Securing WoW

Diablo 3 Beta Phishing Season Begins

2011-09-04T19:59:00.000-07:00

The scammers are out in force with the recent Diablo 3 beta opt-in announcement.

Phishing scams are very common around any Blizzard beta release announcement so it is time to be especially on your guard.

I received the following in my in-box today:

Greetings from Blizzard Entertainment!

We’re gearing up for the forthcoming launch of Diablo III and would like to extend you an invitation toparticipate in the beta test. If you are interested in participating, you need to have a Battle.net account, which you can create on our Battle.net website.

We will flag you for access to the Diablo III beta test when we begin admitting press. You do not need to go through the opt-in process.

To secure your place among the first of Sanctuary’s heroes,Please use the following template below to verify your account and information via email.

* Name:
* Battle.account name:
* Password:
* Country:
* E-mail Address:

Thanks and see you all in the Burning Hells!

The email claims to give you an express beta invite without having to go through the formal opt-in process. Naturally, this is an phishing attempt aimed at getting hold your valuable battle.net account details. The reply email address resolves into a d3-blizzard.com domain which, not-so-surprisingly, is registered in China:

Domain Name: D3-BLIZZARD.COM

   Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.

   Whois Server: grs-whois.hichina.com

   Referral URL: http://www.net.cn

   Name Server: DNS27.HICHINA.COM

   Name Server: DNS28.HICHINA.COM

   Status: ok

   Updated Date: 29-aug-2011

   Creation Date: 29-aug-2011

   Expiration Date: 29-aug-2012

Remember, Blizzard will never ask your for your battle.net password - be wary of any communications that requests this.

Top WoW Phishing Scams for March 2011

2011-04-05T22:20:00.000-07:00

I have established a WoW phishing honeypot and I see a lot of active phishing scams. I thought I would take the time to cover off the top two WoW phishing scams for March :

#1 Titled "Too Many Attempts Warning No.x" - 37% of WoW scams

The most common phishing scam for March comes in the form of a straight text email that warns you that your account has been locked due to too many login attempts. It provides a link to restore your account, but naturally points to a fake battle.net site, where your account details are captured.

-----------------------------------------------------------------------------

Dear customer,

Due to suspicious activity, your Battle.net account has been locked. You tried to login your account too many times (403). We are concerned about whether your account has been stolen. In order to guarantee the legitimacy of your account, we need you follow these steps:

Step 1: Secure Your ComputerIn the event that your computer has been infected with malicious software such as a keylogger or trojan, simply changing your password may not deter future attacks without first ensuring that your computer is free from these programs. Please visit our Account Security website to learn how to secure your computer from unauthorized access.

Step 2: Secure Your E-mail AccountAfter you have secured your computer, check your e-mail filters and rules and look for any e-mail forwarding rules that you did not create. For more information on securing your e-mail account, visit our Support page.

Step 3: Restore access to Your accountWe now provide a secure link for you to verify whether you have taken the appropriate steps to secure the account, your computer, and your email address. Please follow this site to restore the access to your account: xxxxxxxxxxxxxxxxxxxxxxxxxxxx

If you still have questions or concerns after following the steps above, feel free to contact Customer Support at xxxxxxxxxxxxxxxxxxx.

Sincerely,

The Battle.net Account Team

Online Privacy Policy
-----------------------------------------------------------------------------

#2 Titled "Account Change" - 26% of WoW scams

This scam attempts to scare you into thinking that your contact information has been illegally modified and entices you to log in to a fake site to verify your account information.

-----------------------------------------------------------------------------

Hello,
This is an automated notification regarding your Battle.net account. Some or all of your contact information was recently modified through the Account Management website.

*** If you made recent account changes, please disregard this automatic notification.
*** If you did NOT make any changes to your account, we recommend you log in to xxxxxxxxxxxxxxxxxxxx review your account settings.

If you cannot sign into Account Management using the link above, or if unauthorized changes continue to happen, please contact Blizzard Billing & Account Services for further assistance.

Billing & Account Services can be reached at 1-800-59-BLIZZARD (1-800-592-5499 Mon-Fri, 8AM-8PM Pacific Time) or at billing@blizzard.com.

Account security is solely the responsibility of the accountholder. Please be advised that in the event of a compromised account, Blizzard representatives will typically lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.

Regards,
The Battle.net Support Team

Blizzard Entertainment

www.blizzard.com/support

Online Privacy Policy

-----------------------------------------------------------------------------

Other active scams including a "7 days free access offer", "investigations on the sale/trade of your game account" and various "compensation" emails. I have also started to see scams for LOTRO and RIFT. You know that you have made it as an MMO when you see active phishing scams - sad, but true.

Learn more about the mechanics of these scams.

Trust Me, I am a Security Pro

2011-03-27T20:04:00.000-07:00

Everyone you talk to seems to have their own special advice on how to avoid having your game account hacked. Unfortunately, there is both good and bad advice given. While I normally blog about the good advice, I decided to take some time and dispel some of the common IT security myths out there.

Myth: You can't get hacked by simply visiting a web site

People often claim that you can't be hacked by just visiting a web site and that you need to download and install something by clicking on it.

This is false. You can indeed pick up a trojan/keylogger simply by browsing to a web site that has malicious content which takes advantage of a vulnerability and, depending on the vulnerability, you may not even know that you have been infected.

Vulnerabilities can be found in the operating system, your browser, your flash player, your media player and in any piece of software that runs on your machine. Many of these vulnerabilities, if exploited, allow remote code execution which can be used to automatically download malicious software without your interaction or knowledge.

Myth: Running Firefox/Mozilla means I am safe

Internet Explorer has traditionally been one of the most exploited browsers, mainly because of its historical prevalence. These days, Firefox is the most popular browser amongst WoW users (44%), with IE (22%) and Chrome (21%) coming next... and the hackers have followed. Many vulnerabilities and exploits have been discovered with Firefox.

Other browsers are not perfect either. For example, a competition at a security conference found that most browsers could be easily compromised with Google's Chrome being the last one standing.

