
Sunday, February 28, 2010

Authenticator hack - is your account still safe?

The big security news of the weekend is that Blizzard has confirmed a man-in-the-middle attack that is being used to hack accounts that are using an authenticator.

Let me state up front that this is not a reason to throw your authenticator away nor should it be an excuse for not getting one. The authenticator is a very sound device - but it is, and will always be, just one of many security mechanisms that you should use to help secure your account. It is what we IT security guys call "layered security" - more on this in a moment.

The attack itself requires a keylogger/trojan. The keylogger, once installed on your system, logs your game user name, password AND authenticator code. It proceeds to post this information off to a rogue server so that the attacker can use this information in near real-time to access your game account. In the meantime, it sends an incorrect code to the battle.net authentication server from your machine - resulting in an "incorrect login" type message from the game. It does this so that you don't consume the one-time-use code that the authenticator provides.
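The relay described above leaves a trace on the server side: a failed login with a bad authenticator code, followed within the code's short validity window by a successful login for the same account from a different address. The following is an added example (not from the original post, and not Blizzard's code) that runs that check over a constructed authentication log; the log format, field names and 60-second window are assumptions for the demo.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (invented data, not real Blizzard logs):
# alice  - bad code from her PC, then success from another address 6 s later (relay pattern)
# bob    - bad code, then success from the same PC (a typo, benign)
# carol  - bad code, then success from another address 15 minutes later (outside the window)
SAMPLE_LOG = """\
2010-02-27T21:14:03Z account=alice result=FAIL reason=bad_otp ip=203.0.113.10
2010-02-27T21:14:09Z account=alice result=OK ip=198.51.100.7
2010-02-27T21:20:41Z account=bob result=FAIL reason=bad_otp ip=203.0.113.22
2010-02-27T21:21:02Z account=bob result=OK ip=203.0.113.22
2010-02-27T21:30:00Z account=carol result=FAIL reason=bad_otp ip=203.0.113.5
2010-02-27T21:45:00Z account=carol result=OK ip=198.51.100.9
"""

LINE = re.compile(
    r"^(?P<ts>\S+) account=(?P<acct>\S+) result=(?P<res>\S+)"
    r"(?: reason=(?P<reason>\S+))? ip=(?P<ip>\S+)$"
)
OTP_WINDOW = timedelta(seconds=60)  # the post: a code is only valid for about a minute


def parse(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def find_relay_logins(log_text):
    """Return (account, failing_ip, success_ip, seconds_between) for each relay pattern found."""
    recent_fail = {}  # account -> (timestamp, ip) of the most recent bad_otp failure
    alerts = []
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        if ev["res"] == "FAIL" and ev["reason"] == "bad_otp":
            recent_fail[ev["acct"]] = (ev["ts"], ev["ip"])
        elif ev["res"] == "OK" and ev["acct"] in recent_fail:
            fail_ts, fail_ip = recent_fail[ev["acct"]]
            gap = ev["ts"] - fail_ts
            # Different source address AND inside the code's validity window: suspicious
            if ev["ip"] != fail_ip and gap <= OTP_WINDOW:
                alerts.append((ev["acct"], fail_ip, ev["ip"], int(gap.total_seconds())))
    return alerts
```

Only alice's pair is flagged; bob's retry from the same PC and carol's late login from elsewhere are not.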

Now it was only a matter of time before we saw this kind of attack. More and more people have been using authenticators. In a survey of over 90 gamers at securingwow.blogspot.com, 84% of them claim to have an authenticator attached to their game account. This tells us that more and more people are now running with an authenticator - reducing the pool size of "easy" victims.

The bad guys are now being forced to step up the sophistication of their attacks and have started targeting those with authenticators. We are bound to see many more keyloggers with this capability in the near future. Additionally, phishing attacks will also begin to operate in the same fashion - asking you to type in your authentication code, along with your other game account details, posting the info off to the attacker - who uses them in real time - leaving you with a "system unavailable" message and a soon-to-be-stripped game account. If we don't have these mechanisms in WoW phishing sites already then I can assure you that they are not far away.

So how do you prevent it from happening? It all comes down to minimizing the chance of being infected with a keylogger in the first place. One of the many tenets of IT Security is that "no security system is 100% effective". Anyone that tells you otherwise does not know what they are preaching or they are trying to sell you some snake-oil. In this case, we can't rely on authenticators to be the only defense mechanism - here are ten simple steps you can take to reduce the chance of your game account being compromised:
  1. Don't share your game password with anyone and pick a password that is not easily guessed
  2. Don't use the same password for subscribing to fan sites
  3. Keep your operating system, browser and other software (especially Adobe Flash) fully patched - start with Windows Update
  4. Run a reputable antivirus product, preferably a full internet security suite with a firewall and keystroke encryption
  5. Don't click on email attachments, especially when you don't know the sender
  6. Don't download and run executable files from web pages
  7. Don't enter your game password into any web site other than the official game sites
  8. Don't enter your game password to a legitimate Blizzard web site from a PC that may be compromised
  9. Be very suspicious if an addon requires some form of install package to be run
  10. Invest in a Blizzard authenticator or install the Battlenet authenticator application on your phone
Try to follow all of these recommendations - not just one or two points.

In this specific case, the keylogger was reportedly delivered via a fake site for the Wowmatrix addon manager. The site was created to look and feel like wowmatrix.com but, instead of downloading and installing the addon manager, it installed the keylogger. Our recommendations #6 and #9 talk about being "very suspicious" of add-ons that require an installer to run and about avoiding executable files downloaded from web sites.

The bottom line is that keyloggers and phishing sites are here to stay. Don't rely on your authenticator to protect you 100% of the time - but don't throw it out either. It still forms a very strong part of your layered defense against the bad guys.

Post a comment - we would like to hear from you if you have fallen victim to this attack.

Sunday, July 19, 2009

Protecting Your WoW Account: Ten Easy Steps

You invest a lot of time leveling your characters so don't leave yourself exposed to the disappointment and frustration of account compromise.

Let's explore the common hacking methods of the bad guys and introduce some simple and easy steps on how to help prevent character loss and down time.

How do WoW accounts get hacked?

The keylogger

Keyloggers or keystroke loggers are covert pieces of software that sit in memory, logging your keystrokes when you enter the game or when you enter the Blizzard account or forum web sites. The keylogger then sends this information out to the bad guys. Many people wrongly believe that keyloggers only look for your password when you enter the game, but more often than not they intercept it when you enter the Blizzard forums or account pages on the official web site.

Keyloggers are often included in the functionality of malware called "Trojans". Trojans are pieces of software that are designed to look like legitimate software but have backdoors for malicious functions.

Reputable antivirus software will detect keyloggers as soon as they attempt to install themselves and will often identify them as trojans. There are plenty of good, free antivirus products out there, but you sometimes get what you pay for. In fact, there are many scam products out there that appear to be antivirus products but are actually keyloggers themselves. I recommend sticking with the major commercial antivirus vendors such as Symantec, McAfee, Trend Micro, Sophos, AVG and Kaspersky. If you think you might have a keylogger then most of these vendors have a free online scan that you can use to check your system - in fact, it is best to try a couple of these free scans to be sure.

Also note that some newly developed keyloggers may not be detected by antivirus software so don't rely on it 100%.

But how did you get the keylogger in the first place? There are several ways that you can pick one of these up:
  1. You opened an email attachment that launched this software on your machine.
  2. You downloaded and launched the software thinking it was something else. For example, you may have been browsing a web site that prompted you to download a "codec" to watch a video. You excitedly clicked on the download and then the "run" button, only to find that the video still did not play. In the background, you just installed a keylogger.
  3. Your browser or some browser application such as Flash was not patched for a certain vulnerability and you browsed a page that automatically launched and installed the keylogger.
  4. You downloaded what you thought was an addon, that strangely asked you to run some installation package.
The common theme here is that to install a keylogger you generally have to be tricked into running some form of installation process.

Don't think you are perfectly safe if you have a Mac either. While the Microsoft operating systems have traditionally been the target of most malware, Macs are becoming an increasingly popular target for malware writers.

The Blizzard authentication token is a great way to protect against a keylogger. The authenticator helps provide two-factor authentication. Two-factor authentication is far more effective since it requires two pieces of information from two different sources - in this case, something that you know (your regular account password) and something that you have (the authenticator-generated password). The added security comes from the fact that the authenticator changes its password every 60 seconds - so even if the keylogger captures the authenticator password it is only valid for a very short time.
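To make the "only valid for a very short time" property concrete, here is an added example (not from the original post, and not Blizzard's actual algorithm, which is not public here) of a generic time-based one-time code in the style of RFC 4226/6238, with a server-side check that accepts each code once and rejects it once its time step has passed. The 60-second step, the demo secret and the `Verifier` class are assumptions for the demo.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the post says the authenticator rotates its code every 60 seconds
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret: bytes, now: float) -> str:
    """What the device shows: HOTP over the current 60-second time step."""
    return hotp(secret, int(now // STEP_SECONDS))


class Verifier:
    """Server side: accept a code for the current step (+/- one step of clock drift),
    and never accept the same step twice, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_used_step = -1  # highest time step already consumed

    def verify(self, code: str, now: float) -> bool:
        step = int(now // STEP_SECONDS)
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_used_step:
                continue  # already used, or older than one we accepted: one-time use
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_used_step = candidate
                return True
        return False


def demo() -> dict:
    """Constructed walk-through: a fresh code works once, then is dead."""
    secret = b"constructed-demo-secret"  # constructed; real seeds are random per device
    t0 = 1_700_000_000.0
    server = Verifier(secret)
    code = totp(secret, t0)
    return {
        "first_use": server.verify(code, t0),                                   # True
        "replay": server.verify(code, t0 + 5),                                  # False: consumed
        "stale": Verifier(secret).verify(code, t0 + 3 * STEP_SECONDS),          # False: expired
    }
```

Note that the relay attack in the February 2010 post works precisely because the attacker uses the captured code before the victim's own login consumes it; the one-time check then rejects the victim's next attempt with that code, which is why a sudden "incorrect login" deserves attention.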

If you have an iPhone then you can pick up the free Blizzard Battlenet Authenticator application from the iStore.

The phishing site

Phishing is the process of using deceptive methods to acquire sensitive information, in this case your game account details.

For example, you saw a notice in trade chat or received a whisper saying that you have won a competition to win a spectral tiger mount. All you have to do is visit a web site and type in a special redemption code. You go to the site, it looks legitimate, you enter the code and it then asks you for your account name and password so that the tiger mount can be mailed to your character. STOP! This is a phishing site with one aim - to get you to type in your username and password so they can log in to your game account.

A similar ploy is the email that reads "Official email from Blizzard. Your account has been suspended. Click here to confirm your details and unlock your account". Again, you click on the link in the email and it looks like a legitimate Blizzard site... but it is nothing but a scam.

It often takes a trained eye to spot a fake web site. Be extra cautious when any site asks you for your account details. I know of only three sites that should ever require your game password - worldofwarcraft.com, blizzard.com and battle.net. If the URL is anything other than these then it is highly likely to be a phishing site that you are visiting.

Again, the Blizzard authenticator provides great protection here since phished authenticator passwords are only valid for a very, very short time.

The insider

You have shared your account password with a friend or a leveling service. You never changed your password and now your friend is no longer a friend or the leveling service had other intentions. The solution here is - don't share your username/password with anyone. Choose a password that can't be easily guessed by your friends and enemies.

The fan site

Be sure to use a different login/password combination when you subscribe to any Blizzard fan sites. There are hundreds of fan sites and not all are reputable. Even reputable fan sites with username/password databases are a gold mine for successful hackers.

The Ten Steps - Don't become a statistic

Here are ten simple steps you can do to reduce the chance of your account being compromised:
  1. Don't share your game password with anyone and pick a password that is not easily guessed
  2. Don't use the same password for subscribing to fan sites
  3. Keep your operating system, browser and other software fully patched - start with Windows Update
  4. Run a reputable antivirus product, preferably a full internet security suite with a firewall and keystroke encryption
  5. Don't click on email attachments, especially when you don't know the sender
  6. Don't download and run executable files from random web pages
  7. Don't enter your game password into any web site other than the official game sites
  8. Don't enter your game password into a legitimate Blizzard web site from a PC that may be compromised
  9. Be very suspicious if an addon requires some form of install package to be run
  10. Invest in a Blizzard authenticator or install the Battlenet Authenticator application on your iPhone
Remember, security is never 100% guaranteed and there will always be opportunities for your account to be compromised. I have touched on the more common methods in this post. The important message here is to make it as difficult as possible for the bad guys. Out of all the advice, the hardware authenticator is one of the simplest, least expensive and most effective steps you can take to avoid becoming a hack statistic. Pick one up from the Blizzard store today.

Update: You can also purchase this as an application for many mobile phones at mobile.blizzard.com.