Your Christmas gift could be hacking your WoW account
Hackers seem to be trying more and more ways to get legitimate accounts out of players' hands and working to steal and farm more gold, but if you think they've had some sneaky schemes in the past, you ain't seen nothing yet. Our colleagues at Massively have a story that's both amazing and disturbing at the same time.
A lot of geeks found a digital photo frame under the tree this year. Seems like a good idea; I'm sure a lot of us have a pretty large collection of digital photographs stored on memory cards and flash drives that we just haven't quite gotten around to printing for display.
Unfortunately, certain frames sold at Best Buy, Target, Costco and Sam's Club come with an extra undocumented feature, in that they have a nasty little bug that's being dubbed Mocmex. The bug can burrow its way into your computer, latch itself in, and sniff out account information. It doesn't seem to affect Linux or Macs, at least not in its current form, but right now there doesn't seem to be a single manufacturer or frame type that's infected, so the origin of the bug hasn't been nailed down.
If you think you've got one of the infected picture frames, Massively recommends contacting the SANS Institute and calling the store where the frame was purchased. You can check their story for the contact information.
The upside of this, I suppose, is that if the farmers are starting to branch into using peripherals to steal our accounts, they may be getting pretty desperate. The downside is, when we have people who practice safe web browsing and keep a clean computer getting bitten, like our Amanda Dean for example, we could be in some trouble. With any luck, all the major virus programs will have a cure for Mocmex and programs like it soon. In the meantime, it looks like we'll have to be extra careful about what we install on our computers, and make sure our anti-virus programs and firewalls are up to date.
Filed under: Bugs, News items, Economy, Hardware







Reader Comments (Page 1 of 1)
Felwrathe Feb 17th 2008 4:02AM
Well that's.....completely random.
I was hacked very recently and my account is suspended for another 48 hours or so. But, no picture frame in my house.
In fact, there was reportedly no spyware hours before the hack occurred [I check every couple days] and I had done nothing but play WoW since the scan.
It COULD possibly have been an addon updated through wowace, but I highly doubt that. But then the only other logical explanation is that I was hacked from INGAME, which is also highly unlikely.
Note: The hack also locks you out of worldofwarcraft.com, so you're unable to change passwords. Very nasty, if you get caught when customer service isn't around [like I did] and don't have an extra computer with internet around [like I did].
Typical Dire Maul business. Came back with my main in DM, respec'd, with stuff I don't own up for auction, yet none of my gold was touched. Strange.
Felwrathe Feb 17th 2008 4:02AM
Oh, and the account suspension comes about a day after the hack occurs. They'll send you an email with the following:
"Access to this account has been temporarily disabled for exploitation of the World of Warcraft economy or for being associated to accounts which have been closed for intended exploitation. Based on a review of the information presented, this World of Warcraft account has been given a final warning and a 72 hour account suspension, in addition to any previous warnings issued. Until the suspension has been lifted, the account will not be accessible. Please note that Blizzard Entertainment will be unable to provide further information regarding the specific time an account will become accessible again."
They'll also change your password. So... if anyone gets this, good luck.
Verit Feb 18th 2008 3:53PM
The fact that worldofwarcraft.com is blocked and you were unable to detect the hack via spyware scanner suggests either a) it's a virus or b) it's a spyware app using a rootkit. Most spyware scanners don't even look in kernel space, and more and more hacks are moving there to escape detection.
What these are - basically are kernel level drivers (programs that sit at ring 0). Applications living there are really hard to find, because you can take advantage of memory cloaking, and filesystem cloaking and other tricks to escape detection - even from well heard of virus scanners. It's also where a lot of WoW hacks sit to escape detection from Warden (like Wow Glider - which is a rootkit).
The attack vector for these things can come from anywhere - not just wow related software. Every one of these things I've found on people's machines - they swore up and down they've never downloaded anything and installed anything etc. In most cases a lot of these viruses/spyware apps came attached from another app that came over a p2p network, or some website.
Removing and detecting them can be quite tricky - I'd suggest starting with the rootkit revealer - this will show you if you are affected or not, based on the results you can research what you have and how to take action.
Charlie Feb 17th 2008 4:02AM
You must be a west coaster.
Anyways, does the virus in the picture frames specifically target WoW? Or is it just a general virus? For such a big thing to happen to the frames, it's kind of small scale to target just WoW, don't you think?
@Felwrathe: The scanner could have missed it. The definitions for keyloggers are probably out of date, just because they don't actually do anything "against the law" in the strictest sense by selling all your stuff. Because in fact the ownership begins and ends with Blizzard. Nothing "real" is stolen.
Oh and anyone else wonder how you "lose" an account? That error message confuses me.
P.S. yay for having a mac =D.
Daniel Whitcomb Feb 17th 2008 4:48AM
Hey Charlie,
Yes, I am a West Coaster, and yes, it is a more general virus, although according to Massively, it seems to actually specifically try to target MMORPG Accounts. Apparently the market for gold and/or hacked accounts must be that big!