Myth: Run 'noscript' and you will be fine

Noscript is an addon for firefox that allows you to block flash and javascript on web pages. It helps alleviate issues such as flash vulnerabilities that are often announced.

Noscript is a very good idea in concept but it breaks most web sites, especially modern web sites that require flash and javascript (which is nearly all of them). This is the traditional trade-off you get with security. Noscript provides some excellent protection but you will not get the full functionality from web sites without extensive whitelisting.

Myth: I run a Mac and Macs don't get malware

Yes they do - just not as much malware as what Windows users can expect.

However, you can still get phished. Given that many of the account hacks are a result of phishing attacks, Mac users need to remember that they are just as vulnerable to these as any other user.

Myth: Pick up free anti-virus software and you will be right

Honestly, you get what you pay for. As someone that comes from the anti-virus industry, I know the investment required to produce a top-quality anti-virus solution. Free AV is good, but paid-for AV is better. It ultimately comes down to your tolerance of risk and whether you are prepared to pay for better protection. You can see a list of AV products and their ratings at avtest.org.

Myth: I have an Authenticator therefore I am protected 100%

No security will provide 100% protection. Whenever you hear someone say that something is 100% secure then don't believe a word of it.

The authenticator recently fell victim to some malware that intercepted the authenticator's code and sent it off to the hacker. But don't despair - the authenticator is still one of the best prevention mechanisms you can buy.

I don't have an authenticator, I don't run AV, I don't have a firewall and I have never been hacked.

You should go and buy yourself a lottery ticket. Seriously, you are very lucky.

As discussed earlier, you can get infected simply by surfing a page that features some malformed objects designed to exploit a vulnerability in some piece of software on your PC.

But you avoid bad sites such as hack sites or porn sites, right?

Well, even the good sites get hacked to become a source of malware. This is becoming a much more common method of malware propagation.

Visit our 10 Easy WoW Security Steps post to learn more about securing your WoW account.

Blizzard Adds Dial-in Authenticator

2010-11-11T20:50:00.000-08:00

Blizzard has announced a new security service for US players called the Dial-In Authenticator.

"Similar to the Battle.net Authenticator and Mobile Authenticator application, the Battle.net Dial-in Authenticator is an optional tool that provides an additional layer of security against unauthorized account access. The Battle.net Dial-in Authenticator is not a physical token or application run on a mobile device, however. Instead, it is a free opt-in service that will actively monitor an account and request additional authorization from the user when a potentially unauthorized login attempt occurs."

The service asks you to nominate a phone and a PIN. When your account is accessed from a different IP address it will ask you to authenticate by dialling a US toll-free number from your nominated phone and entering your PIN and a single-use security code. The service is optional and best of all, it is free.

This is a good addition to the security arsenal, especially for those users that move around a lot and don't have a hardware authenticator. Remember that good security is made up of several layers of protection, and this offers yet another layer.

More information can be found at the official Battle.net Dial-in Authenticator FAQ.

Guild Ranks To Include Authenticators

2010-09-19T21:19:00.000-07:00

Image courtesy of WoW Insider

The latest news from the Cataclysm beta program, via WoW Insider, is that guild masters have the option tp set guild ranks to require the player to have an authenticator on their account.

The obvious use for this is to have the guild master set this on any guild rank that has guild bank access. This will help reduce the chance of the guild bank being stripped in the event of an account compromise.

However, guild masters can go further by mandating that all of their raiders, and even all of their members, have an authenticator. Too often we see raiding disrupted when key players have had their accounts hacked. Just imagine the inconvenience when a progression raid gets cancelled because the main tank is waiting for his/her account to be restored after a hack.

This is a great initiative by Blizzard and will surely give people one less excuse for players to adopt this technology.

Some of the more common excuses for people not having an authenticator include:

"I don't have a credit card" or "They don't deliver to my country" - download the free authenticator app for your mobile phone or ask a guild mate to purchase one for you and mail it to you
"I am too smart/cautious to get hacked" or "I have never been hacked" - Vulnerabilities in your operating system and applications can very easily result in you downloading a keylogger by simply visiting a legitimate web site that may have been compromised. For well-written exploits, no user interaction is required to become infected - you just need to visit a compromised web site. Your game login and password is then shipped off to the bad guys. See the recent Adobe example. Additionally, common passwords can be attacked by automated processes - you don't even need a keylogger on your system to fall victim.
"I own a Mac" - Yes, you are less likely to pick up a keylogger since most are written for Windows however, owning a Mac won't stop you falling for phishing attacks.
"I pay for this service, authenticators should be free" - I doubt that Blizzard are making any real revenue on a product that sells for $6.50 - they are just aiming to recover costs. Think of the amount of money you have paid for your subscription to date, and then ask yourself if it is worth the extra $6.50 to reduce the chance of all your hard work being compromised.
"It is inconvenient to type in the code" - the extra ten seconds required to login is a small price to pay for the extra security that it provides.
"Authenticators have been hacked" - well, it was not the authenticator that was hacked, it was more that a keylogger picked up the authenticator code and, in real time, shipped it off to the bad guys. This was a fairly sophisticated attack and required people power to do the real time processing. Keep in mind that security is never 100% and that the authenticator is just making it more difficult for the bad guys to get into your account. An authenticator is still a very effective tool in your security arsenal.
"I don't care, Blizzard can restore my account after a few days" - if you are in a raiding guild then the delay in reporting and restoring your account may mean you miss out on raiding, potentially impacting your entire raid group. This may even put your guild membership at risk if this happens regularly.

Check out Ten Easy Steps to Securing WoW for more security tips.

Adobe Announces New Flash Vulnerability

2010-09-16T18:34:00.000-07:00

Adobe Systems has recently disclosed a vulnerability in their Flash Player 10.1.82.76 for Windows, Mac, Linux and Solaris. The vulnerability allows the execution of code from a specially crafted PDF or Flash file. Adobe mention that they have seen this being actively exploited.

Put simply, this type of vulnerability could see you become infected with a keylogger simply by browsing a web site that has been compromised. We have seen WoW keyloggers installed via this type of Adobe vulnerability before in June and February.

