Man in the middle attacks circumventing authenticators

This is not the only report of this that we've seen, but it is the first time that a Blizzard representative has openly acknowledged that there is something afoot. For a full account of what happened, check the thread on the EU Technical Support forums. To sum up: There is a piece of malware (emcor.dll is what is being reported at the moment) that is being used as a hijacking tool to facilitate Man-in-the-Middle attacks on users.
Kropaclus: After looking into this, it has been escalated, but it is a Man in the Middle attack.
http://en.wikipedia.org/wiki/Man-in-the-middle_attack
This is still perpetrated by key loggers, and no method is always 100% secure.
To explain in the simplest way possible, instead of data being broadcast directly to Blizzard when trying to log in to your account, that data is being broadcast to a third party via this malware. This includes your authenticator code. Rather than you logging into your account, the hacker on the other end does so. They log into your account, clear out your characters, and move around virtual funds to fulfill orders from players buying gold. This method of circumvention has been theorized since the release of the key fobs, but it has only now started to actually happen.
Because the hacker is only receiving the data as it is transmitted, they are not able to log in more than once unless you are repeatedly broadcasting your authenticator code. They cannot change your account information. They are only in your account until they log off or are disconnected. The password is still your password. They are unable to remove or replace the authenticator. Removing the authenticator would require at least three different authenticator codes from you. One to log in to account management, and two for the actual removal. The chances of this happening are incredibly, obscenely low.

This security breach is unfortunate, but keep in mind that it's far more difficult to do than the keylogging we've suffered for the last few years. Hackers that used keyloggers could theoretically gather thousands of user names and passwords every day and get around to them at their leisure. Your account information could be stolen today, but it might not be used until two weeks later when the hacker needs to fulfill an order. In the case of a Man in the Middle attack like the ones we're seeing now, that can't be done. Authenticator codes need to be used within 30 seconds or they expire. A Man in the Middle attack needs to be done in real time with a large amount of timing and accuracy. This sort of attack is possible, but we don't expect it will happen as frequently as basic keylogging.
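As an added illustration (not part of the article, and not Blizzard's code), the simulation below uses a constructed time-based code and a server-side check that accepts each code only once within its 30-second window. It shows the three outcomes the article describes: a code relayed in real time is accepted once, the victim's own attempt with the same code then fails, and a code captured for later use has expired. The code algorithm is a simplified assumption, not the real authenticator's.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 30  # code lifetime stated in the article

def code_at(secret: bytes, now: int) -> str:
    """Constructed 6-digit time-based code: HMAC-SHA1 over the 30-second
    step counter (assumption; not the real authenticator's algorithm)."""
    counter = struct.pack(">Q", now // STEP_SECONDS)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

class OtpVerifier:
    """Server side: accepts the current step (plus one step of clock drift)
    and records consumed codes, so a relayed code works at most once."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.used = set()  # (step, code) pairs already accepted

    def verify(self, code: str, now: int) -> str:
        step = now // STEP_SECONDS
        for candidate in (step, step - 1):
            expected = code_at(self.secret, candidate * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                if (candidate, code) in self.used:
                    return "rejected: already used"
                self.used.add((candidate, code))
                return "accepted"
        return "rejected: expired or wrong"

def simulate() -> dict:
    """Constructed scenario from the article: malware relays the victim's
    code to the attacker, who submits it first, in real time."""
    secret = b"constructed-shared-secret"
    server = OtpVerifier(secret)
    t0 = 1_267_000_000  # arbitrary fixed timestamp
    captured = code_at(secret, t0)  # what the malware sees at login
    return {
        "attacker_live": server.verify(captured, t0 + 5),     # relayed within window
        "victim_after": server.verify(captured, t0 + 6),      # same code, now consumed
        "attacker_later": server.verify(captured, t0 + 120),  # keylogger-style replay
    }
```

The single-use record is what limits a real-time relay to one session per captured code; the short window is what defeats the harvest-now, use-later pattern of ordinary keylogging.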
What can you do about this type of attack? The same thing you can do about any attack. Keep your virus scanning software up to date (and update regularly, as this exploit is very new). Scan regularly. Practice safe surfing. Read the thread in the technical support forums on this issue very closely, and remember the warning signs. If you run into anything unusual, do not repeatedly try to log in. Play it safe and run a virus scan. Your authenticator is still protecting you against the vast majority of hacking and keylogging methods; it is certainly not money wasted, and you shouldn't remove it in a fit of frustration.
Blizzard is very much aware of the issue and is actively looking for a solution.
Edit: This is a PC-only attack, at the moment. Mac users are immune to this particular virus; however, they are not immune in general. Mac users must practice the same security methods as PC users.
Reader Comments (Page 5 of 11)
jasonkidd1234 Feb 28th 2010 1:24PM
I guess going by country could work, but it's not that difficult to proxy yourself into another country. I have friends that have used a proxy to make themselves appear as if they are in Russia, among other things.
Really, the best way to ensure your account is safe is to BE safe. All the authenticators in the world aren't going to protect you if you click on every suspicious link you find.
Get a good solid, regularly updated anti virus, anti-spyware, and DON'T click on random links.
If in doubt, don't click. Simply. Then the only attacks that will happen to you are the result of targeted attacks, which are much rarer and less likely than attacks you bring upon yourself.
Morcego Feb 28th 2010 1:59PM
Not really a good idea. I know I'm not the only one that uses IP tunnels to play WoW, either all the time or occasionally (my case).
People should just stop expecting Blizzard to fix their (the user's) computers security.
And seriously, if your computer gets compromised, is your WoW account your main worry?
DarkWalker Feb 28th 2010 7:35PM
The cracker could transform your own computer into an internet tunnel for him to hack your own account. If your computer is already compromised, this would not even be hard. So, it's another layer of protection, but would annoy the heck out of anyone that plays WoW while travelling or uses tunnels, while not being 100% secure.
lllcolelll Feb 28th 2010 12:58PM
Some of us would get it, but we can't because Blizzard isn't shipping to our country... so all we can do is sit back and wait... ffs...
scherbaddie Feb 28th 2010 8:23PM
Or you can get the Battle.net mobile authenticator instead and install it on almost any mobile phone.
If you don't have a mobile phone with internet (or wifi) access, you can: fake a phone user-agent with a firefox addon, download the authenticator to your hard drive and install it on the J2ME emulator that comes with the Sun J2ME Wireless Toolkit 2.2 (free download). Then you have an authenticator that runs on your (windows/linux) computer.
Glasken Feb 28th 2010 1:17PM
The solution to this is relatively simple, and one that has been used by organizations that use RSA key tokens (basically the same as an Authenticator) to prevent man in the middle attacks:
Encrypt the login session.
Blizzard would need to change the client so that initial setup of the communication channel occurred by having the client connect to the login servers in order to get the username/password screen, but in doing so it would prevent this type of attack - because as soon as you hit enter, the data is encrypted and sent to Blizzard. If the article is correct on how this particular attack works, they are using hooks into the login screen of the WoW client in order to capture the data. If those hooks no longer exist, because that screen is no longer part of the client, then this should prevent the attack. This would require that Blizzard implement some decent encryption - SSL is a start, but there are other solutions.
Morcego Feb 28th 2010 2:07PM
Encrypting the login session doesn't protect against man-in-the-middle attacks. Sorry.
Yes, it is still better than plain text data, without a doubt. But thinking this would solve the problem is just plain wrong.
Actually, there is more than one way to compromise that kind of connection. Session Hijacking is another method that might prove to be a valid attack.
In a nutshell, once the user's computer gets compromised, there is nothing Blizzard can do to assure the WoW account won't be also.
DarkWalker Feb 28th 2010 7:35PM
The cracker just needs to use a common keylogger to get the code, so this would offer almost no extra protection in this specific case.
RedGuard Feb 28th 2010 1:17PM
I'm no expert but... is it really "hacking" if someone breaks into your account? I thought hacking was a lot more complicated than that.
jasonkidd1234 Feb 28th 2010 1:26PM
Hacking is generally just when somebody you don't want messing with your computer is messing with your computer.
It's not hacking on a high level, but it is generally considered hacking if somebody puts a keylogger on your computer, and takes data from it.
Morcego Feb 28th 2010 1:46PM
The correct term for this is "compromised". But if you say "hacked", everyone will know what you are talking about.
Kung Fu Hamster Feb 28th 2010 1:26PM
And yet some people still mock me for playing WoW in Linux...
No malware for me!
Membrane Feb 28th 2010 1:35PM
Don't fool yourself into thinking that Linux will protect you from yourself just because it isn't Windows.
Morcego Feb 28th 2010 1:41PM
No amount of technology will protect the world against stupidity.
However, considering what a PITA it is to get WoW running on Linux, I would say that guy has at least some idea what he is doing.
Drakkenfyre Feb 28th 2010 1:34PM
The term "hacking" has become used for everything nowadays. It's overused.
"I was hacked!"
No, you weren't. You fell for a phishing scam, and gave your login info away.
"I was hacked!"
No, you weren't, you let someone else log in to your account, and they cleaned your account out.
If someone places a virus on your computer that does damage (no data stolen, just does damage) they will say they were "hacked".
The term "hacking" originated from the "hacking" apart of circuit boards and resoldering them back together to do what you want. It's just overused today.
Drakkenfyre Feb 28th 2010 1:35PM
And this was a reply to someone above. Damn reply fails.
Birdfall Feb 28th 2010 1:36PM
AVG Free is a free program to check for viruses.
Malwarebytes handles your malware and spyware issues.
For extra keylogging protection, get I-Hate-Keyloggers.
Morcego Feb 28th 2010 1:44PM
Actually, according to the latest antivirus studies (they are around, just look for them), Microsoft Security Essentials (aka Microsoft Antivirus) is more effective than AVG Free.
The best antivirus around are still the usual suspects: Kaspersky, Symantec, McAfee and NOD32. Those 4 have been holding their ground in the top 5 positions for the past few years. Microsoft's has been steadily climbing ranks, and is already showing in the top 5 in a few tests, but is still nowhere near as good as the other 4 I mentioned.
DarkWalker Feb 28th 2010 7:35PM
If the cracker uses his own virus/trojan, you are out of luck with most (if not all) of the anti-virus products on the market today. Besides, a cracker can get most of the anti-virus products and just modify their trojan until none of the most popular ones picks it up; heuristics (which is what they use to catch unknown viruses) is not a totally trustworthy means of detection.
Thijs Feb 28th 2010 1:40PM
I know if there weren't authenticators there would be more people who were hacked, but they've got to fix this problem; otherwise the authenticators won't be needed anymore and more people will be hacked -.-