Daniel
Josef Feb 17th 2008 7:43AM
There is not so much of this in other countries, I have not heard of anyone getting their account hacked on the GB servers :/
LORD Mar 29th 2008 7:56AM
LLL
Aaron Feb 17th 2008 11:09AM
wtf's a digital photo frame? :p never heard of anything like this in the UK.
A bit of googling shows it shows photos from your camera's memory card, no access to a PC is needed. = hmm?
Krystalle Voecks Feb 18th 2008 7:26AM
You can connect them to your PC to load images people have emailed you, things you snag off flickr, facebook, etc. You can load it either way. It's when you're connecting to a windows-based PC that you get in trouble. Although some people have reported that using the memory card in the computer after you've had it in the frame nets the same result. (I have a card reader in both of my laptops, luckily, one's Linux-based, so I know which one will be in use anytime someone's asking me for pictures on their card!)
peaglemancer Feb 18th 2008 9:47AM
@Aaron
Stop acting like Britain is free of digital tackiness. A quick trip to your local Dixon's will reveal the crapulence of digital photo are alive and well in the motherland.
Zeplar Feb 17th 2008 11:16AM
If a virus that advanced is targeted at MMO's, hey, maybe the government'll go and decide to shut down all the gold trading, being paranoid about a national security crisis. Blizzard would definitely thank them!
jinx Feb 17th 2008 12:03PM
For more info on the infected frames check out this article http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/02/15/BU47V0VOH.DTL&type=tech I found linked on Fark.com.
Hotball Feb 17th 2008 1:57PM
@5:
It's more common than you think, at least in Taiwan. Several of my guild mates had their accounts hacked. Suspected reasons range from keyloggers installed in internet cafes to possible trojan horse infections. Fortunately, most can have their accounts and important equipments restored, but in most cases money and materials (motes, for example) are gone.
The problem is so serious that the publisher in Taiwan is now providing an optional two tier authorization system. You can register a phone number with your account, and you have to dial a toll-free number before logging in. The server does not pick up the phone so there's no telephone charge, but the server can see your phone number through caller ID and then activate your account for about 2 minutes.
Dakaramor Feb 17th 2008 3:20PM
If you have the Insignia photo frame from Best Buy take the frame and your PC to the store you got it from. You shouldn't need a receipt. The Geek Squad there will get rid of the virus from your frame and do an Advanced Diagnostic and Repair on your computer, getting rid of that and any other viruses/spyware/adware on your pc for no cost.
Kitteh, Twilights Hammer EU Feb 17th 2008 3:40PM
Hotball, that's a very nice idea with the system (so good I'm thinking of other uses for it already ^^) would be nice to see it rolled out elsewhere. If the information wasn't recorded on the usual Blizzard sources (e.g. you sent an email with your number or something) that would be pretty much bulletproof.
hotball Feb 17th 2008 10:07PM
To my understanding, you only need to use their web site to enable the system. However, once enabled, any changes (phone number, or disabling the system) will require a copy of your national ID card for proof of identity. So it should be very hard for a hacker to change the phone number with your password alone.
Of course, there are downsides too. For example, sometimes the server can be quite busy, although the game server can be busy too :) If you lost your mobile phone it can be quite a nuisance to change the phone number, etc. Another problem is that if you travel to other countries (and you want to play WoW there) you won't be able to use the system and will have to temporarily disable it. This is also a problem for Hong Kong players since they can't use the system (I have a guild mate who lives in Hong Kong and had his account hacked).
Some online games in Taiwan use IC cards for two tier authorization. The IC card has a digital signature system so it's impossible to copy the card by reading from it. However, this system is more expensive and if you want to play the game on other computers you'll have to bring the card reader with you, and you may have to install drivers for it.
Verit Feb 18th 2008 4:04PM
Why not just have Blizzard (or whoever) distribute OTP (one time password, or one time pad) tokens. We use these where I work when I sign in - basically you hit a button and a 6 digit password comes up that you append to your normal password.
Every time you log in - you do this - that way even if there was a key logger installed on the machine it wouldn't know what the password was because it's new each time you log in.
Check it out > http://en.wikipedia.org/wiki/One_time_pad
liquid circuit Feb 17th 2008 4:04PM
FUD FTL
Acronyms FTW!
(sorry, just sick of the sensationalism of WoW hacking; all reports are anecdotal at best... show me some statistics if you want to convince me of its prevalence).
Avonturier Feb 18th 2008 4:50AM
Is this something you'd be protected from if you run windows xp in a limited user account?
Verit Feb 18th 2008 3:57PM
Possibly - if you installed an app with a virus attached as Admin - you're still screwed - because then it got in anyhow.
If you attach the photo frame and don't run any of the software that came with it - the virus would then have to either run as user (and risk possible detection) or violate Windows security to install itself.