Adobe has not released a patch for this as yet, but plan to have something available during the week of September 27.

You can reduce the chance of becoming subject to this attack by patching your flash player as soon as a patch is released and by running a PDF/flash blocker such as noscript in the meantime.

You can find more information on this at the Adobe Security Advisory site.

Blizzard steps up password education

2010-08-08T20:52:00.000-07:00

Blizzard has stepped up its security education program, with a big emphasis on password security. Via both a game login message and a recent blue post, Blizzard stresses the importance of having a different password for your World Of Warcraft game account and making sure that your password is a strong one.

BORNAKK: We have been helping players deal with account theft for years now, and unfortunately, roughly a third of players make a very basic security mistake: using the same password for all of their security needs.

If you are serious about protecting your account and your personal security, your Battle.net password should be different from your email account password -- or other personal passwords for that matter!

No one wants account thieves rooting around in their personal email, address book, and contact lists. Too often we see thieves breaking in to this information because their target has used the same password across multiple types of accounts. Not only can this give thieves access to your account, it can lead to compromises far outside of Battle.net as well.

It’s immensely important that everyone use separate passwords for separate applications, including games. Secure passwords have both numeric and alphabetical values, and are usually at least 10 characters in length.

Now this is very sound advice and is something that I have been highlighting for quite some time. One third of hacks being a result of using the same password across multiple sites and applications, such as email and fan sites, is a fairly alarming statistic. This suggests that there are a lot of 3rd party systems out there that are being hacked to farm WoW user accounts and passwords.

Also note that WoW does not impose restrictions on password attempts so dictionary attacks are also a real possibility on your account. This is a great reason for selecting a strong, complex password.

Oddly enough, Bornakk does not mention the use of an authenticator. The Blizzard authenticator is a great security mechanism and something that every WoW gamer should possess.

You can read more on choosing secure passwords and dictionary attacks on your WoW account here.

ESRB mistakenly releases player email addresses

2010-07-12T19:15:00.000-07:00

Many people have asked me how the bad guys get hold of our battle.net login id's - the same bad guys that inundate us with WoW phishing emails and do dictionary attacks on our battle.net logins.

The team at wow.com have published an article on how the Entertainment Software Rating Board (ESRB) managed to mistakenly release almost 1000 email addresses of wow players that wrote to them to complain about Blizzard's plan to use real names on the official wow forums.

This email list is a gold mine to the bad guys, especially where these email addresses match up with battle.net ID's. There is little doubt that these 1000 email addresses will end up on WoW phishing lists and that they may also be targets for WoW dictionary attacks.

If you recently wrote to ESRB and you used the same email address as your battle.net ID then please consider changing your battle.net ID to a new, unique email address.

You can read more about the mess-up at Wow.com

Patch Your Flash!

2010-06-07T17:41:00.000-07:00

Blizzard has released an advisory warning all players to update their Adobe Flash Player. Adobe Flash Player 10.0.45.2 has a vulnerability that may allow an attacker to take control of your machine.

LUCYTR: A critical vulnerability has been discovered in Adobe Flash Player 10.0.45.2 and Adobe Reader/Acrobat 9.x, and could potentially be used to target World of Warcraft players and accounts. The newest available version of Adobe Flash 10.1, Release Candidate 7 (available at http://labs.adobe.com/technologies/flashplayer10/), does not appear to contain this vulnerability, and we recommend that everyone upgrade their Flash player as soon as possible. Earlier versions of Adobe Reader and Acrobat, specifically version 8.x, do not appear to contain this vulnerability, either.

Adobe reports that it has seen evidence of this vulnerability already being exploited.

Although the technical details are still sketchy, it is likely to require a specially crafted flash or PDF file to trigger the vulnerability. We have seen this type of attack on Adobe flash before - where you can be infected by a keylogger/trojan by simply visiting a legitimate web page that renders this malicious code or redirects to a malicious site containing the code.

Unfortunately, Adobe don't seem to have this fix on their auto-update system so be sure to visit Adobe's Security Page and patch your machine with v10.1 today.

Phishers Ramp Up Their WoW Assault

2010-06-03T01:30:00.000-07:00

Phishers have begun targeting the remote auction house and cataclysm betas in the latest wave of WoW account phishing spam.

In the first example, unsuspecting users receive an email promoting the features and benefits of the remote auction house and invite them to participate in the beta by clicking on a download now link. The link takes them to a fake battle.net login site where their game details are captured.

A sample email is shown below:

A second type of phishing email is targeting the Cataclysm beta opt-in. Users are sent an email reminding them to update their system specifications to be eligible for a beta invite by logging into battle.net. Naturally, the battle.net link is a fake site designed to collect your account credentials:

Be wary of any email that pretends to come from Blizzard and check the URL of any linked site before entering your account credentials. Visit our anatomy of a phishing site post for information on how to spot phishing emails and better protect your game account.

Let us know if you have received emails scams like these.

Suffer mortals, as your pathetic password betrays you!

2010-05-30T20:33:00.000-07:00

One of the things we often don't put much thought into is password selection. Usually it is a loved-one's name or an easily remembered string of characters. Unfortunately, a poor choice of password can dramatically increase the chance of your game account being hacked.

In an analysis performed by Imperva of 32 million leaked passwords from rockyou.com, it was found that nearly 50% of passwords consist of people's names, slang words, dictionary words or trivial passwords. The study estimates that if a hacker used the top 5000 passwords in a dictionary attack, it would take, on average, only 111 attempts to break into a given account.

World of Warcraft does not have an account or IP address lockout after any number of bad password attempts. This gives the bad guys an opportunity to dictionary attack your account.

Assuming that the WoW account password frequency distribution is similar and that a hacker could try a password every 2 seconds - it would take an average of only 3.7 minutes to hack an account.

Obviously the time required to hack your account is going to vary based on the strength of your game password so choosing an uncommon and complex password is key. The report lists the following as the most commonly used passwords:

123456
12345
123456789
password
iloveyou
princess
rockyou (or 'warcraft' in our case)
1234567
12345678
abc123

Other common passwords include monkey, qwerty, 654321 and first names of people.

