Man in the middle attacks circumventing authenticators

This is not the only report of this that we've seen, but it is the first time that a Blizzard representative has openly acknowledged that there is something afoot. For a full account of what happened, check the thread on the EU Technical Support forums. To sum up: There is a piece of malware (emcor.dll is what is being reported at the moment) that is being used as a hijacking tool to facilitate Man-in-the-Middle attacks on users.
Kropaclus: After looking into this, it has been escalated, but it is a Man in the Middle attack.
http://en.wikipedia.org/wiki/Man-in-the-middle_attack
This is still perpetrated by key loggers, and no method is always 100% secure.
To explain in the simplest way possible, instead of data being broadcast directly to Blizzard when trying to log in to your account, that data is being broadcast to a third party via this malware. This includes your authenticator code. Rather than you logging into your account, the hacker on the other end does so. They log into your account, clear out your characters, and move around virtual funds to fulfill orders from players buying gold. This method of circumvention has been theorized since the release of the key fobs, but it has only now started to actually happen.
Because the hacker is only receiving the data as it is transmitted, they are not able to log in more than once unless you are repeatedly broadcasting your authenticator code. They cannot change your account information. They are only in your account until they log off or are disconnected. The password is still your password. They are unable to remove or replace the authenticator. Removing the authenticator would require at least three different authenticator codes from you: one to log in to account management, and two for the actual removal. The chances of this happening are incredibly, obscenely low.

This security breach is unfortunate, but keep in mind that it's far more difficult to do than the keylogging we've suffered for the last few years. Hackers that used keyloggers could theoretically gather thousands of user names and passwords every day and get around to them at their leisure. Your account information could be stolen today, but it might not be used until two weeks later when the hacker needs to fulfill an order. In the case of a Man in the Middle attack like the ones we're seeing now, that can't be done. Authenticator codes need to be used within 30 seconds or they expire. A Man in the Middle attack needs to be done in real time with a large amount of timing and accuracy. This sort of attack is possible, but we don't expect it will happen as frequently as basic keylogging.
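The two properties described above (a code expires after 30 seconds, and one captured code is good for one login) can be seen in a server-side check. This is an added example, not Blizzard's code: it assumes the authenticator behaves like standard RFC 6238 TOTP, and the secret, timestamp, `Verifier` class and `drift_steps` setting are constructed for illustration.

```python
import hashlib, hmac, struct

STEP = 30  # seconds per code, the lifetime the article states

def totp(secret: bytes, t: float, digits: int = 6) -> str:
    """RFC 6238 code for time t (assumed stand-in for the authenticator)."""
    counter = int(t // STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

class Verifier:
    """Server side: accept a code once, and only inside its time window."""
    def __init__(self, secret: bytes, drift_steps: int = 0):
        self.secret = secret
        self.drift_steps = drift_steps  # how many earlier steps are still accepted
        self.last_used = -1             # highest time step already consumed

    def check(self, code: str, now: float) -> bool:
        current = int(now // STEP)
        for counter in range(current, current - self.drift_steps - 1, -1):
            if counter <= self.last_used:
                break  # this step (or a later one) was already spent
            if hmac.compare_digest(totp(self.secret, counter * STEP), code):
                self.last_used = counter
                return True
        return False

def demo() -> dict:
    secret = b"constructed-demo-secret"  # constructed sample value
    t0 = 1_267_358_400.0                 # constructed timestamp on a step boundary
    code = totp(secret, t0 + 2)          # code shown on the token 2 s into the step
    strict = Verifier(secret)
    results = {
        # Keylogger-style reuse two weeks later: the code has expired.
        "stored_and_used_later": strict.check(code, t0 + 14 * 24 * 3600),
        # Presented within the window: accepted, whoever presents it.
        "relayed_in_real_time": strict.check(code, t0 + 5),
        # Same code a second time: rejected, so one capture is one login.
        "same_code_again": strict.check(code, t0 + 10),
    }
    # A server tolerating one step of clock drift accepts the code for longer.
    lenient = Verifier(secret, drift_steps=1)
    results["previous_step_with_drift"] = lenient.check(code, t0 + 44)
    return results

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The verifier has no way to tell which machine presented a still-valid code, which is why the remaining defence is keeping malware off the computer where the code is typed.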
What can you do about this type of attack? The same thing you can do about any attack. Keep your virus scanning software up to date (and update regularly, as this exploit is very new). Scan regularly. Practice safe surfing. Read the thread in the technical support forums on this issue very closely and remember the warning signs. If you run into anything unusual, do not repeatedly try to log in. Play it safe and run a virus scan. Your authenticator is still protecting you against a vast majority of hacking and keylogging methods; it is certainly not money wasted, and you shouldn't remove it in a fit of frustration.
Blizzard is very much aware of the issue and is actively looking for a solution.
Edit: This is a PC-only attack at the moment. Mac users are immune to this particular virus; however, they are not immune in general. Mac users must practice the same security methods as PC users.






Reader Comments (Page 1 of 11)
ROB13 Feb 28th 2010 12:30PM
Ruu Roh.
Will NOTHING stop these hackers? If a ferocious monstrous Core Hound doesn't faze them...I don't know what will.
Razortooth Feb 28th 2010 1:03PM
Greed is the root of all evil. Reminds me of the John Lenin song "Imagine"
splodesondeath Feb 28th 2010 1:14PM
@ Razortooth
"John Lenin" made me chuckle.
Zalvi24 Feb 28th 2010 2:49PM
So let me get this straight: this man in the middle "thing" only works if I'm trying to log in to WoW and enter my authentication code? So it doesn't work if I'm not logged in or if I'm already logged in?
McCombs Feb 28th 2010 3:03PM
Greed is Good.
peter_vutov Feb 28th 2010 3:10PM
I don't understand it either. You can't have 2 people logged in at the same time, so basically if they try to use my authenticator code they have to kick me out of the account or not let me log in, which means that I will automatically be alerted of the hacking and just relog (possibly from a different PC) to kick them out. So..how?
Finnicks Feb 28th 2010 3:57PM
@peter_vutov
You attempt to log in, inputting your authenticator code. This malware redirects the information to the hacker so they can log into your account right now.
Meanwhile, the hacker's server responds to make your client think you put in the wrong information. You never even get through to Blizzard's authentication servers.
You will continue to get "Incorrect information" errors until you locate and remove the malware, which is more than enough time for an efficient hacker to clean you out.
QQinsider Feb 28th 2010 4:04PM
"Will NOTHING stop these hackers?"
While people are stupid enough to let this kind of malware on to their computers?
No.
Sehvekah Feb 28th 2010 4:08PM
@peter
The way this attack works, *you* never log in in the first place. The scumware alters how your computer handles your internet traffic and actively searches for those packets that would contain your login information. When it detects that WoW's trying to send them out, it *intercepts* them, sending them to a different computer entirely which then sends the log in info, letting whoever is at that computer log in to your account. *You* never log in, in fact you'll just keep getting an "unable to connect" error, rather than something more specific.
Repetitious, I know, but I really wanna drive that point home. If it worked some other way, there's a chance you could bump off whoever's hijacking your stuff, *and they don't ever want you to have that chance.*
Also, if they're stealing your WoW info, they're probably stealing anything else they can (even if they don't directly deal in identity theft, the way these places operate they likely know someone who does, and will happily sell *them* anything else they happen to pick up). Just so you don't go getting a false sense of security from this, or anything.
Avan Feb 28th 2010 4:10PM
The article says you need to use the code within 30 seconds before it expires. So, press the button on your authenticator. Count to 25, then input the code. The attacker now only has up to 5 seconds to use your code, depending on how long it takes you to input it.
This method isn't going to prevent these attacks entirely, just minimize them further.
DarkWalker Feb 28th 2010 7:35PM
The inputting code on the cracker's end is probably automated, so it should actually take less time than you take to simply press enter.
If they are intercepting the code as it is typed, and not as it is sent over the network, they can effectively be logging before the true owner presses enter.
Besides, the authenticator code is valid for at least 45 seconds. I've never intentionally measured it, but I can still use the previous code when the time bar for the next one is at the middle.
QQinsider Feb 28th 2010 7:15PM
Ahh, I got down-rated. I guess people just don't like being told that they're just as responsible for their own computer security as they are for their bank account and everything else. If you get hacked it's your fault, it's not hard to use a computer safely on the internet, you just couldn't be bothered to learn.
Mr. Tastix Feb 28th 2010 9:00PM
@Avan: Yes, you could do that, but you would still not be able to get in anyway. You could try logging in a million times and EVERY TIME WOULD FAIL.
RogueJedi86 Feb 28th 2010 11:34PM
I just thought of another good way to do it to make it impossible to hack even with a trojan. Make you have to put in a unique authenticator code twice: once when you login, then again at character select. Since you would have to get to the character select screen to input the second code, and logging to that point would kick anyone else on your account, and an authenticator # can't be used twice, there is no way for the hacker to get and use the second authenticator code.
Logging out would invalidate his first code, and you'd have to use each code to get to the next step, and there's no way a trojan can trick you into thinking you're at character select when you're not.
pinkysan Mar 9th 2010 7:43AM
Security is not easy and as long as we have the valuable stuff hackers want, they won't stop.
So it's important to understand what the authenticator does and does not do for you. Like in that Seinfeld episode, Seinfeld got robbed even though he has the most secure locks on his front door because Kramer forgot to close it.
-- The authenticator (multi-factor authentication) protects you from "replay attack", where the bad guys can no longer take their time to hack you two weeks later.
----> They need to take both your password and your auth-code to pretend to be you for a short time. Or they have to physically steal your authenticator.
-- To defend against man-in-the-middle attacks, you need SSL or other end point authentication. Basically SSL protects your data *AFTER* leaving your computer and it promises the data will be unreadable in transit and truly reach its intended destination unaltered before it can be read.
----> They need to get into your computer to mess with your data BEFORE it leaves the computer.
The good news is that adding an authenticator raises the bar for the hackers to steal your account. But they can still do it if you are not careful... Like even if Kramer remembers to close the door, he still has to turn the lock for it to work most effectively.
Additionally, all of these protections are not reliable if the bad guys have malware IN THE COMPUTER. They can literally do anything they want. They can even alter your WoW client itself to connect to them instead of Blizzard to login. It's like locking the front door doesn't really protect you from the thief who's already inside the house.
So we still need to be vigilant about it even with the authenticator.
Worcester Mar 12th 2010 7:35PM
Before downrating McCombs, please make sure you know the reference. I wouldn't be surprised if that line isn't uttered by some Goblin in Azeroth.
Magma Feb 28th 2010 12:31PM
Authenticators can only do so much if you are completely careless otherwise
Neirin Mar 1st 2010 3:53AM
My justification for my authenticator is similar to explanations of how to escape from a bear - you don't have to be the most secure, you just have to be more secure than the millions of other people who are easier and more profitable to hack.
rawrawrawr Mar 1st 2010 7:48AM
Wait, bears are hacking WoW accounts now? OH GOD
Darkseid Mar 1st 2010 9:25AM
"Authenticators can only do so much if you are completely careless otherwise"
And this is what many of us here said when the "omg I gotta get an Authenticator right now!!!!" craze kicked off a couple months ago.
We simply said, if you're careless (aka stupid), then your account will still be hacked. Simply put, technology is no substitute for common sense.
The reaction? Flaming, down voting, stupid Mac vs. PC arguments, and even more stupid MADE UP stories about how people took every precaution, but some hacker still got them by "hacking his buddy's wife's account, pretending to be her when his buddy logged on, and tricking him into giving her full guild bank access"...
...seriously, I still can't believe that someone expected us to believe that story....anyway...
The bottom line is, there were two sides to this. People who said authenticators are great and would protect us all and those who said authenticators are useful as another security measure, but not the end all.
I guess we have a winner to that debate from the article a couple months back...