How misspelling might get you keylogged
There have been a lot of scares recently about AddOns having keyloggers in them. For the most part, it turned out to be ads on the sites that were the problem. And now we have the Fraps scare. Unfortunately, no one is immune and it's best to be as careful as possible. Recently, I came across another particularly sneaky way you could get keylogged.
I don't use many AddOns when I play. Cartographer, Auctioneer and Gatherer are pretty much it. I've tried tarting my UI up with some of the fancier mods, but I always come back to my minimalist setup. Because I don't use many, I don't have to upgrade very often and I always neglect to bookmark the appropriate download sites. I'm also a believer in convenience, so I make full use of my Firefox address bar to do my "searches". Firefox will either bring up a Google search for whatever I type in or it will bring up the closest webpage to what I have typed.
Recently, I was looking for an upgrade and I mistyped the name in my address bar. Firefox cheerily brought up the website that matched what I typed. It was a site that listed a few WoW UIs as well as some popular WoW searches. I closed the window, typed what I wanted into my handy dandy Search Box (which is honestly just as convenient) and went on my merry way. I proceeded to play some WoW that night and logged into City of Heroes for a bit as well.
The next morning, my virus program informed me that a Trojan had taken residence on my machine for the purpose of recording my keystrokes. Nice. After I double-checked that the evil program had been removed, I immediately changed my passwords for the games I had played. Happily no damage had been done -- nor do I think I was really at risk. Because of that convenience thing, I let my usernames be saved as often as possible so that the keylogger wouldn't have actually known to what username to link my newly stolen passwords.
At first I blamed the AddOns since that was the only new thing I had downloaded. But then I retraced my steps and remembered the mistyping. That is what makes this whole thing so sinister. I had to think hard to remember I had visited the fake UI site for a few seconds because who remembers the typos one makes while searching?
Earlier this month, Vox pointed out on the forums that there is a keylogging site Warcraftsmovies.com (DON'T GO!) that is taking advantage of misspelling Warcraftmovies.com (that one is OK). Blizzard poster Vrakthris requests that anyone who comes across these sites please report them on their official webform. I would report the one that got me, but I don't remember which one it is and, honestly, I'm scared to go and look for it.
These criminals are clever. They create domain names that are misspellings of commonly searched WoW-related terms and then put "content" on there so that it looks like a semi-respectable place. If you don't get taken there automatically, the sites will still show up looking like valid sites in a Google search. And unless you have your browser set up so that it won't run scripts automatically, just loading the site will load the program onto your computer.
We've said this before, but these are the best ways to keep your account safe:
- Don't buy from gold sellers and power levelers.
- Don't share your account info with anyone.
- Don't download from shady sources.
- Do keep your anti-virus/anti-spyware tools up to date.
- Do change your password regularly.
Reader Comments (Page 1 of 2)
Ilnara May 1st 2008 9:19AM
Moral of the story: Should have installed AdBlock Plus and NoScript AddOns for Firefox. Thus, those 'sneaky' JavaScripts can't run at all even if you do happen upon a keylogger-embedded site. (Firefox without these addons might as well be IE, and thus doesn't do anything for your security)
Ophelos May 1st 2008 10:01AM
Should really put down IE at all, since Firefox does have just as many exploits as IE has no matter how many Firefox addons you got to try and keep you safe when browsing the internet.
but anyways.
My rule when browsing or searching for something online, try and use good browsing habits, like going to sites you trust, and once you come across a site you trust just bookmark it.
Also clean your cookies, internet history, temp internet files, etc at least once a week..
Don't install more than one anti-spyware and anti-virus software because they will cancel each other out and you won't have the security that you should have. I also recommend having a hardware firewall. aka router
Ahoni May 1st 2008 11:16AM
Ophelos said...
"Also clean your cookies, internet history, temp internet files, etc at least once a week.."
Nice useless advice. This will do NOTHING to prevent malicious software from attacking your computer. Cookies CANNOT harm your computer. Cookies are text files. They are not scripts. Internet history and temp internet history should be deleted ONLY if you are interested in hiding what you have done on a computer. It will do NOTHING to prevent malicious software from infesting your computer.
"Don't install more than one anti-spyware and anti-virus software because they will cancel each other out and you won't have the security that you should have."
Really? They cancel each other out. So if I install Norton and McAfee I end up with no protection? What about McAfee and Trend Micro, do they "cancel each other out"? I certainly wouldn't recommend installing more than one anti-virus program, or more than one firewall. If you have two of those, they will interfere with each other, and you are asking for trouble, but they won't "cancel each other out."
Some anti-spyware programs do not play well together. Mostly this is due to their quarantine procedures. If I use Spybot Search and Destroy (a good free tool) and it quarantines a suspect program, a second spyware scan with, say, Adaware, will not know that the Spybot quarantined something, and will give a 2nd hit for the same problem.
I would fully recommend running AT LEAST two anti-spyware scanners. I have yet to see one that finds everything.
Tekkub May 1st 2008 1:48PM
*snicker* A router is NOT a hardware firewall. Home routers are usually actually a NAT, which gives the nice side effect of essentially being an inbound firewall... but it is still not a firewall. A true firewall can block outbound connections as well.