How can you better protect your WoW account?

First, buy yourself an authenticator and add another layer of security to your account. A dictionary attack is largely rendered useless with the addition of a hardware token.

Second, if you don't have an authenticator or wish to be more secure then choose a strong password. Strong passwords contain numeric and non-standard characters and do not have any strings that contain dictionary words. They should be at 12-14 characters in length. However, don't bother too much with upper and lower case characters since the battle.net authentication service does not differentiate between upper/lower case. An example of strong WoW password would be something like "sdm#6wua2pa9jk".

If you have trouble remembering a strong password (and most of us will) then try to create something similar from a memorable saying. For example, Professor Putricide's "Bad news everyone! I don't think I'm going to make it" becomes "bne!idtig2mi" as your password. Such a password will be close to impossible to dictionary attack and will take a long time to brute force attack. Don't share this password with anyone and don't use this password on any other service - keep it unique to WoW only.

Finally, create a unique email address as your battle.net login. Hackers need to be able to guess or steal your username so making this complex will certainly hinder their efforts.

Update: If you want to read more about hackers stealing account usernames and passwords, check out the Symantec article where they recently discovered 44 million stolen gaming credentials.

A little bit of effort with your password selection will make hacking your precious account significantly more difficult... and don't forget to get yourself an authenticator.

MMO-Champion hacked

2010-05-21T17:25:00.000-07:00

The team at the popular WoW fan site MMO-champion have announced that their site was recently hacked. What happened here and how can you best protect yourself against malicious code on legitimate web pages?

The malicious code was Gumblar - a malicious piece of javascript that was placed on their pages.

How did the malicious code get there?

This is a question that has not been answered by the web site owners. However, it is likely to be one of the following causes:

The mmo-champion.com site was hacked and the code was manually planted there by the attacker. There are multiple ways this could have happened, but one common way is via SQL-Injection.
One of their admins was infected on their own PC and their FTP login details were used by the malware to log in to the mmo-champion.com web servers and automatically infect their files.

Hackers often target legitimate web sites, especially high traffic sites, so that they get the widest exposure to their malware.

What is the malicious code designed to do?

According to a Gumbar Q&A, the malicious code redirects a user to a malicious web site that contains specially crafted PDF or flash files that automatically infect your machine if you do not have your Adobe flash player patched. The malware that it installs can redirect your google searches and replace search results with links to malicious sites. It also harvests FTP information from your machine so that it can try to automatically inject code on other web servers. Finally, it can open a back door so that your machine can be controlled remotely.

Could I have been infected from MMO-champion?

The team at mmo-champion claim that the malicious code was only on their site for 30 mins before it was detected, shut down and subsequently cleaned.

If you browsed the site in that time, you probably would have noticed an attempt to redirect your browser to another web site. Many browsers have in-built blocking mechanisms so you may have seen a big red message on your browser advising you that you are about to visit a malicious web site. If you proceeded, and the malicious web site was online at the time, then you would have been exposed to malicious pdf or flash files. If, and only if, your Adobe flash player was not patched, then these malicious files may have automatically executed. If you were running up-to-date and mainstream antivirus products then it should have been detected and stopped at this stage.

The short answer is, you may have been infected but you would have needed to have no antivirus (or poor antivirus), no recent patching of your Adobe flash player and would have needed to visit the site in the 30 mins when the code was there.

If you think your machine is infected then try this free web-based scanner - Housecall

Does it steal my WoW account info?

No, but if you were infected then you still need to clean it off your machine since it may compromise any FTP sites that you might visit, install a backdoor and your search engine results may be replaced with malicious sites. This is not the type of malware that you want on your PC.

Would the firefox 'noscript' add-on help?

Probably, although if you are a regular mmo-champion visitor then you would have been likely to nominate their site as a trusted site in noscript - resulting in noscript having no effect. Noscript is a great security measure, but it breaks a lot of sites. It is the old security vs usability trade-off.

What can I do to protect myself against these attacks?

Make sure your software is fully patched - this includes your operating system (OS), browser, flash player, javascript, etc. Most people just worry about patching their OS, but there are many other avenues for exploiting software vulnerabilities on your PC.
Make sure you run reputable anti-virus on your system - and make sure it is always updated.
Don't ignore your browser when it tells you that the site you are about to go to is potentially dangerous.
Get yourself an authenticator. Even though this malware is not written to steal WoW information, the next one might be. An authenticator is a last line of defense, and may prove to be your savior should all else fail.

Finally, don't assume you can't get infected by malware without user interaction - you can! You can pick up malware simply by visiting a web page and you won't even know it is happening. This is why you need several defense mechanisms in your security arsenal.

Beware 2010 Arena Tournament scams

2010-04-25T15:28:00.000-07:00

Scammers are increasing their efforts with the recent announcement of the 2010 Arena Tournament. I am starting to see phishing emails that tell you all about the new arena tournament and provides you with a convenient "Register Now" link. This link takes you to a fake login page and steals any details that you enter.

The fake login page will capture your username and password. The site then redirects you to the genuine US battle.net login page and tournament registration. Like an ATM skimming device attack, the user rarely detects that a scam has taken place until their account is stripped.

An example of these emails:

Want to learn more about how to spot phishing scams? Check out our post covering the anatomy of a WoW phishing site.

WoW Phishing Domain Compendium

2010-04-21T23:38:00.000-07:00

World of Warcraft phishing scams are becoming commonplace these days. I wrote an article last year which covered the anatomy of a WoW phishing site.

To give you some idea on how widespread the issue is, I have put together a collection of the known illegal phishing domains seen so far this year. This list is largely based on a WoW spam honeypot that I have established and further supplemented by tips from players.

Warning - do not visit these sites! They are included here to help educate gamers on what to look for with regards to phishing URL's. Some are still active and may feature malware/keyloggers. I have purposely mangled the URL so that you don't accidently click on the sites. If you feel tempted then stop reading now - you have been warned.

