Thursday, November 11, 2010

Blizzard Adds Dial-in Authenticator

Blizzard has announced a new security service for US players called the Dial-In Authenticator.

"Similar to the Battle.net Authenticator and Mobile Authenticator application, the Battle.net Dial-in Authenticator is an optional tool that provides an additional layer of security against unauthorized account access. The Battle.net Dial-in Authenticator is not a physical token or application run on a mobile device, however. Instead, it is a free opt-in service that will actively monitor an account and request additional authorization from the user when a potentially unauthorized login attempt occurs."

The service asks you to nominate a phone and a PIN.  When your account is accessed from a different IP address it will ask you to authenticate by dialling a US toll-free number from your nominated phone and entering your PIN and a single-use security code.  The service is optional and best of all, it is free.

This is a good addition to the security arsenal, especially for those users that move around a lot and don't have a hardware authenticator. Remember that good security is made up of several layers of protection, and this offers yet another layer.

More information can be found at the official Battle.net Dial-in Authenticator FAQ.

Sunday, September 19, 2010

Guild Ranks To Include Authenticators

Image courtesy of WoW Insider

The latest news from the Cataclysm beta program, via WoW Insider, is that guild masters have the option to set guild ranks to require the player to have an authenticator on their account.

The obvious use for this is to have the guild master set this on any guild rank that has guild bank access. This will help reduce the chance of the guild bank being stripped in the event of an account compromise.

However, guild masters can go further by mandating that all of their raiders, and even all of their members, have an authenticator.  Too often we see raiding disrupted when key players have had their accounts hacked.  Just imagine the inconvenience when a progression raid gets cancelled because the main tank is waiting for his/her account to be restored after a hack.

This is a great initiative by Blizzard and will surely leave players with one less excuse for not adopting this technology.

Some of the more common excuses for people not having an authenticator include:
  1. "I don't have a credit card" or "They don't deliver to my country" - download the free authenticator app for your mobile phone or ask a guild mate to purchase one for you and mail it to you
  2. "I am too smart/cautious to get hacked" or "I have never been hacked" - Vulnerabilities in your operating system and applications can very easily result in you downloading a keylogger simply by visiting a legitimate web site that has been compromised.  For well-written exploits, no user interaction is required to become infected - you just need to visit a compromised web site.  Your game login and password are then shipped off to the bad guys.  See the recent Adobe example. Additionally, common passwords can be attacked by automated processes - you don't even need a keylogger on your system to fall victim.
  3. "I own a Mac" - Yes, you are less likely to pick up a keylogger since most are written for Windows; however, owning a Mac won't stop you from falling for phishing attacks.
  4. "I pay for this service, authenticators should be free" - I doubt that Blizzard are making any real revenue on a product that sells for $6.50 - they are just aiming to recover costs.  Think of the amount of money you have paid for your subscription to date, and then ask yourself if it is worth the extra $6.50 to reduce the chance of all your hard work being compromised.
  5. "It is inconvenient to type in the code" - the extra ten seconds required to login is a small price to pay for the extra security that it provides.
  6. "Authenticators have been hacked" - well, it was not the authenticator that was hacked, it was more that a keylogger picked up the authenticator code and, in real time, shipped it off to the bad guys.  This was a fairly sophisticated attack and required people power to do the real time processing.  Keep in mind that security is never 100% and that the authenticator is just making it more difficult for the bad guys to get into your account.  An authenticator is still a very effective tool in your security arsenal.
  7. "I don't care, Blizzard can restore my account after a few days" - if you are in a raiding guild then the delay in reporting and restoring your account may mean you miss out on raiding, potentially impacting your entire raid group.  This may even put your guild membership at risk if this happens regularly.
Check out Ten Easy Steps to Securing WoW for more security tips.

Thursday, September 16, 2010

Adobe Announces New Flash Vulnerability

Adobe Systems has recently disclosed a vulnerability in their Flash Player 10.1.82.76 for Windows, Mac, Linux and Solaris. The vulnerability allows the execution of code from a specially crafted PDF or Flash file. Adobe mention that they have seen this being actively exploited.

Put simply, this type of vulnerability could see you become infected with a keylogger simply by browsing a web site that has been compromised. We have seen WoW keyloggers installed via this type of Adobe vulnerability before in June and February.

Adobe has not released a patch for this as yet, but plan to have something available during the week of September 27.

You can reduce the chance of becoming subject to this attack by patching your Flash Player as soon as a patch is released and by running a PDF/Flash blocker such as NoScript in the meantime.

You can find more information on this at the Adobe Security Advisory site.

Sunday, August 8, 2010

Blizzard steps up password education

Blizzard has stepped up its security education program, with a big emphasis on password security. Via both a game login message and a recent blue post, Blizzard stresses the importance of having a different password for your World of Warcraft game account and making sure that your password is a strong one.


BORNAKK: We have been helping players deal with account theft for years now, and unfortunately, roughly a third of players make a very basic security mistake: using the same password for all of their security needs.

If you are serious about protecting your account and your personal security, your Battle.net password should be different from your email account password -- or other personal passwords for that matter!

No one wants account thieves rooting around in their personal email, address book, and contact lists. Too often we see thieves breaking in to this information because their target has used the same password across multiple types of accounts. Not only can this give thieves access to your account, it can lead to compromises far outside of Battle.net as well.

It’s immensely important that everyone use separate passwords for separate applications, including games. Secure passwords have both numeric and alphabetical values, and are usually at least 10 characters in length. 

Now this is very sound advice and is something that I have been highlighting for quite some time.  One third of hacks being a result of using the same password across multiple sites and applications, such as email and fan sites, is a fairly alarming statistic.  This suggests that there are a lot of 3rd party systems out there that are being hacked to farm WoW user accounts and passwords.

Also note that WoW does not impose restrictions on password attempts so dictionary attacks are also a real possibility on your account.  This is a great reason for selecting a strong, complex password.

Oddly enough, Bornakk does not mention the use of an authenticator. The Blizzard authenticator is a great security mechanism and something that every WoW gamer should possess.

You can read more on choosing secure passwords and dictionary attacks on your WoW account here.

Monday, July 12, 2010

ESRB mistakenly releases player email addresses

Many people have asked me how the bad guys get hold of our battle.net login IDs - the same bad guys that inundate us with WoW phishing emails and do dictionary attacks on our battle.net logins.

The team at wow.com have published an article on how the Entertainment Software Rating Board (ESRB) managed to mistakenly release almost 1000 email addresses of WoW players that wrote to them to complain about Blizzard's plan to use real names on the official WoW forums.

This email list is a gold mine to the bad guys, especially where these email addresses match up with battle.net IDs.  There is little doubt that these 1000 email addresses will end up on WoW phishing lists and that they may also be targets for WoW dictionary attacks.

If you recently wrote to ESRB and you used the same email address as your battle.net ID then please consider changing your battle.net ID to a new, unique email address.

You can read more about the mess-up at Wow.com.

Monday, June 7, 2010

Patch Your Flash!

Blizzard has released an advisory warning all players to update their Adobe Flash Player.  Adobe Flash Player 10.0.45.2 has a vulnerability that may allow an attacker to take control of your machine.

LUCYTR: A critical vulnerability has been discovered in Adobe Flash Player 10.0.45.2 and Adobe Reader/Acrobat 9.x, and could potentially be used to target World of Warcraft players and accounts. The newest available version of Adobe Flash 10.1, Release Candidate 7 (available at http://labs.adobe.com/technologies/flashplayer10/), does not appear to contain this vulnerability, and we recommend that everyone upgrade their Flash player as soon as possible. Earlier versions of Adobe Reader and Acrobat, specifically version 8.x, do not appear to contain this vulnerability, either. 
Adobe reports that it has seen evidence of this vulnerability already being exploited.

Although the technical details are still sketchy, it is likely to require a specially crafted Flash or PDF file to trigger the vulnerability.  We have seen this type of attack on Adobe Flash before - where you can be infected by a keylogger/trojan by simply visiting a legitimate web page that renders this malicious code or redirects to a malicious site containing the code.

Unfortunately, Adobe don't seem to have this fix on their auto-update system so be sure to visit Adobe's Security Page and patch your machine with v10.1 today.

Thursday, June 3, 2010

Phishers Ramp Up Their WoW Assault

Phishers have begun targeting the remote auction house and Cataclysm betas in the latest wave of WoW account phishing spam.

In the first example, unsuspecting users receive an email that promotes the features and benefits of the remote auction house and invites them to participate in the beta by clicking on a "download now" link. The link takes them to a fake battle.net login site where their game details are captured.

A sample email is shown below:

A second type of phishing email is targeting the Cataclysm beta opt-in. Users are sent an email reminding them to update their system specifications to be eligible for a beta invite by logging into battle.net. Naturally, the battle.net link is a fake site designed to collect your account credentials:

Be wary of any email that pretends to come from Blizzard and check the URL of any linked site before entering your account credentials. Visit our anatomy of a phishing site post for information on how to spot phishing emails and better protect your game account.

Let us know if you have received email scams like these.

Sunday, May 30, 2010

Suffer mortals, as your pathetic password betrays you!

One of the things we often don't put much thought into is password selection. Usually it is a loved-one's name or an easily remembered string of characters. Unfortunately, a poor choice of password can dramatically increase the chance of your game account being hacked.

In an analysis performed by Imperva of 32 million leaked passwords from rockyou.com, it was found that nearly 50% of passwords consist of people's names, slang words, dictionary words or trivial passwords. The study estimates that if a hacker used the top 5000 passwords in a dictionary attack, it would take, on average, only 111 attempts to break into a given account.

World of Warcraft does not have an account or IP address lockout after any number of bad password attempts. This gives the bad guys an opportunity to dictionary attack your account.

Assuming that the WoW account password frequency distribution is similar and that a hacker could try a password every 2 seconds - it would take an average of only 3.7 minutes to hack an account.

Obviously the time required to hack your account is going to vary based on the strength of your game password so choosing an uncommon and complex password is key. The report lists the following as the most commonly used passwords:
  1. 123456
  2. 12345
  3. 123456789
  4. password
  5. iloveyou
  6. princess
  7. rockyou (or 'warcraft' in our case)
  8. 1234567
  9. 12345678
  10. abc123
Other common passwords include monkey, qwerty, 654321 and first names of people.

How can you better protect your WoW account?

First, buy yourself an authenticator and add another layer of security to your account. A dictionary attack is largely rendered useless with the addition of a hardware token.

Second, if you don't have an authenticator, or simply wish to be more secure, then choose a strong password. Strong passwords contain numeric and non-standard characters and do not contain any dictionary words. They should be 12-14 characters in length. However, don't bother too much with upper and lower case characters, since the battle.net authentication service does not differentiate between upper and lower case. An example of a strong WoW password would be something like "sdm#6wua2pa9jk".

If you have trouble remembering a strong password (and most of us will) then try to create something similar from a memorable saying. For example, Professor Putricide's "Bad news everyone! I don't think I'm going to make it" becomes "bne!idtig2mi" as your password. Such a password will be close to impossible to dictionary attack and will take a long time to brute force attack. Don't share this password with anyone and don't use this password on any other service - keep it unique to WoW only.

Finally, create a unique email address as your battle.net login. Hackers need to be able to guess or steal your username so making this complex will certainly hinder their efforts.

Update: If you want to read more about hackers stealing account usernames and passwords, check out the Symantec article where they recently discovered 44 million stolen gaming credentials.

A little bit of effort with your password selection will make hacking your precious account significantly more difficult... and don't forget to get yourself an authenticator.
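As an added illustration of the arithmetic and the two habits described above (this is example code, not something from the original post): the 111-guess / 2-second estimate, the phrase-to-password trick using the post's Professor Putricide line, and a pool-size estimate that treats letters as case-insensitive, as the post says battle.net does. The common-password list beyond the top ten is constructed in the order the post mentions them, and the "ok" thresholds are my own reading of the post's advice.

```python
"""Password-strength helpers built around the dictionary-attack numbers in the post."""
import math
import string

# Ranked list as quoted in the post; entries after rank 10 are constructed
# in the order the post mentions them (not ranks from the Imperva report).
COMMON_PASSWORDS = ["123456", "12345", "123456789", "password", "iloveyou",
                    "princess", "rockyou", "1234567", "12345678", "abc123",
                    "monkey", "qwerty", "654321", "warcraft"]

# Words the acronym trick replaces with a digit; the post's example uses to -> 2.
WORD_DIGITS = {"to": "2", "too": "2", "for": "4"}


def minutes_to_crack(expected_attempts, seconds_per_attempt):
    """Post's estimate: mean attempts until success times time per attempt."""
    return expected_attempts * seconds_per_attempt / 60.0


def dictionary_rank(password):
    """1-based rank in the common list, or None. Case-folded because
    battle.net does not distinguish upper from lower case."""
    pw = password.lower()
    return COMMON_PASSWORDS.index(pw) + 1 if pw in COMMON_PASSWORDS else None


def phrase_to_password(phrase):
    """Turn a memorable sentence into a password: first letter of each word
    (lower-cased), keep emphatic punctuation that follows a word, and write
    'to' as the digit 2. 'Bad news everyone! I don't think I'm going to make it'
    becomes 'bne!idtig2mi', as in the post."""
    out = []
    for token in phrase.split():
        core = token.strip(string.punctuation)
        trailing = token[len(token.rstrip(string.punctuation)):]
        if not core:
            continue
        out.append(WORD_DIGITS.get(core.lower(), core[0].lower()))
        out.extend(ch for ch in trailing if ch in "!?#$%&*@")
    return "".join(out)


def charset_size(password, case_sensitive=False):
    """Size of the alphabet a brute-forcer must cover, based on the character
    classes actually present. With case_sensitive=False (battle.net), upper
    and lower case letters collapse into one 26-letter class."""
    pool = 0
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if case_sensitive:
        pool += 26 if has_lower else 0
        pool += 26 if has_upper else 0
    elif has_lower or has_upper:
        pool += 26
    pool += 10 if any(c.isdigit() for c in password) else 0
    pool += len(string.punctuation) if any(c in string.punctuation for c in password) else 0
    return pool


def brute_force_bits(password, case_sensitive=False):
    """log2 of the keyspace a brute-force attacker must search."""
    pool = charset_size(password, case_sensitive)
    return len(password) * math.log2(pool) if pool else 0.0


def assess(password):
    """Summarise a candidate against the post's advice: not in the common list,
    12+ characters, and more than a single character class."""
    rank = dictionary_rank(password)
    pool = charset_size(password)
    return {
        "rank": rank,
        "pool": pool,
        "bits": brute_force_bits(password),
        "ok": rank is None and len(password) >= 12 and pool > 26,
    }
```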

Friday, May 21, 2010

MMO-Champion hacked

The team at the popular WoW fan site MMO-champion have announced that their site was recently hacked. What happened here and how can you best protect yourself against malicious code on legitimate web pages?

The malicious code was Gumblar - a malicious piece of JavaScript that was placed on their pages.

How did the malicious code get there?

This is a question that has not been answered by the web site owners. However, it is likely to be one of the following causes:
  1. The mmo-champion.com site was hacked and the code was manually planted there by the attacker. There are multiple ways this could have happened, but one common way is via SQL injection.
  2. One of their admins was infected on their own PC and their FTP login details were used by the malware to log in to the mmo-champion.com web servers and automatically infect their files.
Hackers often target legitimate web sites, especially high traffic sites, so that they get the widest exposure to their malware.

What is the malicious code designed to do?

According to a Gumblar Q&A, the malicious code redirects a user to a malicious web site that contains specially crafted PDF or Flash files that automatically infect your machine if you do not have your Adobe Flash Player patched. The malware that it installs can redirect your Google searches and replace search results with links to malicious sites. It also harvests FTP information from your machine so that it can try to automatically inject code on other web servers. Finally, it can open a back door so that your machine can be controlled remotely.

Could I have been infected from MMO-champion?

The team at mmo-champion claim that the malicious code was only on their site for 30 mins before it was detected, shut down and subsequently cleaned.

If you browsed the site in that time, you probably would have noticed an attempt to redirect your browser to another web site. Many browsers have in-built blocking mechanisms so you may have seen a big red message on your browser advising you that you are about to visit a malicious web site. If you proceeded, and the malicious web site was online at the time, then you would have been exposed to malicious PDF or Flash files. If, and only if, your Adobe Flash Player was not patched, then these malicious files may have automatically executed. If you were running up-to-date and mainstream antivirus products then it should have been detected and stopped at this stage.

The short answer is, you may have been infected but you would have needed to have no antivirus (or poor antivirus), no recent patching of your Adobe flash player and would have needed to visit the site in the 30 mins when the code was there.

If you think your machine is infected then try this free web-based scanner - Housecall.

Does it steal my WoW account info?

No, but if you were infected then you still need to clean it off your machine since it may compromise any FTP sites that you might visit, install a backdoor and your search engine results may be replaced with malicious sites. This is not the type of malware that you want on your PC.

Would the Firefox 'NoScript' add-on help?

Probably, although if you are a regular mmo-champion visitor then you would have been likely to nominate their site as a trusted site in NoScript - resulting in NoScript having no effect. NoScript is a great security measure, but it breaks a lot of sites. It is the old security vs usability trade-off.

What can I do to protect myself against these attacks?
  1. Make sure your software is fully patched - this includes your operating system (OS), browser, Flash Player, JavaScript, etc. Most people just worry about patching their OS, but there are many other avenues for exploiting software vulnerabilities on your PC.
  2. Make sure you run reputable anti-virus on your system - and make sure it is always updated.
  3. Don't ignore your browser when it tells you that the site you are about to go to is potentially dangerous.
  4. Get yourself an authenticator. Even though this malware is not written to steal WoW information, the next one might be. An authenticator is a last line of defense, and may prove to be your savior should all else fail.
Finally, don't assume you can't get infected by malware without user interaction - you can! You can pick up malware simply by visiting a web page and you won't even know it is happening. This is why you need several defense mechanisms in your security arsenal.


Sunday, April 25, 2010

Beware 2010 Arena Tournament scams

Scammers are increasing their efforts with the recent announcement of the 2010 Arena Tournament. I am starting to see phishing emails that tell you all about the new arena tournament and provide you with a convenient "Register Now" link. This link takes you to a fake login page and steals any details that you enter.

The fake login page will capture your username and password. The site then redirects you to the genuine US battle.net login page and tournament registration. Like an ATM skimming device attack, the user rarely detects that a scam has taken place until their account is stripped.

An example of these emails:

Want to learn more about how to spot phishing scams? Check out our post covering the anatomy of a WoW phishing site.

Wednesday, April 21, 2010

WoW Phishing Domain Compendium

World of Warcraft phishing scams are becoming commonplace these days. I wrote an article last year which covered the anatomy of a WoW phishing site.

To give you some idea on how widespread the issue is, I have put together a collection of the known illegal phishing domains seen so far this year. This list is largely based on a WoW spam honeypot that I have established and further supplemented by tips from players.

Warning - do not visit these sites! They are included here to help educate gamers on what to look for with regards to phishing URLs. Some are still active and may feature malware/keyloggers. I have purposely mangled the URLs so that you don't accidentally click on the sites. If you feel tempted then stop reading now - you have been warned.

These domains are constantly changing - as one is shut down or blocked, another appears. As you can see, there are a lot of variations.
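The variations follow a handful of patterns: a look-alike digit swapped into the brand (1 for l), a near-misspelling, the brand padded with words like "account" or "login", or the brand used as a subdomain of some unrelated registered domain. Below is an added example (mine, not code from the original post) of a triage heuristic that flags those patterns; the sample hostnames are constructed under the reserved .example TLD, the list of lure words is my own, and the registrable-domain split is a naive last-two-labels rule.

```python
"""Heuristic triage of hostnames that imitate WoW / Battle.net / Blizzard domains."""
from urllib.parse import urlsplit

# The genuine domains the check protects (named in the post).
LEGIT_DOMAINS = ("worldofwarcraft.com", "battle.net", "blizzard.com")

# Digits attackers swap in because they resemble letters (wor1d -> world).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})

BRAND_TOKENS = ("worldofwarcraft", "blizzard", "battle", "wow")
# Words the fake domains bolt onto the brand to look official (constructed list).
LURE_TOKENS = ("account", "login", "admin", "security", "billing", "management",
               "support", "authent", "authon", "subscription", "tournament", "award")


def levenshtein(a, b):
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname_of(url):
    """Lower-cased hostname from a URL; a bare hostname is accepted as well."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").lower().rstrip(".")


def registrable_domain(host):
    """Naive eTLD+1: the last two labels (adequate for the .com/.net cases here)."""
    return ".".join(host.split(".")[-2:])


def classify(url):
    """Return the reasons a hostname looks like a phishing domain.

    An empty list means no pattern matched; it does not prove the site is genuine."""
    host = hostname_of(url)
    if not host:
        return ["no hostname could be parsed"]
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return []  # real domain, including legitimate subdomains such as us.battle.net
    raw_sld = reg.rsplit(".", 1)[0]
    sld = raw_sld.translate(HOMOGLYPHS)  # fold look-alike digits before comparing
    reasons = []
    for legit in LEGIT_DOMAINS:
        legit_sld = legit.split(".")[0]
        distance = levenshtein(sld, legit_sld)
        if sld == legit_sld and raw_sld != legit_sld:
            reasons.append(f"homoglyph look-alike of {legit}")
        elif 0 < distance <= 2:
            reasons.append(f"misspelling of {legit} (edit distance {distance})")
        elif legit_sld in sld:
            reasons.append(f"brand {legit} embedded in a different registered domain")
    if any(b in sld for b in BRAND_TOKENS) and any(l in sld for l in LURE_TOKENS):
        reasons.append("brand name combined with account/security lure words")
    subdomain_part = host[: -len(reg)]  # everything left of the registered domain
    if any(b in subdomain_part for b in BRAND_TOKENS):
        reasons.append("brand name used as a subdomain of an unrelated domain")
    return reasons
```

Genuine traffic to a legitimate subdomain returns an empty list, so the check can run over a mail gateway's extracted URLs without flagging Blizzard's own links.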

These URLs are usually associated with a spam email telling you that your WoW account has been suspended. The email asks you to click on a link (which may be disguised as a valid game site URL) which takes you to these malicious URLs to phish for your game details. The link could also arrive as an in-game mail or whisper.

As always, don't click on links in emails that appear to come from Blizzard and don't believe the random in-game whispers that tell you that you have won a rare spectral tiger or that your account has been suspended and that you immediately need to log in to unlock it.

For more information on how to look out for phishing attempts visit the official Battle.net security site and our top 10 security steps article.

If you see any other fake WoW phishing domains then report them to polar at guildox dot com

Monday, March 15, 2010

Kicking Goals in the World of Warcraft

Is a member of your family or close friend crazy about a game called World of Warcraft? Do they lock themselves in their room, playing the game for hours and refusing to take phone calls or talk to you? It's time to investigate this seemingly strange behavior by drawing parallels to the universal sport of soccer/football.

What is the World of Warcraft?

World of Warcraft (WoW) is a highly popular multi-player online game with over 11 million subscribers. Unlike traditional stand-alone computer games, online games feature interaction with hundreds and sometimes thousands of other real human players. In WoW, these players form 'raid groups' of up to 25 players to tackle an in-game dungeon.

What exactly is a WoW raid group?

Think of a raid group as a soccer team and think of a dungeon as a series of matches where the team plays against computer controlled opponents, also known as "bosses". The raid group works as a team to win these matches - there is a nominated raid leader (the coach and captain) who gives instructions and coordinates the team. The team consists of attackers (DPS members) which are assigned to attack and damage the boss and defenders (tanks and healers) which aim to distract the boss and heal up the team so that the attackers can do their job. Each team member is assigned a specific role and, like any sporting match, all players need to be present for the full game time and perform their assigned duties to the best of their ability. Many raid groups also have reserve players that sit on the bench, waiting to be called in to replace players.

Team members will communicate with each other via a microphone and headphones connected to the PC - you may see your partner sporting a very ugly set of headphones, looking something like a submarine commander. This is the equivalent of the on field communication that happens between players, the captain and the coach.

Each of the matches takes typically between 5-10 mins. During this time, there is no way to pause the game - all raiding takes place in real time. After each match, the raid leader will analyse the performance of the team, make adjustments and then re-engage until the "boss" is defeated - just like any good soccer coach.

A full raid session may consist of many boss kills and can easily go for several hours. Raids are typically scheduled at specific times each week.

So why won't they come and have dinner when they are called?

Players are required to be present for the full duration of the raid. Like any sporting match, you cannot just leave the game whenever you decide. Many of the matches require all members of the raid to play at their best - any single member that steps away from a match and goes 'away from keyboard - AFK' without pre-warning the raid leader will very likely cause the match to be lost - upsetting the other 24 players in the raid.

Why can't I talk to them for 5 mins during a raid?

Players will either be participating in the match or will be listening to the raid leader, taking instructions before the next match. Either way, the player needs to give the raid his/her full attention.

It is best to wait for a "bio" break to speak with them. Bio breaks are scheduled breaks where the player can get a coffee or visit the bathroom.

What happens when all of the bosses are defeated?

This only occurs for the very elite teams and only for certain periods of the year. The creators of WoW are constantly adding new bosses and content to the game to keep players entertained. Most raiding groups always have something bigger to aim for.

I asked them to go out this weekend but they claim they are rostered. What's the deal?

Just like your weekend soccer games, players announce their availability to play typically 1-2 weeks ahead of the scheduled raid. A team roster is usually published by the raid leader a few days before the raid. Players that made themselves available and subsequently get rostered are expected to play.

Why bother raiding - it's just a computer game? Why don't they go outside and kick a ball instead?

The real thrill of raiding is the feeling of progression, team work and accomplishment - just like the feeling you get after winning a sporting final.

Each completed boss encounter awards the group with several items of equipment, otherwise known as 'loot'. This loot comes in the form of items that the player can wear and may be a new piece of armor, weapon or other similar item. Loot items increase the power of individual players and are highly sought after. Winning loot in a raid is a significant achievement - very similar to that sporting trophy you display with pride on the mantle piece.

So if I have to engage in conversation with my WoW gamer, what should I be asking?

Stun your WoW gamer by asking them any of the following questions:
  • What role do you play in WoW raids? A tank, healer or DPS? Why did you choose that role?
  • What new loot did you get from your raid today? Show me your character.
  • What boss are you currently working on? How did you go?
  • Your dinner is almost ready, when can you take your next extended bio break?
Ask these and your fellow raider is bound to be most impressed with your understanding of their gaming world.

Finally, just remember that calling your WoW player for dinner or asking them to do chores in the middle of the raid is likely to be met with some serious resistance. Would David Beckham or Ronaldo leave the field mid-game to put the trash out? At least wait for half-time.

Monday, March 1, 2010

Update: Keylogger websites shut down

The main infection source of the recent anti-authenticator keylogger/trojan appears to have been shut down. The main places of infection - the fake site wowmatrixf._com and other associated fake addon sites, including cursea._com and deadlybossmodss._com - are no longer online. (Victims were lured to these fake sites via Google advertisements)

We can breathe a sigh of relief but don't become complacent. This trojan/keylogger is likely to spring up somewhere else. Be cautious of what you download and execute from any web site. Addons should not require an installer package to execute. Be very suspicious of anything that asks you to "run a program". Follow our 10 Easy Steps to increase protection.

If you notice that these fake sites pop up in another spot then let us know.

Sunday, February 28, 2010

Authenticator hack - is your account still safe?

The big security news of the weekend is that Blizzard has confirmed a man-in-the-middle attack that is being used to hack accounts that are using an authenticator.

Let me state up front that this is not a reason to throw your authenticator away nor should it be an excuse for not getting one. The authenticator is a very sound device - but it is, and will always be, just one of many security mechanisms that you should use to help secure your account. It is what us IT security guys call "layered security" - more on this in a moment.

The attack itself requires a keylogger/trojan. The keylogger, once installed on your system, logs your game user name, password AND authenticator code. It proceeds to post this information off to a rogue server so that the attacker can use this information in near real-time to access your game account. In the meantime, it sends an incorrect code to the battle.net authentication server from your machine - resulting in an "incorrect login" type message from the game. It does this so that you don't consume the one-time-use code that the authenticator provides.
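From the server side, that sequence leaves a footprint: the victim's own machine reports an authenticator failure and, seconds later, the same account logs in successfully from a different IP address. The following is an added example (mine, not Blizzard's code) of correlating those two events in an authentication log; the log format, the 30-second window and the sample lines are all constructed, and the source addresses are RFC 5737 documentation ranges.

```python
"""Flag logins that match the relayed-authenticator-code pattern: a failed
attempt for an account, then a success for the same account from another
IP within a short window."""
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, account, result, source IP.
SAMPLE_LOG = """\
2010-02-27T20:15:01Z alice AUTH_FAIL 203.0.113.10
2010-02-27T20:15:04Z alice AUTH_OK 198.51.100.77
2010-02-27T20:16:00Z bob AUTH_FAIL 192.0.2.5
2010-02-27T20:16:09Z bob AUTH_OK 192.0.2.5
2010-02-27T20:30:00Z carol AUTH_FAIL 203.0.113.44
2010-02-27T20:45:00Z carol AUTH_OK 198.51.100.9
"""


def parse_log(text):
    """Parse log lines into (timestamp, account, result, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, result, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, result, ip))
    events.sort(key=lambda e: e[0])
    return events


def relay_suspects(events, window=timedelta(seconds=30)):
    """Return (account, fail_ip, ok_ip, gap_seconds) for every AUTH_OK that
    follows an AUTH_FAIL for the same account from a *different* IP within
    `window`. A retry from the same IP (bob) is an ordinary typo; a success
    long after the failure (carol) is outside the window."""
    last_fail = {}  # account -> (timestamp, ip) of the most recent failure
    suspects = []
    for ts, account, result, ip in events:
        if result == "AUTH_FAIL":
            last_fail[account] = (ts, ip)
        elif result == "AUTH_OK" and account in last_fail:
            fail_ts, fail_ip = last_fail.pop(account)
            gap = ts - fail_ts
            if fail_ip != ip and gap <= window:
                suspects.append((account, fail_ip, ip, gap.total_seconds()))
    return suspects


def scan(text=SAMPLE_LOG):
    """Convenience wrapper: parse and correlate in one call."""
    return relay_suspects(parse_log(text))
```

A traveller on a VPN can trip the same rule, so in practice it is a signal to step up verification (or at least alert the account owner), not a reason to lock the account outright.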

It was only a matter of time before we saw this kind of attack. More and more people have been using authenticators. In a survey of over 90 gamers at securingwow.blogspot.com, 84% claimed to have an authenticator attached to their game account. This tells us that more and more people are now running with an authenticator - reducing the pool of "easy" victims.

The bad guys are now being forced to step up the sophistication of their attacks and have started targeting those with authenticators. We are bound to see many more keyloggers with this capability in the near future. Phishing attacks will also begin to operate in the same fashion: the fake site asks you to type in your authenticator code along with your other game account details, posts the information off to the attacker, who uses it in real time, and leaves you with a "system unavailable" message and a soon-to-be-stripped game account. If WoW phishing sites don't have these mechanisms already, I can assure you that they are not far away.

So how do you prevent it from happening? It all comes down to minimizing the chance of being infected with a keylogger in the first place. One of the many tenets of IT security is that "no security system is 100% effective". Anyone who tells you otherwise does not know what they are preaching, or they are trying to sell you some snake oil. In this case, we can't rely on authenticators to be the only defense mechanism - here are ten simple steps you can take to reduce the chance of your game account being compromised:
  1. Don't share your game password with anyone and pick a password that is not easily guessed
  2. Don't use the same password for subscribing to fan sites
  3. Keep your operating system, browser and other software (especially Adobe Flash) fully patched - start with Windows Update
  4. Run a reputable antivirus product, preferably a full internet security suite with a firewall and keystroke encryption
  5. Don't click on email attachments, especially when you don't know the sender
  6. Don't download and run executable files from web pages
  7. Don't enter your game password into any web site other than the official game sites
  8. Don't enter your game password to a legitimate Blizzard web site from a PC that may be compromised
  9. Be very suspicious if an addon requires some form of install package to be run
  10. Invest in a Blizzard authenticator or install the Battle.net authenticator application on your phone
Try to follow all of these recommendations - not just one or two points.

In this specific case, the keylogger was reportedly delivered via a fake site for the Wowmatrix addon manager. The site was created to look and feel like wowmatrix.com but, instead of downloading and installing the addon manager, it installed the keylogger. Our recommendations #6 and #9 cover exactly this: avoid running executable files from web sites, and be "very suspicious" of add-ons that require an installer to run.

The bottom line is that keyloggers and phishing sites are here to stay. Don't rely on your authenticator to protect you 100% of the time - but don't throw it out either. It still forms a very strong part of your layered defense against the bad guys.

Post a comment - we would like to hear from you if you have fallen victim to this attack.

Friday, February 12, 2010

Adobe Flash Vulnerability Fix

Adobe has released a patch for the latest Flash vulnerability. Adobe Flash is used by the majority of browsers to display dynamic content on web pages. This vulnerability can potentially lead to automatic keylogger downloads by visiting a web site that has a specially crafted flash file embedded in its pages. This is known as a 'drive-by download' - one in which malware can be downloaded and installed without you knowing.

While I am yet to see this specific vulnerability exploited, it is only a matter of time before it is. I have seen previous Flash vulnerabilities exploited to download keyloggers from popular WoW fan sites.

So - play it safe - visit the official Adobe Flash download site and update your flash player.

Be sure to visit our 10 Easy Steps page to further protect your WoW account.

Friday, January 29, 2010

Blizzard Launches Battle.Net Security Site

Blizzard has launched their official security awareness page offering helpful advice on what you can do to safeguard your computer, how to spot scams, info on the adverse effects of buying gold, and tried-and-true methods to help prevent account compromises.

They specifically provide:
  • A Security Checklist - covering preventative measures that you should be taking
  • Types of Account Theft - listing the common methods used to hack accounts
  • Advice on what to do if you get hacked
Be sure to check it out at http://us.battle.net/security/

As always, having a Blizzard Authenticator is one of the best methods of hack prevention.

Friday, January 15, 2010

The Armory Phishing Scam

The new and improved wowarmory has brought with it an opportunity for scammers seeking to trick you into disclosing your WoW game password. Check out the full coverage at wow.com on this latest scam:

http://www.wow.com/2010/01/15/beware-of-wow-armory-phishing-scams/

As always, never enter your game username/password into a site that is not "blizzard.com" or "worldofwarcraft.com" and get yourself an authenticator today!

If you have had a close encounter with a WoW phishing scam then post a comment and let us know about it.

Tuesday, January 12, 2010

Beware of Cataclysm Phishing Scams

With the recent announcement of the Cataclysm alpha, users are warned not to fall victim to phishing scams.

Be aware that if you receive an email inviting you to join the Cataclysm testing cycle then it will most likely be a scam. Cataclysm open beta does not exist as yet.

Do not enter your game username and password into any sites that may link from any email claiming to be an official Blizzard invite to Cataclysm.

If you see a Cataclysm phishing scam then feel free to share your comments on it.