Update: Keylogger source identified

Just a quick update from our friends at World of Raids about the current situation regarding circumvented authenticators. It appears there are multiple websites being used to distribute this malware. Be careful which sites you update your addons from; fake website addresses are being used to trick users.
For example, one of the fake sources appears as a "Sponsored Link" right at the top of a Google search. Don't actually visit that site and be sure to warn players asking about addons where to go.
What happens is the fake site will allow you to download a fake copy (did you see fake?) of the WowMatrix AddOn Manager, which installs the emcor.dll. This Trojan (Malware.NSPack) can currently be detected by Malwarebytes.
Thanks Kody!
Filed under: News items, Account Security

Reader Comments (Page 4 of 4)
Brian Carnell Mar 1st 2010 4:51PM
It is interesting to see all the "it's the user's fault" comments. While technically this is true, the reality is that it is getting more and more difficult not to get hacked for non-technical users. You can run NoScript and anti-virus and something like Secunia to make sure your Adobe crapware is patched when the inevitable security holes are found in it, and you can still get hacked because the gold sellers just keep getting more and more sophisticated with their attack vectors.
This MITM attack using Google supported links is pure genius. I think many of the commenters here fail to recognize just how difficult it is for nontechnical folks to not realize these are fake.
Does the average WoW user need to become a computer security expert simply to play an online game?
Spark Mar 1st 2010 5:01PM
-----
perderedeus Mar 1st 2010 2:12PM
My other worry is that we will see a surge in trojans who mimic this behavior, making them the new threat and further weakening Authenticator-based security overall... which is bad for Blizz/WoW/Battle.net and bad for Vasco and other token companies plus the industries that rely on them for security. Tokens have been a major part of 2 factor authentication for a long time, but they have been out of the limelight. Now with WoW's popularity, the technology is being put under a hacker's microscope due to its prevalence in the market, and tokens in general can be more easily, readily targeted for attack.
-----
Two things. First, MITM attacks on tokens are not new. The first recorded attack was directed at Citibank in 2006. Yet Vasco is still growing (one of Forbes' top growth companies in 2009). Do not worry for them. The issue, and consequently the market, is more complex than this single incident.
Secondly, the attacker has a limited time to use the data. It's not just 60 seconds. It's 60 seconds or first login, whichever comes first. Granted - the way you take care of that is lock out the user. But that only lengthens the time by a certain amount. There's a lot more pressure to use the token code than there is with passwords.
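The "60 seconds or first login, whichever comes first" rule from the comment above, as an added example that is not part of the original thread and not Blizzard's or Vasco's code: a verifier that accepts each window's code once and records a correct code presented a second time as a signal that two parties hold it. The RFC 4226-style HMAC truncation is an assumption standing in for the authenticator's actual algorithm, and every name, the secret and the timestamps are constructed.

```python
import hashlib
import hmac
import struct

STEP = 60  # validity window in seconds, as stated in the comment above

def code_at(secret: bytes, now: int, digits: int = 6) -> str:
    """Code for the window containing `now` (RFC 4226 truncation, an assumption)."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Accepts each window's code once: 60 seconds or first login."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_window = -1   # newest window whose code was consumed
        self.alerts = []        # (time, source) of correct-but-reused codes

    def login(self, source: str, code: str, now: int) -> str:
        window = now // STEP
        if not hmac.compare_digest(code, code_at(self.secret, now)):
            return "rejected: wrong or expired"
        if window <= self.last_window:
            # A correct code arriving twice means two parties hold it.
            self.alerts.append((now, source))
            return "rejected: already used"
        self.last_window = window
        return "accepted"

def run_scenario():
    secret = b"constructed-demo-secret"   # constructed sample value
    t0 = 21_000_000 * STEP                # constructed time on a window boundary
    code = code_at(secret, t0)
    v = Verifier(secret)
    results = [
        v.login("session-A", code, t0 + 5),    # first presentation wins
        v.login("session-B", code, t0 + 20),   # same code, same window
        v.login("session-C", code, t0 + 65),   # window has rolled over
    ]
    return results, v.alerts

if __name__ == "__main__":
    print(run_scenario())
```

The entry in `alerts` is the server-side view of the situation the thread describes: a valid code that fails for one party because another session already spent it, which is worth flagging on the account.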
Spark Mar 1st 2010 5:48PM
-----
Brian Carnell Mar 1st 2010 4:51PM
This MITM attack using Google supported links is pure genius. I think many of the commenters here fail to recognize just how difficult it is for nontechnical folks to not realize these are fake.
Does the average WoW user need to become a computer security expert simply to play an online game?
-----
The MITM attack and using Google ads to distribute malware are all old hat. Let's not give these folks more credit than they deserve. But then, most folks don't really understand how authenticators work or, more to the point, how the bad guys work. And that leads in to the next point.
You don't have to be an information security expert to play wow. But you have to know a bit about security to use an Internet connected computer. The same thing goes for avoiding all manner of scams, cons, mugging, etc. You don't have to be on a crime task force to live in a high-crime environment. But you do have to have some aspect of street smarts to survive. Unfortunately, when it comes to infosec, there's a huge number of pigeons fresh off the bus just waiting to be scooped up by the latest malware conmen.
I'm not for giving the conmen a free ticket; these folks are scum and should be taken down as soon as possible when possible. But folks DO need to educate themselves and recognize that not being a victim is largely their responsibility.
Xarnlen Mar 2nd 2010 10:44AM
You can still get addons from wowace.com, they simply store it on the curse servers but you get a website free from all the clutter that is curse.com.
For a firewall in win 7 try windows firewall, it actually is quite good.
For a good pay AV+FW that works in x64 land, try eset.com, makers of NOD32; it has a small footprint and integrates with the Windows firewall.
MrAngryPants Jun 3rd 2010 4:56PM
I use avast and scriptblocker. It's probably detected by avast, but I used VirusTotal for all files I download off the internet. Just type it in Google and it's a website that you upload your files to and it scans them with 42 different virus scanners.
-Angry