WoW Phishing Domain List

http_://www.accountmanagement-worldofwarcraft.net

http_://www.wor1dcfwarcraft.com
http_://www.worldrofwarcraft.net
http_://www.wor1dofwancreft.com
http_://www.wor1dofwancrvft.com
http_://www.wor1dofwororaft.com
http_://www.worldofwarcrarrft.com
http_://we-io8.worldofwarcraftftc.com
http_://www.worldofwacacraft.com

http_://www.worldofwarcraft-accountadmin-battle.net
http_://www.worldofwarcraft-account-athonticate-account-authonticate.com
http_://www.worldofwarcraftaccount-billing.com
http_://www.worldofwarcraft-account-checkwarning.com
http_://www.worldofwarcraftaccountsecurity.com
http_://www.worldofwarcraft-instruction-account.com
http_://www.worldofwarcraft-certification-account.com
http_://www.worldofwarcraft-supports-account.com
http_://www.worldofwarcraft-subscription-security.com
http_://www.worldofwarcraft-account-investigate.com
http_://www.worldofwarcraft-account-authorization.com
http_://www.worldofwarcraft-account-authontisate.com
http_://www.worldofwarcraft-account-inspect.com
http_://www.worldofwarcraft-account.com
http_://www.worldofwarcrauft-account.com
http_://www.worldofwxarcraft-test.com
http_://www.worldofwarcrcft-test.com
http_://www.worldofwarcruaft-account.com
http_://www.worldofwariraft-manage.com
http_://www.worldofwarcranft-login.com
http_://www.worldofwarcraft-battles-account.com
http_://www.worldofwarcraft-login-admin.com
http_://www.worldofwarcraft-security-billing.com
http_://www.worldofwarcraft-account.info
http_://www.worldofwarcraft-battle-admin.net
http://www.worldofwarcraft-account-authoriration.com/

http_://www.wowaccountmobilephone.com

http_://www.management-adminis-blizzard.com

http_://www.battlenetaccount.com
http_://battle.arena-award-management.com

http_://www.blizzard-feedback.net
http_://www.blizzard-forums.com
http_://www.blizzardaccount-management.com
http_://www.blizzard-account-login-management.com
http_://www.blizzardaccount-billreview.com
http_://www.blizzardaccount-support.com
http_://www.blizzardbattle-management.net
http_://www.blizzardbattle-bill.net
http_://www.blizzardhosting.net

http://www.us-battle-blizzard.net/
http://www.info-battle.net/
http://www.security-accounts-blizzard.com/
http://battle.tournament-administration.com/
http://www.management-ccount-blizzard.com/

These domains are constantly changing - as one is shut down or blocked, another appears. As you can see, there are a lot of variations.

These URL's are usually associated with a spam email telling you that your WoW account has been suspended. The email asks you to click on a link (which may be disguised as a valid game site URL) which takes you to these malicious URL's to phish for your game details. The link could also arrive as an in-game mail or whisper.

As always, don't click on links in emails that appear to come from Blizzard and don't believe the random in-game whispers that tell you that you have won a rare spectral tiger or that your account has been suspended and that you immediately need to log in in to unlock it.

For more information on how to look out for phishing attempts visit the official Battle.net security site and our top 10 security steps article.

If you see any other fake WoW phishing domains then report them to polar at guildox dot com

Kicking Goals in the World of Warcraft

2010-03-15T22:03:00.000-07:00

Is a member of your family or close friend crazy about a game called World of Warcraft? Do they lock themselves in their room, playing the game for hours and refusing to take phone calls or talk to you? It's time to investigate this seemingly strange behavior by drawing parallels to the universal sport of soccer/football.

What is the World of Warcraft?

World of Warcraft (WoW) is a highly popular multi-player online game with over 11 million subscribers. Unlike traditional stand-alone computer games, online games feature interaction with hundreds and sometimes thousands of other real human players. In WoW, these players form 'raid groups' of up to 25 players to tackle an in-game dungeon.

What exactly is a WoW raid group?

Think of a raid group as a soccer team and think of an dungeon as a series of matches where the team plays against computer controlled opponents, also known as "bosses". The raid group works as a team to win these matches - there is a nominated raid leader (the coach and captain) who gives instructions and coordinates the team. The team consists of attackers (DPS members) which are assigned to attack and damage the boss and defenders (tanks and healers) which aim to distract the boss and heal up the team so that the attackers can do their job. Each team member is assigned a specific role and, like any sporting match, all players need to be present for the full game time and perform their assigned duties to the best of their ability. Many raid groups also have reserve players that sit on the bench, waiting to be called in to replace players.

Team members will communicate with each other via a microphone and headphones connected to the PC - you may see your partner sporting a very ugly set of headphones, looking something like a submarine commander. This is the equivalent of the on field communication that happens between players, the captain and the coach.

Each of the matches takes typically between 5-10 mins. During this time, there is no way to pause the game - all raiding takes place in real time. After each match, the raid leader will analyse the performance of the team, make adjustments and then re-engage until the "boss" is defeated - just like any good soccer coach.

A full raid session may consist of many boss kills and can easily go for several hours. Raids are typically scheduled at specific times each week.

So why won't they come and have dinner when they are called?

Players are required to be present for the full duration of the raid. Like any sporting match, you cannot just leave the game whenever you decide. Many of the matches require all members of the raid to play at their best - any single member that steps away from a match and goes 'away from keyboard - AFK' without pre-warning the raid leader will very likely cause the match to be lost - upsetting the other 24 players in the raid.

Why can't I talk to them for 5 mins during a raid?

Players will either be participating in the match or will be listening to the raid leader, taking instructions before the next match. Either way, the player needs to give the raid his/her full attention.

It is best to wait for a "bio" break to speak with them. Bio breaks are scheduled breaks where the player can get a coffee or visit the bathroom.

What happens when all of the bosses are defeated?

This only occurs for the very elite teams and only for certain periods of the year. The creators of WoW are constantly adding new bosses and content to the game to keep players entertained. Most raiding groups always have something bigger to aim for.

I asked them to go out this weekend but they claim they are rostered. What's the deal?

Just like your weekend soccer games, players announce their availability to play typically 1-2 weeks ahead of the scheduled raid. A team roster is usually published by the raid leader a few days before the raid. Players that made themselves available and subsequently get rostered are expected to play.

