2-28-2010 @ 12:39PM
Can't they come up with something where only the IP address of the person initially starting the WoW client (or acct. management session) has access to the game/website? Basically, if I load up WoW and try logging in with a public IP of 192.168.12.1 and this keylogger nabs me, and I end up failing the process... the hacker ACTUALLY logging in would be using a different IP address. Unless they're in my house, which I doubt. They could stop allowing accounts to be accessed within, say, a 60 second timeframe from two different IPs. No one legitimately using their account would be switching that quickly.
2-28-2010 @ 12:42PM
Blizzard wouldn't put something in place like this, because people like to log in to their accounts on friends' computers. Which is a bad idea to do. :P
2-28-2010 @ 12:45PM
a) 192.168.12.1 is your LAN address. b) How does the IP thingy work? I'm gonna give an example. I come home from work and start WoW. I enter my account name, ExampleAccount@YarrHarr.com and password YarrHarrFiddlyDee. The keylogger gets both of these things, but the data still gets connected to Blizzard and the WoW client asks for the Authenticator key. I enter the key, 123456 and instead of sending that to Blizzard, thus disabling it, it sends it to the hacker, who gets the key 123456, which lasts for about 30 seconds and sends some other key, like 456789 to Blizzard and you will see an error when logging in. If the IP restriction would come, someone trying to lock on your account could disable you from getting in the game by trying to access the game on your account name all the time.
2-28-2010 @ 12:51PM
This is going to sound really ignorant, but is IP address the physical location of your computer? Say, if you log in from your laptop at your mother's house or your school compared to your apartment, you'd be posting from a different IP address? If that's how it works, that would be the worst idea ever.
2-28-2010 @ 12:52PM
...Well, worst idea ever is hyperbole but I'd be kinda irritated.
2-28-2010 @ 12:54PM
Wouldn't work. Effectively, you are never communicating with Blizzard. You are communicating to the hacker, who communicates to Blizzard. You login, the virus intercepts the info and crashes the client (or fakes a 'could not connect' signal being sent to it) and forwards it to the hacker. At no point does Blizzard actually receive anything from your computer. Hence the name, "Man In The Middle". However with two-factor authentication, with tokens usable only once in a limited time frame, the damage done is limited. They cannot change account settings, remove the authenticator, or such. The damage is kept to what is possible within a single session. The article has sound advice. I'd like to point out, we don't have sex without condoms, leave our houses unlocked, or put our wallets out in the open unattended. Why would you treat your computer any different?
2-28-2010 @ 12:53PM
While I have no clue what the OP is talking about, they could make it so once you use an authenticator code, that specific code is tied to the IP that used it first. Then they would need to be on your network to be able to use the authenticator code that they stole. It wouldn't really be an inconvenience because I don't think many people login from two different IPs within 20 seconds.
@ophelos, I don't think you quite get what perderedeus is suggesting. He's suggesting when your login information is sent, it sends the originating IP address. For example, when you log in it will send the following: Username, Password, Authenticator (if applicable), Login IP: A.B.C.D. For a set amount of time (say, when the authenticator number expires) logins from an IP other than A.B.C.D would be rejected. If the MIM keylogger attempts to login from IP W.X.Y.Z while this block is active, it will reject the login. That's what I think he's getting at. Even if you disconnect in that timeframe, you will still be logging in from A.B.C.D, so your login will pass.
2-28-2010 @ 12:57PM
You cannot tie an Authenticator code to a specific IP, as the Authenticator is never connected online and if you only had Authenticator work on one IP, you couldn't log in at your friend's house / work / etc.
2-28-2010 @ 1:29PM
They aren't suggesting the code be tied to an IP. What they are suggesting is when you log in, your IP is sent along with the authenticator code (your IP is already sent anyway) and then for the next however many minutes you cannot log in without using that same IP. You log in, your authenticator code and IP address are sent. A trojan picks up your authenticator code, they try to log in, but since their IP address does not match yours, they aren't let in.
2-28-2010 @ 1:31PM
@ Galf (and others) Without knowing the exact specifics of how this malware works, very very likely you aren't at any point actually communicating to Blizzard when you try to log in and this malware is active. Instead all your WoW IP traffic is being *tunneled through the hacker*, so if the authenticator code was to be tied to any specific IP address, it would be tied to the HACKER'S IP, and not the player's. Thus this security measure wouldn't work. After you have supplied your authenticator code, all the hacker needs to do is shut down the IP tunnel and the player's PC would experience what looks like a regular disconnect. He'd swear, accuse Blizzard, and try to log in again. Since the tunnel isn't active anymore (the hacker is now in ur accountz, eating ur noms), this would be unsuccessful. A sign you might be Man-in-the-Middle'd could be much laggier response from the login server than what you are used to since all information is being transmitted through a third party which might be physically very far away from you (the cynical would assume it's most likely located IN CHINA), and inability to log in again after getting disconnected. Try to log in from a physically different PC - like a friend's; NOT one in your own home that might also be infected by the same malware. When you manage to log in, the hacker will get booted out if he is still busy eating your noms and won't be able to get back in again until you open the door for him so to speak.
2-28-2010 @ 1:41PM
@Drakkenfyre The trojan doesn't send the Authenticator code to Blizzard, because ONCE A CODE IS USED, IT CANNOT BE USED AGAIN, even if it's inside that 30 second window.
2-28-2010 @ 1:52PM
Agreeing with the comments above, without knowing the specifics of this exact malware, we can't know with 100% certainty, but it sounds like someone is spoofing Blizz's servers and forcing you to connect to them. My question is, does Blizz not use SSL for their client logins? Unless this emcor.dll somehow manages to modify Windows' SSL implementation (or Blizz stupidly uses their own and warden doesn't check it) this simply should not happen. I should have known something was off about their login system when I started playing with private servers. If my crappy little laptop can emulate Blizz's servers well enough to actually get you logged in then your account info is just an ini file modification away. Brilliant.
2-28-2010 @ 1:57PM
Wonder if it would be possible for Blizzard to allow you to tie a MAC address to your account in addition to everything else.
2-28-2010 @ 1:59PM
I remember Facebook having this type of thing. When I tried to log in from pretty much halfway around the globe they asked some extra questions.
2-28-2010 @ 4:53PM
@perderedeus, no that wouldn't work because your IP of 192.168.12.1 never makes it to Blizzard. You're not talking to Blizzard, you're talking with the malware server. The malware server would just throw away your IP and use its own. What WOULD work, is if authenticators could let you enter your IP. Then the authenticator could encode your IP address into the code it generates. In that way, the code it generates would be useless to anyone who isn't using your IP. This would raise the cost of the authenticator quite a bit, and cause a lot of support issues for Blizzard as a lot of people would mistype their IP, or not understand how it works, or use their NAT'd IP rather than their external IP, etc. It would solve this particular issue, though...
2-28-2010 @ 5:02PM
Not to mention that unless you pay for a static IP, most ISPs will change your public IP address from time to time.
2-28-2010 @ 7:20PM
@Mailia I am not particularly happy with your making public knowledge of my account and pass.
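
A model of the IP-lock proposal debated in the comments above, added here as an example and not written by any commenter or by Blizzard. The server class, the `scenario` helper, the secret and the addresses are all constructed; the model accepts each time-based code once and can optionally pin the account to the first source IP it sees, then reports what the server decides in the direct case and in the relayed case the thread describes.

```python
import hashlib
import hmac
import struct

STEP = 30          # seconds a code stays valid (the thread's "about 30 seconds")
LOCK_WINDOW = 60   # seconds the account stays pinned to the first source IP

def totp(secret: bytes, now: int) -> str:
    """RFC 6238-style 6-digit code for the time step containing `now`."""
    digest = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

class LoginServer:
    """Hypothetical verifier: single-use codes plus an optional source-IP lock."""

    def __init__(self, secret: bytes, ip_lock: bool = True):
        self.secret, self.ip_lock = secret, ip_lock
        self.used = set()      # codes already accepted (replay protection)
        self.pinned = None     # (ip, expiry) set by the last successful login

    def login(self, code: str, source_ip: str, now: int) -> str:
        pin = self.pinned if self.ip_lock else None
        if pin and now < pin[1] and source_ip != pin[0]:
            return "rejected: ip-lock"
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return "rejected: bad-code"
        if code in self.used:
            return "rejected: code-reused"
        self.used.add(code)
        self.pinned = (source_ip, now + LOCK_WINDOW)
        return "ok"

def scenario(relayed: bool, ip_lock: bool = True) -> list:
    """Return the server's verdicts for one login attempt and its follow-up."""
    secret, t0 = b"constructed-demo-secret", 1_000_000
    victim_ip, other_ip = "198.51.100.7", "203.0.113.9"  # documentation ranges
    server, code = LoginServer(secret, ip_lock), totp(secret, t0)
    if relayed:
        # The server's first sight of the code is from the intermediary; the
        # player then retries from home with a fresh code in the next step.
        first = server.login(code, other_ip, t0)
        second = server.login(totp(secret, t0 + STEP), victim_ip, t0 + STEP)
    else:
        # The player's code reaches the server directly; a copy arrives later.
        first = server.login(code, victim_ip, t0)
        second = server.login(code, other_ip, t0 + 5)
    return [first, second]
```

In the direct case the IP lock rejects nothing that single-use codes would not already reject, while in the relayed case the pin lands on the intermediary's address and the player's own retry is the login that gets refused.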