It has been brought to our attention that Blizzard's technical support department is currently handling a security exploit that is, in a limited capacity, circumventing authenticators. Before we get into the details, please do not panic. This does not make authenticators worthless, and it is not yet a widespread problem. Do not remove your authenticator because of this, and do not base your decision on whether or not to buy an authenticator off of this. They are still very useful, and your account is much safer with an authenticator than it is without one.
This is not the only report of this that we've seen, but it is the first time that a Blizzard representative has openly acknowledged that there is something afoot. For a full account of what happened, check the thread on the EU Technical Support forums. To sum up: There is a piece of malware (emcor.dll is what is being reported at the moment) that is being used as a hijacking tool to facilitate Man-in-the-Middle attacks on users.
To explain in the simplest way possible, instead of data being broadcast directly to Blizzard when trying to log in to your account, that data is being broadcast to a third party via this malware. This includes your authenticator code. Rather than you logging into your account, the hacker on the other end does so. They log into your account, clear out your characters, and move around virtual funds to fulfill orders from players buying gold. This method of circumvention has been theorized since the release of the key fobs, but it has only now started to actually happen.
Because the hacker is only receiving the data as it is transmitted, they are not able to log in more than once unless you are repeatedly broadcasting your authenticator code. They cannot change your account information. They are only in your account until they log off or are disconnected. The password is still your password. They are unable to remove or replace the authenticator. Removing the authenticator would require at least three different authenticator codes from you. One to log in to account management, and two for the actual removal. The chances of this happening are incredibly, obscenely low.
If you don't scrub the malware from your computer, they can hijack your account again the next time you try to log in, but the same rules apply. The damage done is limited and temporary. Make sure you do a virus/malware scan to make sure you don't get hijacked a second time, just like you would do with any keylogger.
This security breach is unfortunate, but keep in mind that it's far more difficult to do than the keylogging we've suffered for the last few years. Hackers that used keyloggers could theoretically gather thousands of user names and passwords every day and get around to them at their leisure. Your account information could be stolen today, but it might not be used until two weeks later when the hacker needs to fulfill an order. In the case of a Man in the Middle attack like the ones we're seeing now, that can't be done. Authenticator codes need to be used within 30 seconds or they expire. A Man in the Middle attack needs to be done in real time with a large amount of timing and accuracy. This sort of attack is possible, but we don't expect it will happen as frequently as basic keylogging.
What can you do about this type of attack? The same thing you can do about any attack. Keep your virus scanning software up to date (and update regularly, as this exploit is very new.) Scan regularly. Practice safe surfing. Read the thread in the technical support forums on this issue very closely, remember the warning signs. If you run into anything unusual, do not repeatedly try to log in. Play it safe and run a virus scan. Your authenticator is still protecting you against a vast majority of hacking and keylogging methods, it is certainly not money wasted and you shouldn't remove it in a fit of frustration.
Blizzard is very much aware of the issue and are actively looking for a solution.
Edit: This is a PC only attack, at the moment. Mac users are immune to this particular virus, however they are not immune in general. Mac users must practice the same security methods as PC users.
Filed under: Account Security