Sunday, February 28, 2010

Authenticator hack - is your account still safe?

The big security news of the weekend is that Blizzard has confirmed a man-in-the-middle attack that is being used to hack accounts that are using an authenticator.

Let me state up front that this is not a reason to throw your authenticator away nor should it be an excuse for not getting one. The authenticator is a very sound device - but it is, and will always be, just one of many security mechanisms that you should use to help secure your account. It is what us IT security guys call "layered security" - more on this in a moment.

The attack itself requires a keylogger/trojan. The keylogger, once installed on your system, logs your game user name, password AND authenticator code. It proceeds to post this information off to a rogue server so that the attacker can use this information in near real-time to access your game account. In the meantime, it sends an incorrect code to the authentication server from your machine - resulting in an "incorrect login" type message from the game. It does this so that you don't consume the one-time-use code that the authenticator provides.

Now it was only a matter of time before we saw this kind of attack. More and more people have been using authenticators. In a survey of over 90 gamers at, 84% of them claim to have an authenticator attached to their game account. This tells us that more and more people are now running with an authenticator - reducing the pool size of "easy" victims.

The bad guys are now being forced to step up the sophistication of their attacks and have started targeting those with authenticators. We are bound to see many more keyloggers with this capability in the near future. Additionally, phishing attacks will also begin to operate in the same fashion - asking you to type in your authentication code, along with your other game account details, posting the info off to the attacker - who uses them in real time - leaving you with a "system unavailable" message and a soon-to-be-stripped game account. If we don't have these mechanisms in WoW phishing sites already then I can assure you that they are not far away.

So how do you prevent it from happening? It all comes down to minimizing the chance of being infected with a keylogger in the first place. One of the many tenets of IT Security is that "no sercurity system is 100% effective". Anyone that tells you otherwise does not know what they are preaching or they are trying to sell you some snake-oil. In this case, we can't rely on authenticators to be the only defense mechansim - here are ten simple steps you can do to reduce the chance of your game account being compromised:
  1. Don't share your game password with anyone and pick a password that is not easily guessed
  2. Don't use the same password for subscribing to fan sites
  3. Keep your operating system, browser and other software (especially Adobe Flash) fully patched - start with Windows Update
  4. Run a reputable antivirus product, preferably a full internet security suite with a firewall and keystroke encryption
  5. Don't click on email attachments, especially when you don't know the sender
  6. Don't download and run executable files from web pages
  7. Don't enter your game password into any web site other than the official game sites
  8. Don't enter your game password to a legitimate Blizzard web site from a PC that may be compromised
  9. Be very suspicious if an addon requires some form of install package to be run
  10. Invest in a Blizzard authenticator or install the Battlenet authenticator application on your phone
Try to follow all of these recommendations - not just one or two points.

In this specific case, the keylogger was reportedly delivered via a fake site for the Wowmatrix addon manager. The site was created to look and feel like but, instead of downloading and installing the addon manager, the keylogger was installed instead. Our recommendations #6 and #9 talk about being "very suspicious" of add-ons that require an installer to run and avoid running executable files from web sites.

The bottom line is that keyloggers and phishing sites are here to stay. Don't rely on your authenticator to protect you 100% of the time - but don't throw it out either. It still forms a very strong part of your layered defense against the bad guys.

Post a comment - we would like to hear from you if you have fallen victim to this attack.

Friday, February 12, 2010

Adobe Flash Vulnerability Fix

Adobe has released a patch for the latest Flash vulnerability. Adobe Flash is used by the majority of browsers to display dynamic content on web pages. This vulnerability can potentially lead to automatic keylogger downloads by visiting a web site that has a specially crafted flash file embedded in its pages. This is known as a 'drive-by download' - one in which malware can be downloaded and installed without you knowing.

While I am yet to see this specific vulnerability exploited, it is only a matter of time before it is. I have seen previous Flash vulnerabilities exploited to download keyloggers from popular WoW fan sites.

So - play it safe - visit the official Adobe Flash download site and update your flash player.

Be sure to visit our 10 Easy Steps page to further protect your WoW account.