Man in the middle attacks circumventing authenticators

This is not the only report of this that we've seen, but it is the first time that a Blizzard representative has openly acknowledged that there is something afoot. For a full account of what happened, check the thread on the EU Technical Support forums. To sum up: There is a piece of malware (emcor.dll is what is being reported at the moment) that is being used as a hijacking tool to facilitate Man-in-the-Middle attacks on users.
Kropaclus: After looking into this, it has been escalated, but it is a Man in the Middle attack.
http://en.wikipedia.org/wiki/Man-in-the-middle_attack
This is still perpetrated by key loggers, and no method is always 100% secure.
To explain in the simplest way possible, instead of data being broadcast directly to Blizzard when trying to log in to your account, that data is being broadcast to a third party via this malware. This includes your authenticator code. Rather than you logging into your account, the hacker on the other end does so. They log into your account, clear out your characters, and move around virtual funds to fulfill orders from players buying gold. This method of circumvention has been theorized since the release of the key fobs, but it has only now started to actually happen.
Because the hacker is only receiving the data as it is transmitted, they are not able to log in more than once unless you are repeatedly broadcasting your authenticator code. They cannot change your account information. They are only in your account until they log off or are disconnected. The password is still your password. They are unable to remove or replace the authenticator. Removing the authenticator would require at least three different authenticator codes from you. One to log in to account management, and two for the actual removal. The chances of this happening are incredibly, obscenely low.

This security breach is unfortunate, but keep in mind that it's far more difficult to do than the keylogging we've suffered for the last few years. Hackers that used keyloggers could theoretically gather thousands of user names and passwords every day and get around to them at their leisure. Your account information could be stolen today, but it might not be used until two weeks later when the hacker needs to fulfill an order. In the case of a Man in the Middle attack like the ones we're seeing now, that can't be done. Authenticator codes need to be used within 30 seconds or they expire. A Man in the Middle attack needs to be done in real time with a large amount of timing and accuracy. This sort of attack is possible, but we don't expect it will happen as frequently as basic keylogging.
What can you do about this type of attack? The same thing you can do about any attack. Keep your virus scanning software up to date (and update regularly, as this exploit is very new). Scan regularly. Practice safe surfing. Read the thread in the technical support forums on this issue very closely and remember the warning signs. If you run into anything unusual, do not repeatedly try to log in. Play it safe and run a virus scan. Your authenticator is still protecting you against the vast majority of hacking and keylogging methods; it is certainly not money wasted, and you shouldn't remove it in a fit of frustration.
Blizzard is very much aware of the issue and is actively looking for a solution.
Edit: This is a PC-only attack, at the moment. Mac users are immune to this particular virus; however, they are not immune in general. Mac users must practice the same security methods as PC users.
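The two properties the post relies on, that a code expires with its 30-second window and that a code accepted once cannot be used to log in again, are both enforced on the server side of a time-based authenticator. The following is an added example (not Blizzard's code, and the seed, timestamps and verifier class are constructed for illustration) showing an RFC 6238 TOTP generator and a verifier that rejects both replays and expired codes; only what the server accepts is modelled, so the walkthrough shows why a captured code is worth exactly one login and nothing afterwards.

```python
import hashlib
import hmac
import struct

# Constructed demo seed; a real authenticator's seed is provisioned per device.
DEMO_SECRET = b"constructed-demo-seed-not-a-real-key"
STEP_SECONDS = 30   # the 30-second code lifetime the post describes
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, at // step)


class AuthenticatorVerifier:
    """Server-side check (constructed for this example) with two properties:
    a code only matches inside its time step (plus a small clock-skew allowance),
    and a time step that has already been consumed by a login is never accepted again."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, skew_steps: int = 1):
        self.secret = secret
        self.step = step
        self.skew_steps = skew_steps
        self.used_counters: set[int] = set()   # time steps already spent on a login

    def verify(self, code: str, now: int) -> str:
        """Return 'ok', 'replayed' or 'invalid' for a code presented at time `now`."""
        current = now // self.step
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            counter = current + delta
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if counter in self.used_counters:
                    return "replayed"
                self.used_counters.add(counter)
                return "ok"
        return "invalid"


def capture_scenario(secret: bytes = DEMO_SECRET, t0: int = 1_267_360_020) -> dict:
    """Walk through the post's scenario on a constructed clock: a single code is
    captured at t0 and presented to the server more than once."""
    server = AuthenticatorVerifier(secret)
    code = totp(secret, t0)
    outcomes = {}
    # 1. The code is presented once, within its window, by whoever holds it first.
    outcomes["first_use"] = server.verify(code, t0 + 2)
    # 2. The same captured code presented again a few seconds later.
    outcomes["replay"] = server.verify(code, t0 + 5)
    # 3. The same code presented after its step and the skew allowance have passed.
    later = t0 + 3 * STEP_SECONDS
    outcomes["expired"] = server.verify(code, later)
    # 4. A freshly generated code at that later time is still accepted.
    outcomes["fresh_later"] = server.verify(totp(secret, later), later)
    return outcomes


if __name__ == "__main__":
    for name, result in capture_scenario().items():
        print(f"{name:12s} -> {result}")
```

The `used_counters` set is what makes the second presentation fail even though the code is still inside its 30-second window; without that single-use check, a code captured during the window could be spent twice. In a real deployment the consumed-step record lives in shared storage with the same lifetime as the skew window, so that it survives across login servers.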
Filed under: Account Security
Reader Comments (Page 4 of 11)
Docp Feb 28th 2010 1:51PM
The problem with making authenticators mandatory is that it then forces hackers to try and find workarounds for authenticators. At the moment a large chunk of the safety of authenticators comes from the fact that there are easier targets to attack; to put it in wow terms, you're misdirecting threat onto those without authenticators.
Maybe authenticators really are safe and even if everyone else had them those who want our accounts still couldn't get through them, but I wouldn't underestimate their ingenuity.
Oriflame Feb 28th 2010 1:55PM
@Flawless
You seem to think that your account is invulnerable, but I would like to know what you are doing that makes you think this. Just running a patched system with antivirus, a personal firewall, and never surfing to any sites you don't trust doesn't make you immune to hackers. It makes you much less of an easy target, but everyone that gets hacked isn't an idiot.
Yes, taking the basic measures is good, but it isn't perfect - don't feel like you're such a smart guy because you haven't been hacked.
The irony of your handle is probably lost on you. :)
Hollow Leviathan Feb 28th 2010 2:22PM
Requiring that all wow accounts use an authenticator does make everyone safer. The level of compromise for a hacked account with an authenticator is limited and less than an unauthenticated account, authenticated accounts have to be hacked in real-time instead of via phishing, and it's much harder generally to hack them.
It's even possible that with mandatory authentication, that the most profitable source of in-game gold becomes botting/farming again, which would effectively kill hacking.
flawless Feb 28th 2010 12:43PM
Hadn't seen any post regarding this on WoW.com so sent this in via comments - as the post says, you don't need to panic at all. Authenticators are still the best option for account security, but a secure chain is only as strong as its weakest link. Since the user is also one of those links, just make sure you're as vigilant as you can be.
There are posts that mention current virus scans not detecting the emcor.dll as a threat, but hopefully they have been reported as such and will be flagged for new threat definitions shortly, helping to protect those who haven't seen this news. If you have been infected by the dll, please use your virus scanner/security suite to report it to the developers so that it can be investigated and flagged.
CM Feb 28th 2010 12:47PM
Unfortunately people will just use this as justification for *not* buying an authenticator.
Mailia Feb 28th 2010 12:48PM
And they are the ones that will suffer.
Lissanna Feb 28th 2010 12:51PM
Having an authenticator limits the likelihood of being hacked by a substantial amount. If people think being less secure will help them, then they deserve to get hacked.
Crowqueen Feb 28th 2010 3:10PM
There's a selection of ghastly, arrogant threads on the EU general forums as we speak. Trust WoW.com people to keep things in proportion :).
http://forums.wow-europe.com/thread.html?topicId=12730534403&sid=1
/facepalm.
DarkWalker Feb 28th 2010 7:35PM
People need to realize that getting an authenticator is just one step to secure your account. This "man in the middle" attack is just one of the multiple potential ways an authenticator could be compromised; there are even potential methods to get an authenticator removed from an account. For those that doubt it, go look at existing exploits to circumvent bank issued authenticators.
Just for the naysayers, how to remove an authenticator using something with the same capabilities this man-in-the-middle attack have:
- Let the person log and get one code. Use it to log into their account management.
- Let the person play for some 5-10 minutes, and then disconnect him by cutting WoW's connection to Blizzard's servers.
- When he tries to log once, register the code, make it seem as if Blizzard rejected it, but delay the error message until the code has expired.
- He will probably try to log again. Get the new code. The cracker is now logged into the victim's account and has the pair of authenticator codes needed to remove the authenticator. If he wants, he can then proceed to attach a different authenticator to further lock the owner out of his account.
Lissanna Feb 28th 2010 12:50PM
Keep in mind that if you have any type of keylogger on your computer, it is safer to HAVE an authenticator than to not have one. It's equally important, however, to practice safe internet & anti-keylogger practices.
If you DON'T have an authenticator, then it is pretty easy for them to change the e-mail address associated with the account, or to add an authenticator of their own, or to really muck things up in a way that is going to be hard to recover from.
With an authenticator, the amount of damage they could do is limited even with one of these kinds of attacks - because you are limiting how many authenticator codes they can get.
Basically, 99% of hacked accounts don't have an authenticator on the account, because not having an authenticator leaves your account much more vulnerable. With the 2 or 3 confirmed cases of bypassing the authenticator, compared to likely thousands or millions of people hacked without an authenticator, it's better to be more secure (ie. have an authenticator) than less secure.
Morcego Feb 28th 2010 1:51PM
If the computer was compromised, it is no longer "your computer".
Tankadin Feb 28th 2010 12:52PM
Off topic, but what happens if you lose your authenticator? Does Blizz have a safety for this so you're not locked out of your own account?
Lissanna Feb 28th 2010 12:54PM
If you lose your authenticator, you can call Billing and work through their process for removing it from the account.
Cheese Rations Feb 28th 2010 12:51PM
This isn't really that much scarier than any other piece of keylogger or malware targeted toward WoW players. It doesn't exploit any flaws in Blizzard's systems or the authenticator in general. It is still a result of poor security and actions by the user of the computer involved.
If you don't properly secure your computer and prevent it from becoming infected, no amount of extra security like an authenticator will protect you. As great as authenticators are, I think that they don't treat the actual problem and likely cause people to become more lax with their computer's security. With that said, everyone should still have one.
I'm glad that this WoW.com article isn't the typical scaremongering that we'd see on some other sites were something like this to happen. Alex took a very realistic and professional stance in writing this and didn't take an initial Blizzard-bashing stance like we've seen happen before.
Leevo Mar 2nd 2010 2:30PM
ANYONE can be hacked...using any OS/Hardware combo!
Some posts throughout this thread suggest (not necessarily the one I hit reply under) that only 'idiots' get malware and 'deserve what they get'.
WRONG
Typical scenario as to how keyloggers (and possibly this man in the middle bit of code) can be distributed.
1. User is banging away at some Mob in ZF and wipes.
2. User hits his start button or opens a browser and types in "WoW ZF Instance".
3. User's OS opens default browser and search engine...displays a list of links that look helpful on defeating this encounter.
4. User reads the website.
5. User now has a keylogger!
Yes, it happens every day!
Many people don't know or care that there are choices of browsers out there. It doesn't necessarily make them 'stupid', nor 'deserving' of being hacked.
This is why several layers of security become more important.
Here are a few ideas:
1. If you can afford it...set aside a junk low end PC for all of your general web browsing. Never use this junk PC for the exchange of personal information, or logging into sensitive accounts. Have a second PC with a very secure browser. ONLY use the browser on this PC for your sensitive transactions and NEVER 'browse' the web or do general 'internet/lan searches' with it. Carefully screen the apps and tasks that are allowed to run on your better 'secured' system.
2. Do regular virus/malware scans on all systems on your LAN.
3. Get an authenticator...they aren't very expensive at all...I suspect the shipping part is as much or more than the authenticator cost...these do knock out several methods out there that are used to compromise WoW accounts.
Some other future possibilities:
WoW could have more layers of passwords throughout the game. I.E. Before you can send 4000 gold, to some non-account bound toon, sell 50 epic items to a vendor in a row, or mail dozens inventory items to some non-account bound toon...they could ask for additional security codes or phrases (this could even ask for the authenticator code if you have one).
Just my two cents...
I personally would not mind having to punch in a fresh authenticator code in order to 'clean out' my vault, or send an unusually large amount of WoW Gold to some avatar or account that is not obviously linked/bound to ME. It's rare that I would just send someone 5,000 gold off hand...so occasionally having to enter my code would be painless in retrospect to losing it all!
I.E. If I'm sending more than 500g or 50 items to one of my own toons bound to the same account...no check.
If I'm sending it to another account that is bound to my armory/billing account...no check.
I.E. If I go to a vendor and am offloading 20 or more green or better items in one go...a code is requested just after closing the transaction....no code...items go back in bags.
Make sense?
Extra layers can and should be implemented to help guard from 'man in the middle' attacks.
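The step-up idea in the comment above, a fresh code demanded only for transfers that leave the owner's own accounts or for large vendor dumps, maps onto a small policy plus a gate that holds the transfer until the code is confirmed. Below is an added example (not Blizzard's design or code) that generalizes the thresholds the commenter gives; the `Transfer` fields, the limits, the 60-second confirmation window and the `StepUpGate` class are all constructed assumptions, and the actual code check is left to an external verifier and passed in as `code_ok`.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Transfer:
    """One in-game action that moves value (field names constructed for this example).
    `sender_account` / `recipient_account` are the billing (account-level) identities,
    so two characters on the same account compare equal."""
    kind: str                          # "mail", "trade" or "vendor_sell"
    sender_account: str
    recipient_account: Optional[str]   # None for a vendor sale
    gold: int = 0
    items: int = 0


# Thresholds taken from the comment's examples; constructed policy, not a game rule.
GOLD_LIMIT = 500
ITEM_LIMIT = 50
VENDOR_BATCH_LIMIT = 20
CONFIRM_WINDOW_SECONDS = 60   # assumed: how long the player has to enter the code


def needs_fresh_code(t: Transfer) -> bool:
    """Decide whether this transfer must be confirmed with a freshly entered code."""
    if t.kind == "vendor_sell":
        return t.items >= VENDOR_BATCH_LIMIT
    if t.recipient_account == t.sender_account:
        return False   # characters bound to the same account: no check
    return t.gold > GOLD_LIMIT or t.items > ITEM_LIMIT


@dataclass
class StepUpGate:
    """Holds transfers that need a code until one is confirmed; anything not
    confirmed in time, or confirmed with a bad code, is rolled back to the sender."""
    pending: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def submit(self, tid: str, t: Transfer, now: int) -> str:
        if not needs_fresh_code(t):
            self.log.append((tid, "committed"))
            return "committed"
        self.pending[tid] = (t, now)          # value is held, not moved, until confirm()
        return "awaiting_code"

    def confirm(self, tid: str, code_ok: bool, now: int) -> str:
        """`code_ok` is the result of the external authenticator check (assumed)."""
        t, submitted_at = self.pending.pop(tid)
        if code_ok and now - submitted_at <= CONFIRM_WINDOW_SECONDS:
            self.log.append((tid, "committed"))
            return "committed"
        self.log.append((tid, "rolled_back"))   # no code, or too late: gold/items go back
        return "rolled_back"
```

Because every qualifying transfer demands its own fresh code, a session that was opened with one captured code cannot drain the account: each further high-value action would need another code that the owner has not typed. The comparison is on account identity rather than character name, which is what keeps the "my own alts" case free of prompts.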
MDrules Mar 16th 2010 3:12PM
@Leevo
That's some good advice. I use virtual machines to accomplish this task. I'm more paranoid with banking/cc info than my wow account.
I think that we should approach this from more of a 'cure the addict' and the drug dealers go away problem. I think this just proves that if you build a better mouse trap, you get a better mouse. If you want to STOP 'hackers', you need to get people to stop buying gold. I know, easier said than done.
Nazgûl Feb 28th 2010 12:55PM
Stay calm...
YOU'VE BEEN HACKED
Lissanna Feb 28th 2010 12:57PM
The actual # of confirmed cases of authenticators being bypassed is still below 10 accounts worldwide, so far as I've been able to tell. The odds of being hacked without an authenticator are still much higher than the odds of being hacked with an authenticator. It kinda feels like yelling "shark!" in a swimming pool and seeing everyone scatter....
Noah Feb 28th 2010 1:30PM
Everybody panic! We're all being hacked — by a shark!
Shigsy Feb 28th 2010 12:57PM
IP addresses are easily geographically identifiable, so I'd have thought it would be relatively easy to, say, flag your own account for use only in your country. This would surely stop a lot of it, as commonly the perpetrators are in China or something. :) I guess this could similarly be applied to Credit Cards - tell your bank you're only ever going to use your card in your own country (which in a lot of cases most of us only ever do). Sure there are exceptions, but it would reduce the issue massively in my opinion. Every example of credit card cloning or identity theft I've come across personally is always flagged up from use abroad. There is of course the issue of IP masquerading.... :S