Why bother raiding - it's just a computer game? Why don't they go outside and kick a ball instead?

The real thrill of raiding is the feeling of progression, team work and accomplishment - just like the feeling you get after winning a sporting final.

Each completed boss encounter awards the group with several items of equipment, otherwise known as 'loot'. This loot comes in the form of items that the player can wear and may be a new piece of armor, weapon or other similar item. Loot items increase the power of individual players and are highly sought after. Winning loot in a raid is a significant achievement - very similar to that sporting trophy you display with pride on the mantle piece.

So if I have to engage in conversation with my WoW gamer, what should I be asking?

Stun your WoW gamer by asking them any of the following questions:

What role do you play in WoW raids? A tank, healer or DPS? Why did you chose that role?
What new loot did you get from your raid today? Show me your character.
What boss are you currently working on? How did you go?
Your dinner is almost ready, when can you take your next extended bio break?

Ask these and your fellow raider is bound to be most impressed with your understanding of their gaming world.

Finally, just remember that calling your WoW player for dinner or asking them to do chores in the middle of the raid is likely to be met with some serious resistance. Would David Beckham or Ronaldo leave the field mid-game to put the trash out? At least wait for half-time.

Update: Keylogger websites shut down

2010-03-01T18:13:00.000-08:00

The main infection source of the recent anti-authenticator keylogger/trojan appears to have been shut down. The main places of infection - the fake site wowmatrixf._com and other associated fake addon sites, including cursea._com and deadlybossmodss._com - are no longer online. (Victims were lured to these fake sites via Google advertisements)

We can breathe a sigh of relief but don't become complacent. This trojan/keylogger is likely to spring up somewhere else. Be cautious of what you download and execute from any web site. Addons should not require an installer package to execute. Be very suspicious of anything that asks you to "run a program". Follow our 10 Easy Steps to increase protection.

If you notice that these fake sites pop up in another spot then let us know.

Authenticator hack - is your account still safe?

2010-02-28T18:18:00.000-08:00

The big security news of the weekend is that Blizzard has confirmed a man-in-the-middle attack that is being used to hack accounts that are using an authenticator.

Let me state up front that this is not a reason to throw your authenticator away nor should it be an excuse for not getting one. The authenticator is a very sound device - but it is, and will always be, just one of many security mechanisms that you should use to help secure your account. It is what us IT security guys call "layered security" - more on this in a moment.

The attack itself requires a keylogger/trojan. The keylogger, once installed on your system, logs your game user name, password AND authenticator code. It proceeds to post this information off to a rogue server so that the attacker can use this information in near real-time to access your game account. In the meantime, it sends an incorrect code to the battle.net authentication server from your machine - resulting in an "incorrect login" type message from the game. It does this so that you don't consume the one-time-use code that the authenticator provides.

Now it was only a matter of time before we saw this kind of attack. More and more people have been using authenticators. In a survey of over 90 gamers at securingwow.blogspot.com, 84% of them claim to have an authenticator attached to their game account. This tells us that more and more people are now running with an authenticator - reducing the pool size of "easy" victims.

The bad guys are now being forced to step up the sophistication of their attacks and have started targeting those with authenticators. We are bound to see many more keyloggers with this capability in the near future. Additionally, phishing attacks will also begin to operate in the same fashion - asking you to type in your authentication code, along with your other game account details, posting the info off to the attacker - who uses them in real time - leaving you with a "system unavailable" message and a soon-to-be-stripped game account. If we don't have these mechanisms in WoW phishing sites already then I can assure you that they are not far away.

So how do you prevent it from happening? It all comes down to minimizing the chance of being infected with a keylogger in the first place. One of the many tenets of IT Security is that "no sercurity system is 100% effective". Anyone that tells you otherwise does not know what they are preaching or they are trying to sell you some snake-oil. In this case, we can't rely on authenticators to be the only defense mechansim - here are ten simple steps you can do to reduce the chance of your game account being compromised:

Don't share your game password with anyone and pick a password that is not easily guessed
Don't use the same password for subscribing to fan sites
Keep your operating system, browser and other software (especially Adobe Flash) fully patched - start with Windows Update
Run a reputable antivirus product, preferably a full internet security suite with a firewall and keystroke encryption
Don't click on email attachments, especially when you don't know the sender
Don't download and run executable files from web pages
Don't enter your game password into any web site other than the official game sites
Don't enter your game password to a legitimate Blizzard web site from a PC that may be compromised
Be very suspicious if an addon requires some form of install package to be run
Invest in a Blizzard authenticator or install the Battlenet authenticator application on your phone

Try to follow all of these recommendations - not just one or two points.

In this specific case, the keylogger was reportedly delivered via a fake site for the Wowmatrix addon manager. The site was created to look and feel like wowmatrix.com but, instead of downloading and installing the addon manager, the keylogger was installed instead. Our recommendations #6 and #9 talk about being "very suspicious" of add-ons that require an installer to run and avoid running executable files from web sites.

The bottom line is that keyloggers and phishing sites are here to stay. Don't rely on your authenticator to protect you 100% of the time - but don't throw it out either. It still forms a very strong part of your layered defense against the bad guys.

Post a comment - we would like to hear from you if you have fallen victim to this attack.

Adobe Flash Vulnerability Fix

2010-02-12T14:47:00.000-08:00

Adobe has released a patch for the latest Flash vulnerability. Adobe Flash is used by the majority of browsers to display dynamic content on web pages. This vulnerability can potentially lead to automatic keylogger downloads by visiting a web site that has a specially crafted flash file embedded in its pages. This is known as a 'drive-by download' - one in which malware can be downloaded and installed without you knowing.

While I am yet to see this specific vulnerability exploited, it is only a matter of time before it is. I have seen previous Flash vulnerabilities exploited to download keyloggers from popular WoW fan sites.

So - play it safe - visit the official Adobe Flash download site and update your flash player.

Be sure to visit our 10 Easy Steps page to further protect your WoW account.

