Man in the middle attacks circumventing authenticators

This is not the only report of this that we've seen, but it is the first time that a Blizzard representative has openly acknowledged that there is something afoot. For a full account of what happened, check the thread on the EU Technical Support forums. To sum up: There is a piece of malware (emcor.dll is what is being reported at the moment) that is being used as a hijacking tool to facilitate Man-in-the-Middle attacks on users.
Kropaclus: After looking into this, it has been escalated, but it is a Man in the Middle attack.
http://en.wikipedia.org/wiki/Man-in-the-middle_attack
This is still perpetrated by key loggers, and no method is always 100% secure.
To explain in the simplest way possible, instead of data being broadcast directly to Blizzard when trying to log in to your account, that data is being broadcast to a third party via this malware. This includes your authenticator code. Rather than you logging into your account, the hacker on the other end does so. They log into your account, clear out your characters, and move around virtual funds to fulfill orders from players buying gold. This method of circumvention has been theorized since the release of the key fobs, but it has only now started to actually happen.
Because the hacker is only receiving the data as it is transmitted, they are not able to log in more than once unless you are repeatedly broadcasting your authenticator code. They cannot change your account information. They are only in your account until they log off or are disconnected. The password is still your password. They are unable to remove or replace the authenticator. Removing the authenticator would require at least three different authenticator codes from you. One to log in to account management, and two for the actual removal. The chances of this happening are incredibly, obscenely low.

This security breach is unfortunate, but keep in mind that it's far more difficult to do than the keylogging we've suffered for the last few years. Hackers that used keyloggers could theoretically gather thousands of user names and passwords every day and get around to them at their leisure. Your account information could be stolen today, but it might not be used until two weeks later when the hacker needs to fulfill an order. In the case of a Man in the Middle attack like the ones we're seeing now, that can't be done. Authenticator codes need to be used within 30 seconds or they expire. A Man in the Middle attack needs to be done in real time with a large amount of timing and accuracy. This sort of attack is possible, but we don't expect it will happen as frequently as basic keylogging.
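To make the timing argument concrete, here is an added Python sketch (not Blizzard's code; the page does not say which algorithm the key fob uses, so it is modelled as an RFC 4226/6238-style 30-second code, with a constructed seed and clock) of a server-side verifier that enforces the 30-second window and one-time use, replaying the article's scenario against it:

```python
import hashlib
import hmac
import struct
STEP = 30   # the article says codes expire after 30 seconds
SKEW = 1    # accept one adjacent time step for clock drift (assumption)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float) -> str:
    """Code shown on the fob at wall-clock time `now` (RFC 6238 style; assumption)."""
    return hotp(secret, int(now // STEP))

class Verifier:
    """Server side: time-window check plus a record of consumed codes."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.consumed = set()   # time-step counters whose code has already been used

    def login(self, code: str, now: float) -> str:
        for skew in range(-SKEW, SKEW + 1):
            counter = int(now // STEP) + skew
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if counter in self.consumed:
                    return "rejected: code already used"   # a code is burned on first use
                self.consumed.add(counter)
                return "accepted"
        return "rejected: code expired or wrong"

def scenario() -> dict:
    """Replay the article's timeline against the verifier with constructed values."""
    secret = b"constructed-demo-seed-not-a-real-authenticator-key"
    server = Verifier(secret)
    t0 = 1_000_000_000.0            # constructed clock; the victim types the code at t0
    relayed = totp(secret, t0)      # the malware forwards this code to the attacker
    return {
        # relayed within the 30-second window: the attacker gets exactly one session
        "relay_in_real_time": server.login(relayed, t0 + 5),
        # the victim retries with the same code after the fake disconnect
        "victim_retries_same_code": server.login(relayed, t0 + 10),
        # keylogger-style: the captured code is cashed in two weeks later
        "replay_two_weeks_later": server.login(relayed, t0 + 14 * 86400),
        # a fresh code a couple of minutes later logs the real owner back in
        "owner_fresh_code": server.login(totp(secret, t0 + 120), t0 + 120),
    }
```

The first result is the only one that succeeds, which is why the attack has to be run in real time and cannot be batched the way stolen passwords are.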
What can you do about this type of attack? The same thing you can do about any attack. Keep your virus scanning software up to date (and update regularly, as this exploit is very new). Scan regularly. Practice safe surfing. Read the thread in the technical support forums on this issue very closely and remember the warning signs. If you run into anything unusual, do not repeatedly try to log in. Play it safe and run a virus scan. Your authenticator is still protecting you against the vast majority of hacking and keylogging methods; it is certainly not money wasted, and you shouldn't remove it in a fit of frustration.
Blizzard is very much aware of the issue and is actively looking for a solution.
Edit: This is a PC-only attack at the moment. Mac users are immune to this particular virus; however, they are not immune in general. Mac users must practice the same security methods as PC users.
Reader Comments (Page 3 of 11)
Eddy Feb 28th 2010 12:52PM
...Well, worst idea ever is hyperbole but I'd be kinda irritated.
Saidear Feb 28th 2010 12:54PM
Wouldn't work. Effectively, you are never communicating with Blizzard. You are communicating to the hacker, who communicates to Blizzard. You login, the virus intercepts the info and crashes the client (or fakes a 'could not connect' signal being sent to it) and forwards it to the hacker. At no point does Blizzard actually receive anything from your computer. Hence the name, "Man In The Middle".
However with two-factor authentication, with tokens usable only once in a limited time frame, the damage done is limited. They cannot change account settings, remove the authenticator, or such. The damage is kept to what is possible within a single session. The article has sound advice. I'd like to point out, we don't have sex without condoms, leave our houses unlocked, or put our wallets out in the open unattended. Why would you treat your computer any different?
0wn3d Feb 28th 2010 12:53PM
While I have no clue what the OP is talking about, they could make it so once you use an authenticator code, that specific code is tied to the IP that used it first. Then they would need to be on your network to be able to use the authenticator code that they stole. It wouldn't really be an inconvenience because I don't think many people log in from two different IPs within 20 seconds.
Galf Feb 28th 2010 12:54PM
@ophelos, I don't think you quite get what perderedeus is suggesting.
He's suggesting when your login information is sent, it sends the originating IP address. For example, when you log in it will send the following:
Username, Password, Authenticator (if applicable), Login IP : A.B.C.D
For a set amount of time (say, when the authenticator number expires) logins from an IP other than A.B.C.D would be rejected.
If the MIM keylogger attempts to login from IP W.X.Y.Z while this block is active, it will reject the login.
That's what I think he's getting at. Even if you disconnect in that timeframe, you will still be logging in from A.B.C.D, so your login will pass.
Mailia Feb 28th 2010 12:57PM
You cannot tie an Authenticator code to a specific IP, as the Authenticator is never connected online, and if you only had the Authenticator work on one IP, you couldn't log in at your friend's house / work / etc.
Drakkenfyre Feb 28th 2010 1:29PM
They aren't suggesting the code be tied to an IP.
What they are suggesting is when you log in, your IP is sent along with the authenticator code (your IP is already sent anyway) and then for the next however many minutes you cannot log in without using that same IP.
You log in, your authenticator code and IP address are sent. A trojan picks up your authenticator code, they try to log in, but since their IP address does not match yours, they aren't let in.
Faar Feb 28th 2010 1:31PM
@ Galf (and others)
Without knowing the exact specifics of how this malware works, very very likely you aren't at any point actually communicating to Blizzard when you try to log in and this malware is active.
Instead all your WoW IP traffic is being *tunneled through the hacker*, so if the authenticator code was to be tied to any specific IP address, it would be tied to the HACKER'S IP, and not the player's. Thus this security measure wouldn't work.
After you have supplied your authenticator code, all the hacker needs to do is shut down the IP tunnel and the player's PC would experience what looks like a regular disconnect. He'd swear, accuse Blizzard, and try to log in again. Since the tunnel isn't active anymore (the hacker is now in ur accountz, eating ur noms), this would be unsuccessful.
A sign you might be Man-in-the-Middle'd could be much laggier response from the login server than what you are used to since all information is being transmitted through a third party which might be physically very far away from you (the cynical would assume it's most likely located IN CHINA), and inability to log in again after getting disconnected. Try to log in from a physically different PC - like a friend's; NOT one in your own home that might also be infected by the same malware. When you manage to log in, the hacker will get booted out if he is still busy eating your noms and won't be able to get back in again until you open the door for him so to speak.
Mailia Feb 28th 2010 1:41PM
@Drakkenfyre
The trojan doesn't send the Authenticator code to Blizzard, because ONCE A CODE IS USED, IT CANNOT BE USED AGAIN, even if it's inside that 30 second window.
Daveti Feb 28th 2010 1:52PM
Agreeing with the comments above, without knowing the specifics of this exact malware, we can't know with 100% certainty, but it sounds like someone is spoofing Blizz's servers and forcing you to connect to them. My question is, does Blizz not use SSL for their client logins? Unless this emcor.dll somehow manages to modify Windows' SSL implementation (or Blizz stupidly uses their own and warden doesn't check it) this simply should not happen. I should have known something was off about their login system when I started playing with private servers. If my crappy little laptop can emulate Blizz's servers well enough to actually get you logged in then your account info is just an ini file modification away. Brilliant.
Alexander Feb 28th 2010 1:57PM
Wonder if it would be possible for Blizzard to allow you to tie a MAC address to your account in addition to everything else.
Janne Feb 28th 2010 1:59PM
I remember Facebook having this type of thing. When I tried to log in from pretty much half way around the globe they asked some extra questions.
mrluohua Feb 28th 2010 4:53PM
@perderedeus, no that wouldn't work because your IP of 192.168.12.1 never makes it to Blizzard. You're not talking to Blizzard, you're talking with the malware server. The malware server would just throw away your IP and use its own.
What WOULD work, is if authenticators could let you enter your IP. Then the authenticator could encode your IP address into the code it generates. In that way, the code it generates would be useless to anyone who isn't using your IP.
This would raise the cost of the authenticator quite a bit, and cause a lot of support issues for Blizzard as a lot of people would mistype their IP, or not understand how it works, or use their NAT'd IP rather than their external IP, etc.
It would solve this particular issue, though...
zerokiwi Feb 28th 2010 5:02PM
Not to mention that unless you pay for a static IP, most ISPs will change your public IP address from time to time
doit Feb 28th 2010 7:20PM
@Mailia
I am not particularly happy with your making public knowledge of my account and pass.
Mailia Feb 28th 2010 12:40PM
They won't put their efforts to this. They went from bot farming to hacking, because it was easier money and now, it is easier to concentrate on non-Authenticated accounts.
Halgrimur Feb 28th 2010 12:41PM
Is it just me hoping that Cataclysm is gonna ship WITH an Authenticator in-box?
Henry Feb 28th 2010 12:44PM
^ For everyone yeah would be good to have it mandatory or something soon. Most people get them AFTER they're hacked sadly but then they learn how wonderful they are to have.
Vashni Mar 4th 2010 8:49PM
Actually I was hacked and they used an authenticator to lock me out of my own account...
He deleted all my characters except my DK and then progressed to making my DK a bot that runs around in Storm Peaks killing the dudes that drop the Crystallized Fire. So if you see a DK just running around there randomly killing these things, lodge a complaint and get the account stopped; you will be saving the real account holder a whole lot of headaches ^^
flawless Feb 28th 2010 12:51PM
@Vashni
If you'd had an authenticator first, you wouldn't have been hacked.
Then again, if you'd been sensible with your account security, you wouldn't have been hacked.
flawless Feb 28th 2010 12:52PM
As a follow up to my previous post, I'd like to say that "hacked" is the wrong phrase to use - people are just careless about security, and they get their accounts compromised.