been emptied.

    So the main difference here is that the hacker has to be online at the same time as you. And because most of us play during peak hours he'll need quite a team to be able to keep up with all the stolen codes.

    Looking at things with this in mind I stand by what I said at the start of this post. Proof of concept hack but it won't be a huge problem because of too many random things.
    The only thing that I can see right now that would make authenticators useless would be a program that could break the algorithm after collecting a lot of code from a single user. But I highly doubt we'll ever see this.


  3. #143
    Ryoushii

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    Quote Originally Posted by Vasz
    Greed and stupidity rule in WoW. You either get the virus from "free gold/lvling" emails, or from random people asking for ALL your account details.
    You serious? 'Cause you couldn't be more wrong.

  4. #144

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    Quote Originally Posted by hacko
    Actually, some people arrogant enough to say "I don't need an authenticator" are just wise enough not to need one.

    Authenticator is meant for the masses, not for everyone.
    It's not a necessity, merely an insurance policy.
    Not really. As several people pointed out, they've been hacked from going to "safe, secure" sites because the sites were compromised from a flash exploit or through cross-server scripting or any number of other vulnerabilities that no one can anticipate. I'm very cautious about what I do on my system (FF, noscript, adblock, anti virus, anti malware etc) and I'm better secured than the average joe with my internet safety but I'm not about to pretend that more security is redundant or that I'm safe because I don't visit gold farmers or use shady software.

    Hackers are always looking for a loophole or security vulnerability and they aren't exactly the first ones to go telling the vendor about the exploit or notify the anti malware businesses about it. It's only a matter of time before they find a way past your defenses so you must always be building them up, reinforcing and keeping your guard up. It only takes one little tiny chink in the armor for them to pierce your security and take everything.

    And, as it's been repeatedly said, just because it hasn't happened yet doesn't mean it won't happen to you. No one expects to be hacked until they find out it's already happened.

  5. #145

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    Quote Originally Posted by Ryoushii
    You serious? 'Cause you couldn't be more wrong.
    After my account got hacked (Stupid paladin is stupid?) a few weeks ago I couldn't agree more with Ryoushii here. And the only way you'd actually find this out is if those hackers you throw common sense at make you their bitch. Not everyone falls for the obvious scams, but it doesn't make them (said keyloggers, hackers, etcetera) any less threatening. To ruin your day/week all they need is 3 hours at most.

    Quote Originally Posted by subanark
    There is no perfect solution to this, you can only make it more difficult for hackers to get into accounts.

    Consider:
    If you are infected, when you start up wow, the real version of wow starts up in the background where you cannot see it and a fake version that gives you error messages when you try and login is shown to you. Every key stroke and mouse move go to both the real and fake one. When you try and log into the real one, the fake one gives you an error message while the real one sends a video feed to the hacker who then does bad things™, all while coming from your IP. As an alternative, the hacker could let you play the game when you log in, but intercept the exit command, and instead goes back to realm select screen. After a certain amount of time (hopefully when you're asleep) he logs in and does all those bad things™.

    The best Blizzard can do is limit the amount of damage a hacker can do:
    1. Any item you have equipped for 2 or more hours (or gemmed/enchanted/etc.) cannot be sold or disenchanted.
    2. All soul bound equipment that is destroyed can be recovered from any vendor up to 1 week later.
    3. Have an option to require entering your authenticator code whenever you make a large transaction (trade/mail money to another character on a different account, or by AH purchases). When you enter your authenticator code you can make additional transactions for up to 15 minutes later (as long as you stay logged in).
    4. Guild bank protection. When turned on, money and selected tabs withdraws require approval from another officer (who has been in the guild for a few days). To turn the protection off, the guild leader must either wait 1 day, or get approval from another officer.
    These are all good suggestions, honestly. Anything that delays the damage done that's hard-coded into the game can/will lessen the damage done when people are hacked.

    PS: You can take a course in Hacking in College. Education is awesome.

  6. #146

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    Quote Originally Posted by subanark
    There is no perfect solution to this, you can only make it more difficult for hackers to get into accounts.

    Consider:
    If you are infected, when you start up wow, the real version of wow starts up in the background where you cannot see it and a fake version that gives you error messages when you try and login is shown to you. Every key stroke and mouse move go to both the real and fake one. When you try and log into the real one, the fake one gives you an error message while the real one sends a video feed to the hacker who then does bad things™, all while coming from your IP. As an alternative, the hacker could let you play the game when you log in, but intercept the exit command, and instead goes back to realm select screen. After a certain amount of time (hopefully when you're asleep) he logs in and does all those bad things™.
    While your suggestions are pretty good, your "live feed view" explanation seems taken from a movie/imagination. I can think of several other ways to make the user get an error message and give the exploiter (the man in the middle) access, and none of them involve fancy graphics and someone looking on "your" screen.

    As said before, this is likely to be a "proof of concept", and I think more sophisticated attacks are yet to come.

  7. #147

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    Pardon my language but what sick fuck decided he couldn't get a real job and needed to hack people's game so he can make money? This is ridiculous.. I swear if I ever get hacked I'm gonna quit this game because I can't apparently be in control of my own account, it needs to be in their system and their system is clearly flawed.

  8. #148

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    To all you nubs crying about the deathchargers, why should death knights be special? Not all classes have a mount. Pallies, locks, and DKs until the argent tourney gave out chargers. Now it's just DKs and locks, but why should u guys be special? If they keep deathchargers unique to DKs, then get rid of the tourney chargers people have and give all other classes a mount. You guys whining about fairness. Sounds fair to me.

  9. #149
    Nerph-

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    I stand corrected that Authenticated accounts are 99% secure. You may quote me on this.

    I was wrong

    Yet it's still safer to have one than to not have one... but still, wasn't expecting a virus/keylogger able to steal authenticated accounts to arrive so soon.

    :s

  10. #150

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    Quote Originally Posted by XemnasXD
    I never considered keylogging a hack. I mean basically someone is downloading something bad onto their computer. It's not that the keylogger forced its way on there. Someone was stupid and careless so they got a keylogger and now someone has their authenticator whatever. It's nice that Bliz is aware of this and helping people out but you'd have to be beyond stupid to download something like this...
    I suggest you read about Java vulnerabilities and try to say that again (although using noscript can help with that).

  11. #151

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    Quote Originally Posted by d3v
    I stand corrected that Authenticated accounts are 99% secure. You may quote me on this.

    I was wrong

    Yet it's still safer to have one than to not have one... but still, wasn't expecting a virus/keylogger able to steal authenticated accounts to arrive so soon.

    :s
    Soon? I was expecting something like this long ago.

  12. #152
    Deleted

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    God truly exists!

    When I had my usual paranoia about security issues, they loled at me and said "buy authenticator". Now I can laugh at those people who got "hacked" and were using Authenticators.

    *Nelson style* HA HA!

    Ach, that felt great...

  13. #153

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    Quote Originally Posted by sac
    Pardon my language but what sick fuck decided he couldn't get a real job and needed to hack people's game so he can make money? This is ridiculous.. I swear if I ever get hacked I'm gonna quit this game because I can't apparently be in control of my own account, it needs to be in their system and their system is clearly flawed.
    This hack probably doesn't have anything to do with making money from your account.
    As I said before it's most likely a proof of concept.

    As for hacking / cracking and even the groups that upload movies it's more about being the first to do it. A huge part of this community does it just because they like breaking something or competing to release a movie first. It usually doesn't have a lot to do with making money.
    It's about thinking outside the box. You have something that is supposed to do this and you want to see if you can make it do something that it isn't supposed to do. You'll find that most hacked accounts get hacked by using very simple tools that have been used for years. Think about phishing sites. The whispers you get ingame that you won a spectral tiger and you get a code to enter on some website.
    The chance you'll ever get hacked is relatively small if you can see through whispers and emails like this.

    As for the guy saying that keylogging isn't really hacking. I have to agree to some extent.
    Because you're not actually breaking anything. Everything works as it's intended. (yes this means the keylogger as well)
    Keyloggers belong in the spyware category together with tracking cookies and such.
    Sure you could argue about the deployment of keyloggers but in my experience it's probably safe to say that the majority of keyloggers are installed after you consciously downloaded a file that was infected.

    About the people laughing at this saying authenticators do fuck all. They help a lot because they limit the window in which an account can be compromised by a lot.
    I explained this on the previous page.

  14. #154

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    *jumping on the "hacker expert" bandwagon*
    about bloody time Blizzard implements some rootkit into launcher and/or wow.exe

  15. #155

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    Authenticators help a lot, also a side note maybe Bliz will come out with two-way authenticators, that might help even more but not who knows.
    Quote Originally Posted by Craze
    This hack probably doesn't have anything to do with making money from your account.
    As I said before it's most likely a proof of concept.

    As for hacking / cracking and even the groups that upload movies it's more about being the first to do it. A huge part of this community does it just because they like breaking something or competing to release a movie first. It usually doesn't have a lot to do with making money.
    It's about thinking outside the box. You have something that is supposed to do this and you want to see if you can make it do something that it isn't supposed to do. You'll find that most hacked accounts get hacked by using very simple tools that have been used for years. Think about phishing sites. The whispers you get ingame that you won a spectral tiger and you get a code to enter on some website.
    The chance you'll ever get hacked is relatively small if you can see through whispers and emails like this.

    As for the guy saying that keylogging isn't really hacking. I have to agree to some extent.
    Because you're not actually breaking anything. Everything works as it's intended. (yes this means the keylogger as well)
    Keyloggers belong in the spyware category together with tracking cookies and such.
    Sure you could argue about the deployment of keyloggers but in my experience it's probably safe to say that the majority of keyloggers are installed after you consciously downloaded a file that was infected.

    About the people laughing at this saying authenticators do fuck all. They help a lot because they limit the window in which an account can be compromised by a lot.
    I explained this on the previous page.
    I would say this is true. A lot of hackers that are good (meaning they are good at what they do, which might be programming and so on) want to be known as the best. Like WoW players they want to have a world first and so on. The same goes for hackers. But also hackers do get jobs for companies they hack and so on. Sometimes about money, sometimes not. Who can guess. But the person who did this virus is a smart person or they just know how to work with a system to do what they want which is still smart. I would like to talk to them. Since I am taking computer forensics classes.

  16. #156

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    I'm glad to see a few people arguing against the "common sense" misinformation brought on by the self-righteous. There is no silver bullet when it comes to safety. Redundant and updated security measures are always your best bet. Get an authenticator, get a good antivirus, get a script blocker for your browser, keep everything up to date, and run regular checks.

    But even these things will not make you 100% safe, because no such thing exists. As long as two computers need to communicate information, there will be those diligently searching for new ways to intercept, read, and possibly tamper with that information. The most you can do is minimize your risk.

    My house has never been broken into in 20 years, and yet I wouldn't say I was burglar-proof.

  17. #157

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    I may be naive and full of stupidity, but why won't this work?

    Client login communication is encrypted, and each user defines its own key. Unless the hacker knows this key, he cannot give the user the impression that something is wrong. Only Blizzard can give this message in a valid format to the client (with the encryption key defined by the user), and an invalid message will spot the attack...

    I am sure there are tons of security holes here (since I am no security expert), but at first glance this seems like a secure way of mitigating MitM attacks?

    edit:
    After thinking about this for one minute, I realised why this will not work, and that I indeed am naive and stupid... ><

  18. #158

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    Quote Originally Posted by Noddie
    While your suggestions are pretty good, your "live feed view" explanation seems taken from a movie/imagination. I can think of several other ways to make the user get an error message and give the exploiter (the man in the middle) access, and none of them involve fancy graphics and someone looking on "your" screen.

    As said before, this is likely to be a "proof of concept", and I think more sophisticated attacks are yet to come.
    Never used remote desktop eh? The hacker doesn't need 30 FPS, 5 will be more than enough. There are other easier ways to do a hack. The one I mentioned has the most hack detection potential.

    Quote Originally Posted by Kathor_
    I may be naive and full of stupidity, but why won't this work?

    Client login communication is encrypted, and each user defines its own key. Unless the hacker knows this key, he cannot give the user the impression that something is wrong. Only Blizzard can give this message in a valid format to the client (with the encryption key defined by the user), and an invalid message will spot the attack...

    I am sure there are tons of security holes here (since I am no security expert), but at first glance this seems like a secure way of mitigating MitM attacks?
    Nope, sorry, can't do much against a hacker remotely controlling a host's computer (or an invisible remote desktop of one).

  19. #159

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    Quote Originally Posted by Kathor_
    I may be naive and full of stupidity, but why won't this work?

    Client login communication is encrypted, and each user defines its own key. Unless the hacker knows this key, he cannot give the user the impression that something is wrong. Only Blizzard can give this message in a valid format to the client (with the encryption key defined by the user), and an invalid message will spot the attack...

    I am sure there are tons of security holes here (since I am no security expert), but at first glance this seems like a secure way of mitigating MitM attacks?
    What "own key" are you talking about?
    A user with an authenticator already has 2 "own keys". One is his password and one is the random clock in the authenticator.
    The way this hack works is that it just reads keystrokes in real time, changes the code you put in and sends that to the server. In which case the server responds with an error telling you the code is wrong.
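
Added example, not part of any post in this thread and not Blizzard's code: a server-side detection sketch for the pattern post #159 describes, where the owner's submitted code is rejected while a login with an accepted code arrives from another address inside the code's lifetime. The event fields, the sample data and the assumption that the second login comes from a different address are illustrative; the 30-second window is the figure quoted in post #142.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed code lifetime; 30 seconds is the figure quoted in the thread.
CODE_WINDOW_SECONDS = 30

@dataclass(frozen=True)
class AuthEvent:  # hypothetical log record layout
    ts: int            # epoch seconds
    account: str
    src_ip: str
    password_ok: bool
    code_ok: bool      # authenticator code accepted?

def find_relay_suspects(events, window=CODE_WINDOW_SECONDS):
    """Pair each rejected-code attempt (password correct) with an accepted
    login for the same account from a different address within `window`
    seconds, in either order. Returns (rejected, accepted) tuples."""
    by_account = defaultdict(list)
    for ev in events:
        if ev.password_ok:  # wrong-password noise is a different problem
            by_account[ev.account].append(ev)
    suspects = []
    for evs in by_account.values():
        rejected = [e for e in evs if not e.code_ok]
        accepted = [e for e in evs if e.code_ok]
        for r in rejected:
            for a in accepted:
                if r.src_ip != a.src_ip and abs(a.ts - r.ts) <= window:
                    suspects.append((r, a))
    return sorted(suspects, key=lambda pair: pair[1].ts)

# Constructed sample events (documentation address ranges, made-up accounts).
SAMPLE_EVENTS = [
    # Rejected code from one address, accepted login elsewhere 12 s later.
    AuthEvent(1000, "alice", "203.0.113.10", True, False),
    AuthEvent(1012, "alice", "198.51.100.7", True, True),
    # Plain typo: the retry succeeds from the same address.
    AuthEvent(2000, "bob", "203.0.113.20", True, False),
    AuthEvent(2020, "bob", "203.0.113.20", True, True),
    # Different address, but 100 s apart: outside the code window.
    AuthEvent(3000, "carol", "203.0.113.30", True, False),
    AuthEvent(3100, "carol", "198.51.100.9", True, True),
    # Accepted login lands first, the rejected attempt 5 s after.
    AuthEvent(4000, "dave", "198.51.100.7", True, True),
    AuthEvent(4005, "dave", "203.0.113.40", True, False),
    # Wrong password entirely: ignored.
    AuthEvent(5000, "erin", "198.51.100.7", False, False),
]

def flagged_accounts(events=SAMPLE_EVENTS):
    return [accepted.account for _, accepted in find_relay_suspects(events)]

if __name__ == "__main__":
    for rejected, accepted in find_relay_suspects(SAMPLE_EVENTS):
        print(f"{accepted.account}: code rejected from {rejected.src_ip} at "
              f"{rejected.ts}, accepted from {accepted.src_ip} at {accepted.ts}")
```

A hit is a lead for review rather than proof: someone who mistypes a code on one device and then logs in from another produces the same pattern.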

  20. #160

    Re: Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

    Quote Originally Posted by subanark
    Never used remote desktop eh? The hacker doesn't need 30 FPS, 5 will be more than enough. There are other easier ways to do a hack. The one I mentioned has the most hack detection potential.
    Nope, sorry, can't do much against a hacker remotely controlling a host's computer (or an invisible remote desktop of one).
    Why would you want a video feed tho?
    There's no reason why you would need to do things from the victim's IP.