And as for running two virus scanners... that'll bog down your system quite nicely. Hope you aren't picky about your FPS.
Adding layers and layers of virus scanners won't help much... the best defense is that thing in your head, use it!
Verified Insanity May 1st 2008 7:10PM
Hey, you forgot SiteAdvisor, which will tell you if the site's malicious in the first place!
andy May 1st 2008 9:19AM
a good way to avoid keyloggers from ads is to use ad-blocking software. i use firefox with adblock plus and noscript. i also use linux, which helps me avoid windows-based viruses/loggers. i know, most people don't want to switch to linux just to avoid that stuff, but it does help. the firefox + plugins/extensions thing is a very easy switch to make, and firefox 3 is coming soon!
math May 1st 2008 9:23AM
McAfee SiteAdvisor is a nice addon that runs in Firefox. When I google different sites it shows what is safe and what is not...GET IT
Percinho May 1st 2008 9:25AM
Also, don't use the firefox address field itself for searches, use the small search box to the right. The main one takes you straight to the "I feel Lucky" website, the smaller one returns a search results page that would pick up your mis-spelling.
Dave May 1st 2008 9:31AM
problem solved.. i use that all the time
FireStar May 1st 2008 9:36AM
I use the noscript sure, but I also will only download mods from One site, curse gaming. Obviously, there's still risk involved...and I'm not saying there isn't. But it's like little kids...the more crap they touch the better chance they have of getting sick. Also, I use the curse application to update my mods for me, so I don't need to worry about being out of date or anything like that. I imagine that curse does virus checks and keylog checks when people update addons on their site, but don't quote me on it. Any way to check?
Silverrealm May 1st 2008 9:36AM
So you can't report it cause you don't remember what site it was?
Uh... you know browser 'History' is very useful for this. Unless you set your browser to clear all cache after closing...
Just look through the History items and see if any ring a bell.
AVOID clicking on them and going back to that site.
PJ May 1st 2008 9:37AM
Yeah, install Adblock and be unable to use most sites - including some honest wow sites which have been hacked in the past.
"Because of that convenience thing, I let my usernames be saved as often as possible so that the keylogger wouldn't have actually known to what username to link my newly stolen passwords."
So they can program software to hide on your machine and record and relay your keyboard presses, but not read the text box where your login is - yeah right.
Ilnara May 1st 2008 9:58AM
PJ said: Yeah, install Adblock and be unable to use most sites - including some honest wow sites which have been hacked in the past.
No measure of security is going to help you if you don't learn how to use it effectively.
Hurode May 1st 2008 11:39AM
I use Adblock and I have never been denied entry to a site because of it. I'm not saying that such sites don't exist, but as a general rule they aren't worth visiting.
Matt May 1st 2008 11:58AM
"Yeah, install Adblock and be unable to use most sites - including some honest wow sites which have been hacked in the past."
Properly configured, Adblock won't stop you using anything.
"So they can program software to hide on your machine and record and relay your keyboard presses, but not read the text box where your login is - yeah right."
Yeah. Right.
It's easy to intercept keystrokes coming in from a keyboard but difficult to create some software that would scan the screen and recognise exactly where it needs to look, and recognise the characters that are in that area of the screen - which are often masked with asterisks anyway.
It's not a problem that you seem to have no idea how technology of this nature works. It's hardly a requisite. But it does make you sound like an idiot when you use your position of ignorance to launch sarcastic attacks against people who are ultimately better informed than you.
Dan May 1st 2008 12:22PM
"It's easy to intercept keystrokes coming in from a keyboard but difficult to create some software that would scan the screen and recognise exactly where it needs to look, and recognise the characters that are in that area of the screen - which are often masked with asterisks anyway."
You're right, except that that's not the way it's done, what they do is to read the right memory block, which is about as easy to do as reading the keystrokes.
Kristian Cee May 1st 2008 9:44AM
Even if you flush your history, there are these awesome things called 'bookmarks' that you could make.
RichM May 1st 2008 9:46AM
"Happily no damage had been done -- nor do I think I was really at risk. Because of that convenience thing, I let my usernames be saved as often as possible so that the keylogger wouldn't have actually known to what username to link my newly stolen passwords."
Unfortunately keyloggers don't just log your keystrokes, some actually grab your internet browser traffic too (or anything transmitted over port 80 etc).
Passwords sent by your browser are not encrypted and are sent over the internet in plain text format, the only place they are encrypted is in the database of the website you are using.
notcoding May 1st 2008 9:55AM
"Passwords sent by your browser are not encrypted and are sent over the internet in plain text format, the only place they are encrypted is in the database of the website you are using."
Except for the vast majority of places where they aren't in the clear. Anytime a page uses SSL - it goes out encrypted. That is, any address that starts with "https:"
This doesn't stop keyloggers or trojans from grabbing data in another way, but simply sniffing the packets as they go out generally doesn't work.
Aigarius May 1st 2008 10:01AM
Just use Linux. Try the new Ubuntu - it is easy and user-friendly.