Blizzard Launches Battle.Net Security Site

2010-01-29T17:45:00.000-08:00

Blizzard has launched their official security awareness page offering helpful advice on what you can do to safeguard your computer, how to spot scams, info on the adverse effects of buying gold, and tried-and-true methods to help prevent account compromises.

The specifically provide:

A Security Checklist - covering preventative measures that you should be taking
Type of Account Thefts - listing the common methods used to hack accounts
Advice on what to do if you get hacked

Be sure to check it out at http://us.battle.net/security/

As always, having a Blizzard Authenticator is one of the best methods of hack prevention.

The Armory Phishing Scam

2010-01-15T16:39:00.000-08:00

The new and improved wowarmory has brought with it opportunity for scammers seeking to trick you into disclosing your wow game passwords. Check out the full coverage at wow.com on this latest scam:

http://www.wow.com/2010/01/15/beware-of-wow-armory-phishing-scams/

As always, never enter your game username/password into a site that is not "blizzard.com" or "worldofwarcraft.com" and get yourself an authenticator today!

If you have had a close encounter with a wow phishing scam then post and comment and let us know about it.

Beware of Cataclysm Phishing Scams

2010-01-12T18:04:00.000-08:00

With the recent announcement of the Catalysm alpha, users are warned not to fall victim to phishing scams.

Be aware that if you receive an email inviting you to join the Cataclysm testing cycle then it will most likely be a scam. Cataclysm open beta does not exist as yet.

Do not enter your game username and password into any sites that may link from any email claiming to be an official Blizzard invite to Cataclysm.

If you see a Cataclysm phishing scam then feel free to share your comments on it.

Latest phishing scam

2009-12-11T03:03:00.001-08:00

The latest phishing scam is an email titled "Battle.net Account – Password Change Notice" telling you that your password has been changed and if you did not make the change then you should visit the blizzard FAQ at a URL of:

http_://www.worldofwarcrarrft.net/

Spot the scam? I hope so (emphasis added).

This is a traditional wow phishing scam.

New phishing scam

2009-10-01T04:37:00.000-07:00

You receive an in-game whisper promising a new mount by visiting:

http://www.blizzus-wow.com/

This is a scam phishing site designed to steal your account information. In fact, it appears to be the very same set of pages that are discussed in my previous blog about how to identify WoW phishing sites.

The Anatomy of a WoW Phishing Site

2009-09-16T17:32:00.000-07:00

Password stealing via a bogus phishing site is a common tactic for those wanting to break into your WoW account. Let's explore the workings of an illegal WoW phishing site and give you some tips on how to spot such fakes. Note that the phishing site discussed here is no longer online.

The Bait

You receive an in-game whisper or mail telling you that you are eligible to trial an all-new mount. All you have to do to claim this mount is to register on an "official" site and the mount will be sent to your account. The message contains the URL of a site to visit - in this case it is "http://www.blizzard-forums.com". Eagerly, you race off to claim your special mount.

The Hook

You enter the URL to your browser and you get the following site:

You enter your account name and password, hit submit and are taken through to the following page:

They are now asking for my email address and they want to confirm my account's secret question and answer. You enter the required information and hit submit. You finish on the following success screen:

Application Successful! You just need to wait for your mount to arrive in my in-game mail - but it never does. However, next time you log in to the game you find that all of your characters have been stripped of their worldly possessions, you have no gold and your guild's bank has been raided.

You have been the unfortunate victim of a phishing attack!

Where did I go wrong?

How could you have prevented falling for such a trick?

Phishing is a form of social engineering - a tactic used by the bad guys to lure in unsuspecting victims to steal personal information - in this case your account login details.

The first part of this attack was to offer something that was highly desirable - in this case the promise of a new, special, in-game mount. Other attacks use the promise of special access to beta new expansion content or tell you your account has been locked as a result of a hack and you need to follow certain steps to unlock it. It can come as an in-game whisper, an in-game mail or a regular email.

Rule#1: Be highly suspicious of anything that is offered for free or anything email that claims your account has been compromised

Next, you were given the URL of something that turned out to be a phishing site. But how can you tell if it is official or not?

The two sites, one bogus and one legitimate:

Spot the difference? No?

It is extremely difficult to spot the difference. It is very easy for an attacker to copy the images, layout and text of the legitimate site - and do it perfectly.

However, there are key things to look for in the URLs. The official Blizzard site is a secured SSL site, with the URL prefixed with "https://". The site is also part of the battle.net domain (in this case us.battle.net):

The bogus phishing site has no SSL, no "https://" and is not part of a battle.net, worldofwarcraft.com or blizzard.com domain:

In fact, looking up the blizzard-forums.com domain ownership, it was found to be owned by an individual in Shanghai, China.

The real irony is that the official Blizzard warning is still shown on the bogus phishing site:

Rule#2: Do not type your game account username/password into any web site other than worldofwarcraft.com (wow-europe.com), blizzard.com and battle.net.

Rule#3: Check for a secured "https:" session on such sites when entering your username/password - while not a 100% guarantee of legitimacy, phishing sites generally don't bother with digital certificates and https.

Some other things that could tip a user off with this example were:

1. Nothing happened if you clicked on any of the language options on the first page - the bad guys were a bit lazy and could not be bothered writing the multi-language support for the site. They were obviously only targeting the english speaking community.

2. Many of the links on the subsequent pages were incomplete and broken.

3. Entering a dummy username and password still allowed you to progress to the subsequent "success" pages - there was obviously no way to check the username/password combination.

4. There was extremely poor grammar on many of the subsequent pages.

Final words

A word of warning regarding the URL - I recently saw a similar phishing attack that cleverly used the URL of "www.promotion-battle.net". At a glance it looks like a battle.net domain but it is not. The domain is promotion-battle.net and this domain is definitely not an official website.

Rule#4: Just because the letters battle.net or worldofwarcraft.com or blizzard.com appear somewhere in the URL does not make it an official site.

Official login sites should have the format:

https://[prefix].battle.net/...
or
https://[prefix].worldofwarcraft.com/...
or
https://[prefix].wow-europe.com/...
or
https://[prefix].blizzard.com/...

Where [prefix] can be 'www' or 'US' or 'EU' or similar.

