Sunday, February 28, 2010

Authenticator hack - is your account still safe?

The big security news of the weekend is that Blizzard has confirmed a man-in-the-middle attack that is being used to hack accounts that are using an authenticator.

Let me state up front that this is not a reason to throw your authenticator away, nor should it be an excuse for not getting one. The authenticator is a very sound device - but it is, and will always be, just one of many security mechanisms that you should use to help secure your account. It is what we IT security guys call "layered security" - more on this in a moment.

The attack itself requires a keylogger/trojan. The keylogger, once installed on your system, logs your game user name, password AND authenticator code. It proceeds to post this information off to a rogue server so that the attacker can use this information in near real-time to access your game account. In the meantime, it sends an incorrect code to the battle.net authentication server from your machine - resulting in an "incorrect login" type message from the game. It does this so that you don't consume the one-time-use code that the authenticator provides.

Now it was only a matter of time before we saw this kind of attack. More and more people have been using authenticators. In a survey of over 90 gamers at securingwow.blogspot.com, 84% of them claim to have an authenticator attached to their game account. This tells us that more and more people are now running with an authenticator - reducing the pool size of "easy" victims.

The bad guys are now being forced to step up the sophistication of their attacks and have started targeting those with authenticators. We are bound to see many more keyloggers with this capability in the near future. Additionally, phishing attacks will also begin to operate in the same fashion - asking you to type in your authentication code, along with your other game account details, posting the info off to the attacker - who uses them in real time - leaving you with a "system unavailable" message and a soon-to-be-stripped game account. If we don't have these mechanisms in WoW phishing sites already then I can assure you that they are not far away.
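The pattern described in the two passages above (the keylogger variant and the phishing variant) leaves the same trace on the authentication server: a failed login for an account from the victim's machine, followed within seconds by a successful login for the same account from a different address, because the attacker is using the captured one-time code before it expires. The following detector is an added example written for this post; it is not Blizzard's code, and the log line format, field names and the sample addresses are all constructed for illustration.

```python
"""Flag the 'fail here, succeed elsewhere seconds later' login pattern.

Constructed example for the post above. The log format (one event per
line, ISO timestamp followed by key=value fields) is assumed, not any
vendor's real format. IP addresses are from the RFC 5737 documentation
ranges and accounts are example.com placeholders.
"""
from datetime import datetime

# Constructed sample authentication log. player1 shows the relay pattern:
# a bad one-time code from one address, then a success from another 7 s
# later. player2 is an ordinary typo retry from the same address and must
# not be flagged. player3 has no prior failure at all.
SAMPLE_LOG = """\
2010-02-27T21:14:02Z account=player1@example.com result=FAIL reason=bad_otp ip=203.0.113.10
2010-02-27T21:14:09Z account=player1@example.com result=OK ip=198.51.100.7
2010-02-27T21:30:00Z account=player2@example.com result=FAIL reason=bad_password ip=203.0.113.44
2010-02-27T21:30:20Z account=player2@example.com result=OK ip=203.0.113.44
2010-02-27T22:05:15Z account=player3@example.com result=OK ip=192.0.2.5
"""


def parse_line(line):
    """Split one log line into a dict; 'ts' becomes a datetime."""
    ts_str, _, rest = line.strip().partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_relay_suspects(log_text, window_seconds=60):
    """Return (account, fail_ip, ok_ip, seconds_apart) for every success
    that follows a failure for the same account from a different address
    within window_seconds. Same-address retries are ignored."""
    last_fail = {}  # account -> (timestamp, ip) of the most recent failure
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        acct = ev["account"]
        if ev["result"] == "FAIL":
            last_fail[acct] = (ev["ts"], ev["ip"])
        elif ev["result"] == "OK":
            prior = last_fail.pop(acct, None)
            if prior is None:
                continue
            fail_ts, fail_ip = prior
            delta = (ev["ts"] - fail_ts).total_seconds()
            if fail_ip != ev["ip"] and 0 <= delta <= window_seconds:
                alerts.append((acct, fail_ip, ev["ip"], int(delta)))
    return alerts


if __name__ == "__main__":
    for acct, fail_ip, ok_ip, secs in find_relay_suspects(SAMPLE_LOG):
        print(f"possible relayed login: {acct} failed from {fail_ip}, "
              f"succeeded from {ok_ip} {secs}s later")
```

The window is deliberately short: a genuine one-time code is only valid for a brief period, so a success that arrives much later from a new address is far more likely to be the real owner on another machine. A hit from this check is a reason to contact the account holder and force a password reset, not proof of compromise by itself.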

So how do you prevent it from happening? It all comes down to minimizing the chance of being infected with a keylogger in the first place. One of the many tenets of IT security is that "no security system is 100% effective". Anyone who tells you otherwise does not know what they are preaching, or they are trying to sell you some snake oil. In this case, we can't rely on authenticators to be the only defense mechanism - here are ten simple steps you can take to reduce the chance of your game account being compromised:
  1. Don't share your game password with anyone and pick a password that is not easily guessed
  2. Don't use the same password for subscribing to fan sites
  3. Keep your operating system, browser and other software (especially Adobe Flash) fully patched - start with Windows Update
  4. Run a reputable antivirus product, preferably a full internet security suite with a firewall and keystroke encryption
  5. Don't click on email attachments, especially when you don't know the sender
  6. Don't download and run executable files from web pages
  7. Don't enter your game password into any web site other than the official game sites
  8. Don't enter your game password to a legitimate Blizzard web site from a PC that may be compromised
  9. Be very suspicious if an addon requires some form of install package to be run
  10. Invest in a Blizzard authenticator or install the Battlenet authenticator application on your phone
Try to follow all of these recommendations - not just one or two points.

In this specific case, the keylogger was reportedly delivered via a fake site for the Wowmatrix addon manager. The site was created to look and feel like wowmatrix.com but, instead of downloading and installing the addon manager, it installed the keylogger. Our recommendations #6 and #9 talk about being "very suspicious" of addons that require an installer to run and about avoiding executable files downloaded from web sites.

The bottom line is that keyloggers and phishing sites are here to stay. Don't rely on your authenticator to protect you 100% of the time - but don't throw it out either. It still forms a very strong part of your layered defense against the bad guys.

Post a comment - we would like to hear from you if you have fallen victim to this attack.

14 comments:

  1. hey polar
    I'm an officer in the Knights who say Nee on aman'thul and we are having a rash of account hacks happening at the mom...........in the last couple of weeks 12 accounts have been compromised
    including our GM and he is an IT professional and he stripped the bank 18k gold and a lot of enchant mats. ok none of them had authenticators attached to their accounts, and some of them use their computers for work uses and run virus scans on a daily basis, it is starting to happen toooooo often now to be keyloggers or phishing sites we seem to think that possibly there has been an exploit that has been found and advertised in the black hat community

  2. I've never purchased Authenticator? oddly, i was disconnected, logged back in, then 10min later disconnected again. but this time when i tried to log in, Authenticator popped up after i put my email and password in Now I'm stuck out? I haven't called blizz yet about this, which I soon will do?

  3. @Anonymous#1 - not sure about a black hat community exploit, but it could equally be that a web site that your 12 players access may have had their username(email address)/password database hacked - and it just so happens that these 12 players use the same password on that site that they do in-game. This is a great reason why you should have a different in-game password to that which you use anywhere else. Maybe they should all spend $6.50 and buy an authenticator too.

    @anon#2 - it is common for hackers to put an authenticator on your account after you have been compromised. I recommend contacting Blizzard asap to get back into your account and check to make sure everything is still in one piece.

  4. Personally, I think if it was an exploit, more than likely there would be a FAR larger hack outbreak, most likely resulting in an emergency update from Blizzard. I've followed those blog security guidelines with everything I do and I've never once had any of my accounts hacked. Not facebook, not wow, not e-mail, not anything. Often times people said they did everything that they should... but 99% of the time I usually discover they didn't update their virus defs for a week... or they didn't feel like installing OS updates the day they came out. Or they have a password with their first or last name in it. Even if you run full scans - if you don't follow ALL the guidelines... you're going to get hacked eventually.

  5. I haven't played WoW in so long I cannot remember, and I changed my password before I quit the game.

    All of a sudden, these authenticators come out, and my account which is inactive, gets hacked?

    Which means someone not only got my account username and password which I've never typed into my computer ever...

    ...they also attached an authenticator to my account.

    The only way I even knew about my account being online and getting stripped is because someone I know who still plays told me they saw me online.

    So I log into my un-paid-for account to find myself locked out by an authenticator.

    How in the bloody world did these idiots get ahold of my account?

    I mean for years my account is fine, then all of a sudden these stupid authenticators come out and I get hacked?

    Nice security there Blizzard. You can restore my items to a game I don't even play anymore all you want, but how many days will it take you to restore my identity which you compromised?

  6. My account was also apparently hacked sometime during the last week or two (I was on vacation) and an Authenticator placed on it. I tried to call Blizzard and can't even get put on hold. I am told their queue is full. I emailed them and got a reply that they would get back to me but it might be several days.

    Red Dead Redemption, anyone?

  7. Same here... I haven't paid or played since February when I got a new PC... The old one has been gathering dust and was never connected. But today I get an email saying my account has been suspended for 72 hours.

    I logged into the account page (after installing WOW) and it seems I referred someone via the refer-a-friend option. Euh... what ?

    I'm a CCSE so I do actually know how to secure my systems. I'm running a home-grown linux firewall on a separate machine and my PC has a real-time active security suite on it, so I "know" it's not my system. Hell, I get paid for securing networks.

    Something tells me someone has found an exploit or hacked Blizzard's user database.

  8. Thank god I found these posts, the last few especially. I haven't played in over a year and the game wasn't even paid for when I was hacked and an authenticator placed on. I'm so god damn beyond positive that it wasn't lost on my side. This is the only account of any type on any game of any sort EVER to be just plain stolen. Something is definitely up, and it's on Blizzard's side.

  9. Hi you've missed the number one way they hack. Browsing the web while logging in. I was just doing my standard search for 4.0 rotations and went to a few sites I had not been to... presto. The key logged me with a temporary script. Once my virus checker and malware bytes verified no trojan, I called Blizzard who recommended do not have your browser up on a third party site while logging in. They said this was the biggest hack right now.

    Another point. Blizzard should provide these keys free of charge. They make enough money; time to improve security.

    Another point. Do not install addons from anywhere but curse. Anything from rapid share... forget it.

  10. The exact same thing happened to me. Haven't played for months, but last week my husband said someone was on my account in Wintergrasp. I finally got ahold of Bliz on the phone, and they said someone would have had to hack into my e-mail account and knew my secret answer to change the email on battle.net. They said I probably clicked on something suspicious or I had a virus (I did NEITHER). Well, I have 2 security questions on my Yahoo account and never noticed anything suspicious. Not to mention that I got a new hard drive and hadn't logged into WoW since. I think they are afraid to admit that someone hacked into their user database.
    Oh yeah, I'm in IT so I know how to secure my PC. They are full of $hit.

  11. being in i.t. myself, i'd say "wow being hacked" would mean their (wow) servers are under attack, not what everyone else describes as just falling prey to keyloggers installed on their machines. i run wow on xp home with no anti-virus software at all, only windows update and the wow software. haven't had a problem in the 3 years I've played because I don't go to look at wow websites with that computer. only play wow or reboot into linux.

  12. Old article...but surprised at how many of you get hacked quite easily.

    Only time I've been hacked was via running iis 5.0 on 2000 server unpacked (nimda used a unicode hack by buffer overruns). I really never detected this worm until I noticed a second network PC in the house kept catching a virus (because windows opens ports up for netbios).

    Nowadays I'm running lots of layered security and plenty of NAC as well as all updated antivirus software and OS patched. Many people do not really know that having an infected PC is just as bad.

    The only other time a friend of mine got a nasty virus was through the legit UT demos on download.com in the mid 90's

    Even if wow server is being compromised, i doubt that would have any lasting impact as a company as big as them would apply a correction and restore the database in no time flat (being a true IT we understand disastrous situations).

  13. my account was compromised yesterday and I have contacted blizz. they sent an email to me telling me to send them another email I wanted to use as the account's name. I sent it to them however I'm not sure if I have done it correctly as I still haven't had a reply; could someone who's had the experience please tell me how it went for them?

  14. Here is the official process from Blizzard on what to do:

    http://us.battle.net/en/security/help

    Hope it helps.
