Update: Keylogger source identified

Just a quick update from our friends at World of Raids about the current situation regarding circumvented authenticators. It appears that multiple websites are being used to spread this malware. Be careful about which sites you download addon updates from; fake website addresses are being used to trick users.
For example, one of the fake sources appears as a "Sponsored Link" right at the top of a Google search. Don't actually visit that site and be sure to warn players asking about addons where to go.
What happens is that the fake site lets you download a fake copy (did you see fake?) of the WowMatrix AddOn Manager, which installs emcor.dll. This Trojan (Malware.NSPack) can currently be detected by Malwarebytes.
Thanks Kody!
Filed under: News items, Account Security

Reader Comments (Page 2 of 4)
Sterb Mar 1st 2010 6:16PM
I came here to bring up the same point. Google is royally falling down on the job here. They were running a service off their search engine that would warn you if you clicked a dangerous site. That service seems rather worthless considering it's not even going to protect you from links they are handing you.
The fact is by running these ads, they are endorsing the links contained within. Google needs to take a lot more heat for this.
Elleyna Mar 1st 2010 11:16AM
I always just type in curse.com, as great as google is, it's not perfect when it comes to weeding out bad sites.
galestrom Mar 1st 2010 11:56AM
I've avoided clicking on sponsored links for quite some time. They simply don't go through the algorithms that typical results do. They're purchased. This means that the site could contain anything at all, far removed from Google's standards.
Genuine results on the other hand attain their high ranking in Google's placement by being applicable. They're referenced often by other sites, visited often by a variety of users, and are prominent on the web in other ways.
The long and short of it is, Google isn't the problem here. Users are. RSA tokens represent one of the most secure methods of keeping accounts protected, and one of the most infallible.
It's this simple: if you give away the keys, you can't be surprised when they're used.
neon12025 Mar 1st 2010 11:18AM
I have always been iffy about add on sites. I'm sure this has been asked before, but does wow.com have a list of safe add on sites?
Duulket Mar 1st 2010 11:24AM
www.curse.com, www.wowinterface.com, and www.wowace.com are your best bets for addons.
Raaj Mar 1st 2010 12:06PM
Adding to that, TYPE THE URLS INTO YOUR BROWSER'S ADDRESS BAR YOURSELF. All these keyloggers seem to come from similarly named websites that appear when you Google the name of a website you already know exists. Do these duplicate sites even pop up if you Google something like "wow addons" ? I tried on both browsers I have and can't get sponsored links to even show up, so I apologize for not being able to test it.
Shrike Mar 1st 2010 4:17PM
As Duulket said, use www.curse.com or www.wowinterface.com. S/he also mentioned www.wowace.com, but wowace no longer hosts any AddOns; all wowace AddOns in beta/release form should be available on Curse instead.
Finally, WoWMatrix in particular is not a recommended site for AddOns. It has a history of unethical behavior and it often has out-of-date AddOns (it only gets current versions if it steals them or is directly given them by authors, and authors are predominantly against WoWMatrix because of its past unethical behavior).
Tim Mar 1st 2010 11:19AM
People should be more careful even though authenticators are a good tool. I manually install the few addons I use and I get them from the same source. Also scanning it wouldn't hurt. Another thing to remember is that hackers come up with new ways to hack others all the time so being careful is always the best policy. Never let your guard down.
Chuck Mar 1st 2010 11:20AM
And this is why I don't run 3rd party applications to update my addons. Is it a bit more work to manually download and unpack the zip files? Sure, but it protects you from this sort of man in the middle attack.
And like most cases of account hijacking, it comes down to poor security at the end-user level.
jasonkidd1234 Mar 1st 2010 1:14PM
This.
I don't use Curse's auto downloader. The odds are low, but entirely possible that somehow a rogue file that isn't an addon makes it on there, and bam, formatted hard drive, keylogger, etc.
Tinwhisker Mar 1st 2010 11:24AM
Remember, all the security in the world can be circumvented by a careless user. This particular attack that has limited ability to hack an authenticated account in real time requires that the user go to a fake website, download a program and install it on their computer.
Blizzard can build the sturdiest doors and the strongest locks but it won't help at all if users keep handing out keys.
seanthehorde Mar 1st 2010 11:37AM
I agree 100% with this. Computer security is common sense.
Common sense is the least common of all the senses.
Tyr Mar 1st 2010 11:48AM
Please stop with the common sense bullshit. Even common sense (if you don't have an authenticator) won't save your ass 100% of the time.
I was hacked about a month ago; my anti-virus/firewall was updated and active, I had teatimer running, scanned my comp once a week with malwarebytes/antivirus and had ad-block turned on and it still wasn't enough. The only wow-related sites I visited on this comp were wow.com, tankadin and mmo-champion. My only mistake was that I didn't use Noscript in Firefox, so I got hacked through some random Java applet (I still have no idea where I got it from).
So, did I lack common sense for not using just one firefox add-on? Was I that stupid? You tell me.
Joshua Ochs Mar 1st 2010 12:00PM
@Tyr: Yes, you were. Next question?
Drakkenfyre Mar 1st 2010 12:30PM
Tyr, if you had a weak password, they could still get in.
Not saying you did, but even with all of those precautions, it is still possible to get your account stolen.
Your case may be different, but common sense is still a good way to protect your account. You can have every precaution in the world, but if you have one weak area (a bad password) they can still get you.
Not that I am blaming you for that one app.
Crowqueen Mar 1st 2010 12:24PM
Yes, you were. I've just downloaded NoScript and am about to do Security Essentials.
I got an authenticator at the beginning of the year and it's not the problem.
The fact remains, you weren't hacked by some guy - it was a bit of malware some random site installed. Your security is your responsibility - at least you know where it came from, rather than trying to pretend someone else sold your details or Blizzard is somehow hackable.
Tyr Mar 1st 2010 12:59PM
@ Drakkenfyre
My password was not weak at all (12 letters, 3 digits, no dictionary words or important dates), it was just stolen. I've been playing for 4 years and last month was the first time my account was compromised.
The point of my post was, without an authenticator, it is simply a matter of time until your account info is stolen. Without it, you will never be sure you are safe; because you aren't.
As I've mentioned here before, this is just one single virus and it needs to be installed by you. Please don't decide not to buy an authenticator based on this.
Drakkenfyre Mar 1st 2010 5:30PM
I wasn't claiming your password was weak, didn't you see me say that? My point was even with all of the precautions in the world, minus an authenticator, you could still use a weak password, and get your account broken into.
Common sense should still be used. Even if you think you covered all the bases, you might have missed something, like a weak password.
Ryan Mar 1st 2010 11:31AM
There used to be a sponsored fake link on Google when you tried to search for the Armory. I'm guessing this is the same tactic.
Risible Mar 1st 2010 11:32AM
Sponsored links? Wut's dat? - says Firefox with Adblock plus