We have covered the main things to watch out for with regards to bogus phishing sites. There are other, more advanced phishing techniques including DNS hijacking and cross-site scripting that are beyond the scope of this article but are worthy reading topics for those that wish to know more.

If you ever have any doubt about a site that asks for your game username/password then contact http://blizzard.com - manually type the URL and don't follow links from the suspect site - and ask them if the suspect site is real.

Grab yourself a Blizzard authenticator (or phone application) and add another layer of protection to these kinds of attacks - if the bad guys get hold of your username and password then it is of little use to them without your hardware authenticator.

10-steps to better WoW acount security

Protecting Your WoW Account: Ten Easy Steps

2009-07-19T16:28:00.000-07:00

You invest a lot of time leveling your characters so don't leave yourself exposed to the disappointment and frustration of account compromise.

Let's explore the common hacking methods of the bad guys and introduce some simple and easy steps on how to help prevent character loss and down time.

How do WoW accounts get hacked?

The keylogger

Keyloggers or keystroke loggers are covert pieces of software that sit in memory, logging your keystrokes when you enter the game or when you enter the Blizzard account or forum web sites. The keylogger then sends this information out to the bad guys. Many people wrongly believe that keyloggers only look for your password when you enter the game, but more commonly than not, they intercept it when you enter the Blizzard forums or account pages on the official web site.

Keyloggers are often included in the functionality of malware called "Trojans". Trojans are pieces of software that are designed to look like legitimate software but have backdoors for malicious functions.

Reputable antivirus software will detect keyloggers as soon as they attempt to install themselves and will often identify them as trojans. There are plenty of good, free antivirus products out there but if you sometimes get what you pay for. In fact, there are many scam products out there that appear to be antivirus products which are actually keyloggers themselves. I recommend sticking with the major commercial antivirus vendors such as Symantec, McAfee, Trend Micro, Sophos, AVG and Kaspersky. If you think you might have a keylogger then most of these vendors have a free online scan that you can use to check your system - in fact, it is best to try a couple of these free scans to be sure.

Also note that some newly developed keyloggers may not be detected by antivirus software so don't rely on it 100%.

But how did you get the keylogger in the first place? There are several ways that you can pick one of these up:

You opened an email attachment that launched this software on your machine.
You downloaded and launched the software thinking it was something else. For example, you may have been browsing a web site that prompted you to download a "codec" to watch a video. You excitedly clicked on the download and then the "run" button, only to find that the video still did not play. In the background, you just installed a keylogger.
Your browser or some browser application such as Flash was not patched for a certain vulnerability and you browsed a page that automatically launched and installed the keylogger.
You downloaded what you thought was an addon, that strangely asked you to run some installation package.

The common theme here is that to install a keylogger you generally have to be tricked into running some form of installation process.

Don't think you are perfectly safe if you have a Mac either. While the Microsoft operating systems have traditionally been the target of most malware, Macs are beginning to increase in popularity for malware writers.

The Blizzard authentication token is a great way to protect against a keylogger. The authenticator helps provide two-factor authentication. Two-factor authentication is far more effective since it requires two pieces of information from two different sources - in this case, something that you know (your regular account password) and something that you have (the authenticator generated password). The added security comes from the fact that the authenticator changes its password every 60 seconds - so even if the keylogger captures the authenticator password it is only valid for a very short time.

If you have a iPhone then you can pick up the free Blizzard Battlenet Authenticator application from the iStore.

The phishing site

Phishing is the process of using deceptive methods to acquire sensitive information, in this case your game account details.

For example, you saw a notice in trade chat or received a whisper saying that you have won a competition to win a spectral tiger mount. All you have to do is visit a web site and type in a special redemption code. You go to the site, it looks legitimate, you enter the code and it then asks you for your account name and password so that the tiger mount can be mailed to your character. STOP! This is a phishing site with one aim - to get you to type in your username and password so they can log in to your game account.

A similar ploy is the email that reads "Official email from Blizzard. Your account has been suspended. Click here to confirm your details and unlock your account". Again, you click on the link in the email and it looks like a legitimate Blizzard site... but it is nothing but a scam.

It often takes a trained eye to spot a fake web site. Be extra cautious when any site asks you for your account details. I know of only three sites that should ever require your game password - worldofwarcraft.com, blizzard.com and battle.net. If the URL is anything other than these then it is highly likely to be a phishing site that you are visiting.

Again, the Blizzard authenticator provides great protection here since phished authenticator passwords are only valid for a very, very short time.

The insider

You have shared your account password with a friend or a leveling service. You never changed your password and now your friend is no longer a friend or the leveling service had other intentions. The solution here is - don't share your username/password with anyone. Choose a password that can't be easily guessed by your friends and enemies.

Also, be sure to use a different login/password combination when you subscribe to Blizzard fan sites. There are hundreds of fan sites and not all are reputable. Even reputable fan sites with username/password databases are a gold mine for successful hackers.

The Ten Steps - Don't become a statistic

Here are ten simple steps you can do to reduce the chance of your account being compromised:

Don't share your game password with anyone and pick a password that is not easily guessed
Don't use the same password for subscribing to fan sites
Keep your operating system, browser and other software fully patched - start with Windows Update
Run a reputable antivirus product, preferably a full internet security suite with a firewall and keystroke encryption
Don't click on email attachments, especially when you don't know the sender
Don't download and run executable files from web pages
Don't enter your game password into any web site other than the official game sites
Don't enter your game password to a legitimate Blizzard web site from a PC that may be compromised
Be very suspicious if an addon requires some form of install package to be run
Invest in a Blizzard authenticator or install the Battlenet Authenticator application on your iPhone

Remember, security is never 100% guaranteed and there will always be opportunities for your account to be compromised. I have touched on the more common methods in this post. The important message here is to make it as difficult as possible for the bad guys. Out of all the advice, the hardware authenticator is one of the simplest, inexpensive and most effective steps you can take to avoid becoming a hack statistic. Pick one up from the Blizzard store today.

Update: You can also purchase this as an application for many mobile phones at mobile.blizzard.com.