WoW account hacked (Investigation thread)

Dende

I'm creating this thread because my WoW account was hacked yesterday. I'm not wanting to complain or talk about getting my stuff back. What I do want to talk about is how they got my info.

I'm pretty good with computers and I have antivirus/malware apps running and scanning on a weekly basis. I have a hardware NAT firewall and a software firewall running (Windows firewall AND Norton). I don't have any third party apps running such as bots or thottbot. I don't share my account with anyone other than my daughter and she doesn't get online unless I am there watching her (she is 11). I don't buy gold or anything like that so I can't figure out what happened.

Yesterday after I found out my account was hacked I did a FULL system scan for any viruses or spyware and all my scans came up clean. At this point I installed other spyware apps and avast to try and scan my system again. Nothing was found (I keep a pretty clean system because I run my apps every Friday night). Today I'm going to buy a new hard drive AND Windows 7 because I don't know what happened.

What I would like from you guys is an intelligent conversation about how this could have happened and how it can be prevented. I think it's because of battlenet, that's my opinion. The only reason I think it's battlenet is because of all the people getting their accounts hacked (just read the wow forums).

So again I don't want this thread to turn into a "don't buy gold" "don't use bots" "it's a keylogger" (If it's a keylogger I have no idea how to find it/remove it) thread. I want to talk about how someone does this AND how we can protect ourselves from it happening in the first place. I have purchased an authenticator from Blizz and it's on its way and I would recommend anyone that plays wow to get one (best 7 bucks you will ever spend).

I'm not going to format my old hard drive yet because I want to find the cause of this (in case it IS a virus or keylogger) so if you have suggestions on apps/programs that can find the infected files please post links to the site the program is found.

Thanks everyone!!!!
 
working as intended


no seriously, you probably downloaded some addons and one of them probably had a keylogger, either that or you visited some WoW sites with keyloggers/viruses embedded in them

or someone ingame sent you a link and you clicked it taking you to a site that downloads a virus or keylogger to your computer

take your pick
 
Download malwarebytes, install and update it, and run it in safe mode.

Run hijackthis and see what it says.

At this point I would recommend you do a password recovery and then change your password to something different. If you really didn't do anything as you say, then this is solely blizzard's fault.

But that's just me, because I don't play WoW. But I did play Diablo 2, which was susceptible to the same hack as WoW.
 
I would recommend getting the blizzard authenticator app or key fob. That's what I do, after you put your password in, you also have to put in a number that changes every 15 seconds from the fob or app. The phone app also works on other phones not just the iPhone. Sorry about your account. I also run Linux so I am not sure if those hacks work when you're on Wine.
 
well first of all good thinking getting the authenticator, I have one and it works very well.

Do you use any addon auto-installers/updaters? Like the curse one? I have been hacked 3 times since wow launched, one I had a virus and fixed it, second and third time I could find no reason, but it was both just days after installing the curse installer for mods. I even formatted my hard drive between the second and third.

Also, is your Adobe up to date (providing you use Adobe)? I know there's an exploit that can be used to steal passwords with out-dated versions
 
Been playing since beta and that has never happened to me.

^read above.. all those are great suggestions/ideas.
 
My steam account was hacked after I installed a patch for Doom III. Honestly man I don't even risk it. I just reinstall windows. I see you're unwilling to do that. I think you can pretty much narrow down the possibilities in your last week of activities. Btw this will sooo turn into a complaint and flame thread.
 
Lessee.... don't forget Social engineering, sharing user/pass info with other people, and hackers getting lucky via brute force.
 
you probably downloaded some addons and one of them probably had a keylogger

Unless the addon came as a prepackaged .exe file (which is ridiculous) there's no way for an addon to install or execute a keylogger or steal a password. An addon is just a bunch of .lua and .xml files executed by the game engine and it can not access hard drives or interact with the operating system.
 
Do you use any addon auto-installers/updaters? Like the curse one? I have been hacked 3 times since wow launched, one I had a virus and fixed it, second and third time I could find no reason, but it was both just days after installing the curse installer for mods. I even formatted my hard drive between the second and third.

Even that your account was hacked right after you installed curse client does not mean that the curse client is at fault. Your password could've been stolen weeks and months prior to that. I've been using curse client for over a year now and it has been a smooth sailing so far. Of course I use the Authenticator.
 
I use curse (but never will again) maybe that did it? ALL the stuff being listed is GREAT STUFF guys!!! keep it up if anyone thinks of anything else post it!!

I did order authenticators and they are on their way. I'm buying a hard drive AND Windows 7 today and I'm going to start fresh.

My question is this: IF there are NO .exe files in my addons can I just copy the World of Warcraft folder and move it to my new system? I have done several thorough scans on that folder using every app listed on WoW's forums and here (malwarebytes, hijackthis, and MANY others) and not one program has found ANYTHING (not a single threat anywhere). Do you think it's safe or should I just start from scratch?

Waiting for 20+gig to download from blizz's site doesn't sound fun LMAO
 
There are two ways your account can become compromised:

1) You give your login and password to someone, or they guess it. (e.g. a buddy of mine gave me his login for some game a while back and I recently discovered he used the same email and PW for his WoW account. I could screw with it and he'd never know what happened because he never told me his WoW information.)

or

2) You got malwared. Typically from clicking an unsafe link on the WoW forums, or installing an "addon" from an untrusted source.

Note that I say "addon" because actual WoW addons CANNOT compromise your account information. They are LUA scripting restricted to using the functions in WoW's API. If you've unzipped some LUA and XML to your WoW addon folder, you know 100% that it isn't going to steal your information. It just isn't within the functionality of that system. Nothing you can write into LUA or XML is going to add magical new functions to the WoW API.

However, when you install with an executable or something equally ill-advised like running a shady updater program, you introduce the risk of getting malware.

There is anecdotal talk of the Curse Updater being compromised, but no one has ever proven that it is doing anything. The thing is that so many people use the software that there's a good chance someone is going to get "hacked" soon after installing it. So it's probably just a coincidence. There is probably other software out there that IS compromised however, so beware.

Always download your addons from a reliable source, in an archive, and extract manually, ensuring that there are no executables within the folder structure of the addon.

The most foolproof method of security is the WoW Authenticator that Blizzard sells. There are no confirmed cases of accounts with authenticators being compromised.
 
ok so, you did use addons, and did you use the curse client/installer?

did you go visit other "wow sites" or go to any sites your "friends" linked you to?
 
Brute force does happen. My EVE account got hit, I had already stopped playing but it was still active for a month and poof, everything sold. They auto-banned it based on the foreign IP access, and restored it after I contacted them. But now a year later I got a few "You forgot your password, click here to reset" emails from the EVE website (legit emails), so someone is still trying to get into a closed account.

Make sure your WoW password isn't the same password you use for any websites. Like, say, a guild site or web forum or Steam. Guild and forum sites are notoriously easy to hack and you end up with the whole user list, which you know all play game XYZ.

The weakest link here is the other person using your computer. Your daughter. If you don't think she can figure out how to get in without you...well, I was doing worse on computers at 11, and oblivious to any damage caused. ;)
 
There are two ways your account can become compromised:

1) You give your login and password to someone, or they guess it. (e.g. a buddy of mine gave me his login for some game a while back and I recently discovered he used the same email and PW for his WoW account. I could screw with it and he'd never know what happened because he never told me his WoW information.)

or

2) You got malwared. Typically from clicking an unsafe link on the WoW forums, or installing an "addon" from an untrusted source.

Note that I say "addon" because actual WoW addons CANNOT compromise your account information. They are LUA scripting restricted to using the functions in WoW's API. If you've unzipped some LUA and XML to your WoW addon folder, you know 100% that it isn't going to steal your information. It just isn't within the functionality of that system. Nothing you can write into LUA or XML is going to add magical new functions to the WoW API.

However, when you install with an executable or something equally ill-advised like running a shady updater program, you introduce the risk of getting malware.

There is anecdotal talk of the Curse Updater being compromised, but no one has ever proven that it is doing anything. The thing is that so many people use the software that there's a good chance someone is going to get "hacked" soon after installing it. So it's probably just a coincidence. There is probably other software out there that IS compromised however, so beware.

Always download your addons from a reliable source, in an archive, and extract manually, ensuring that there are no executables within the folder structure of the addon.

The most foolproof method of security is the WoW Authenticator that Blizzard sells. There are no confirmed cases of accounts with authenticators being compromised.


Great response!!! Yes I did use Curse and sometimes (not often) wowmatrix but I understood that addons could NOT cause issues and just lumped the addon program with that train of thought. I never put 2 and 2 together (until now) that the updater COULD be using a .exe or running some other program when updating.

From now on I will ONLY update/use addons the way you described.
 
One of those seedy back of my mind plots was to make a WoW site that promised free stuff or ultrahakz that required someone to sign up.

Knowing that WAY too many people would use the same login name/password to sign up for my site as they would for their WoW account, I would be rolling in loot.

What I do for myself is to have an online facing name (jgoewert) and a hidden name/password for each different service that I pay for. I keep a list in a USB password tool thing of each of those. That way, no one can use any of my forum logins to track back to a game.
 
if you ever got your acct powerleveled, I'm pretty sure they come back later and try to see if they can still log in to jack your acct.
 
something to note: just because the mod is supposed to only decompress into your "wow\interface\addons" dir, doesn't mean that someone who's going thru the process of hijacking accounts wouldn't throw a file or 2 that extracts to "c:\windows\system32".

99.99999999999999999999999% of ppl just dl the file and unzip.
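
The check described in the posts above (no executables inside the addon's folder structure, and no entries that would extract outside the addons directory), as an added Python example that is not part of any post in this thread. The extension list, reason strings and sample archive are constructed for illustration.

```python
import io
import zipfile
from pathlib import PureWindowsPath

# Assumed (non-exhaustive) list of file types Windows will execute or launch.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                         ".msi", ".vbs", ".js", ".ps1", ".lnk"}

ESCAPES = "escapes the extraction folder"
EXECUTABLE = "executable file type"
DISGUISED = "Windows executable header under a non-executable name"


def audit_addon_archive(data: bytes) -> list[tuple[str, str]]:
    """Inspect a zip archive WITHOUT extracting it; return (entry, reason) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            name = info.filename
            # PureWindowsPath treats both "/" and "\" as separators and
            # recognises drive letters, which is what matters on the target OS.
            path = PureWindowsPath(name)
            if path.anchor or ".." in path.parts:
                findings.append((name, ESCAPES))
            if info.is_dir():
                continue
            if path.suffix.lower() in EXECUTABLE_EXTENSIONS:
                findings.append((name, EXECUTABLE))
            else:
                # A renamed .exe/.dll still starts with the "MZ" DOS header.
                with archive.open(info) as member:
                    if member.read(2) == b"MZ":
                        findings.append((name, DISGUISED))
    return findings


def build_sample_archive(include_bad_entries: bool = True) -> bytes:
    """Constructed sample: a small addon, optionally with three bad entries."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("MyAddon/MyAddon.toc", "## Title: MyAddon\ncore.lua\n")
        archive.writestr("MyAddon/core.lua", "print('hello')\n")
        if include_bad_entries:
            archive.writestr("MyAddon/update.exe", b"MZ\x90\x00 constructed")
            archive.writestr("MyAddon/textures/icon.tga", b"MZ\x90\x00 constructed")
            archive.writestr("../../Windows/System32/helper.dll", b"constructed")
    return buffer.getvalue()


if __name__ == "__main__":
    for entry, reason in audit_addon_archive(build_sample_archive()):
        print(f"{entry}: {reason}")
```
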
 
have purchased an authenticator from Blizz and it's on its way and I would recommend anyone that plays wow to get one (best 7 bucks you will ever spend).

How can you say "It's the best 7 bucks you will ever spend"

You haven't even used it yet.
 
Curse has been known to auto-install infected addons. There was a big stink about one particular addon a couple years ago when I played. Lot of people got screwed by that one. So it stands to reason that if it happened once, it could happen again. I believe that particular one had a component that would connect to the web for some reason, and that's where they stole the passwords.


I still suspect that Blizz has had breaches they don't advertise.......because I think it's a little odd that they seem to hack people who have a lot of stuff/gold/whatever...and haven't heard too many stories about people who haven't played for 2 years coming back for an expansion to find out they were emptied out........because there isn't any incentive for them to do so. I think active accounts are processed more frequently, and they are somehow getting access to those lists whether it be wowarmory or some other wow related service. Old accounts, especially with the new bnet switchover......aren't showing up. I know mine won't even display on the armory.



If you get hacked once, they know your account login...and I wouldn't put it past a lot of them to just keep brute forcing those until they break them again.


You'd think after this happened enough times Blizz could identify the guy or IP-range doing it and do something about it. But I think it's more profitable for them to just ban and let them buy new accounts to "launder" money........because if they could track it and delete it from the game. No one would buy gold.....because eventually they'd track down a hack and remove that ill-gotten gold.

I know I spent a good 6 months reporting a botter every time I saw him at the same spot botting. Then he got banned......and a week later there was a guy with a very similar name..in the same spot......doing the same thing.
 
There are two ways your account can become compromised:

1) You give your login and password to someone, or they guess it. (e.g. a buddy of mine gave me his login for some game a while back and I recently discovered he used the same email and PW for his WoW account. I could screw with it and he'd never know what happened because he never told me his WoW information.)

or

2) You got malwared. Typically from clicking an unsafe link on the WoW forums, or installing an "addon" from an untrusted source.

Note that I say "addon" because actual WoW addons CANNOT compromise your account information. They are LUA scripting restricted to using the functions in WoW's API. If you've unzipped some LUA and XML to your WoW addon folder, you know 100% that it isn't going to steal your information. It just isn't within the functionality of that system. Nothing you can write into LUA or XML is going to add magical new functions to the WoW API.

However, when you install with an executable or something equally ill-advised like running a shady updater program, you introduce the risk of getting malware.

There is anecdotal talk of the Curse Updater being compromised, but no one has ever proven that it is doing anything. The thing is that so many people use the software that there's a good chance someone is going to get "hacked" soon after installing it. So it's probably just a coincidence. There is probably other software out there that IS compromised however, so beware.

Always download your addons from a reliable source, in an archive, and extract manually, ensuring that there are no executables within the folder structure of the addon.

The most foolproof method of security is the WoW Authenticator that Blizzard sells. There are no confirmed cases of accounts with authenticators being compromised.

There have been cases of people with authenticators being hacked. So it's not entirely foolproof. If a hacker somehow gets the serial number for your authenticator, and has enough personal information about you, it is possible to remove the authenticator from the account. Just because you have an authenticator, doesn't mean you can be stupid about clicking on links in phishing emails or divulging your account info willy-nilly.
 
There have been cases of people with authenticators being hacked. So it's not entirely foolproof. If a hacker somehow gets the serial number for your authenticator, and has enough personal information about you, it is possible to remove the authenticator from the account. Just because you have an authenticator, doesn't mean you can be stupid about clicking on links in phishing emails or divulging your account info willy-nilly.

This is true. But for most scenarios the authenticator will cover most possibilities for being hacked.

I think the most common is an infected addon that the user does not realize is stealing your account info.

I purchased an authenticator almost as soon as they first became available, and have watched guildies' toons torn to shreds after they were hacked.

I insist all guildies who are officers and have guild bank access have an authenticator in case.
 
This recently happened to me however I have not played WoW in almost 2yrs (and haven't had it on my computer in almost as long). I got a mysterious email about two weeks ago from Blizzard looking for a password reset. Called a couple of buddies that had my login information from way back when and no one had tried using it. Called Blizzard about it and bam, account is now locked (thankfully I have a buddy that works for them). Anyways, I have a feeling that this is happening a lot due to their switch to battlenet. Best thing is to be careful of the addons you use and what information you readily have.
 
Even that your account was hacked right after you installed curse client does not mean that the curse client is at fault. Your password could've been stolen weeks and months prior to that. I've been using curse client for over a year now and it has been a smooth sailing so far. Of course I use the Authenticator.

I know it might not be at fault, but both times was just a day or 2 after installing curse and downloading/updating addons, even after changing all my passwords (email and WoW). I have no concrete proof the curse installer is at fault but the fact it happens right after I installed curse (and had no problems for the 2-3 months I ran without curse beforehand). And yes I got the curse installer right from the curse site.
 
I've never used a power leveling service and I have NEVER gave my account info out to anyone.

Also my aunt and her daughter has them and I have used tokens before so I know they are VERY good. The only way to hack a token is to know the SN of the token. As long as you don't give out your SN (which would be just as bad as giving out your password) you should never get hacked.
 
More than likely, you may have been the victim of a drive-by infection by visiting a website that had been compromised.

Most sites like that are the ones sensible people shouldn't be visiting, but occasionally legit sites get compromised as well.

Usually this is due to the webserver in question not being patched and up to date, or script kiddies infecting through some sort of unpatched exploit; Brute forcing wouldn't be out of the question either, in rare cases...
 
alakazham.com (spelling?) had some infections hidden in their advertisements at one point, I also heard of wowhead having some infections as well
 
How strong is your password? If it isn't at least 12 random letters and numbers, you probably simply got brute-forced. No, using clever patterns like 159753 or wsxzse is not valid, nor are any of these, or any word found in a dictionary, no matter how obscure.

WoW passwords are probably THE most sought-after passwords in the world. At this point, using anything less than the authenticator fobs is not acceptable security.

I do agree you should play it safe and reformat, just in case.
 
It was probably someone you know, and it could be a blessing in disguise.

This is your chance to get out, man.

My friend installed a keylogger on his sister's computer and deleted her characters and then got all her accounts banned.

She was neglecting her kid because she spent all her time playing WoW. It seriously messed up their entire family.

I'm not sure if it worked though. I think she ended up moving out and living with some weirdo from the game while her parents cared for the kid.

Still, your chance to get out is here, take it.
 
my friend's guildy got hacked and he thinks it was because of the curse client.

This is a big business and it will most likely get worse especially for games like wow.

Since blizz changed it so your account name is your email you can easily change it after you have been hacked I believe. But with this change it will prob hurt more people as well because some people use the same password for their wow account as they do for their email.

also use Firefox and get the Adblock and NoScript addons, it will help make browsing the web a little safer
 
So I'm curious.
The authenticator cycles through codes about every 10 seconds, making it different each time you try to log in..
It doesn't use any cable or other device to link with your computer, the net, or Blizzard, etc. according to my friend, as far as he knows.
How then does your WoW account know what code the keychain is currently displaying? The only way I can think of how it's possible is if the keychain and the account cycle through an identical list of numbers and the keychain is just a way for you to view the password.
But what happens if the battery in the keychain dies?
Or is my assumption wrong?
 
to me it seems that you did everything right. the only thing i can think of is maybe your daughter told one of her friends at school or something?
 
So I'm curious.
The authenticator cycles through codes about every 10 seconds, making it different each time you try to log in..
It doesn't use any cable or other device to link with your computer, the net, or Blizzard, etc. according to my friend, as far as he knows.
How then does your WoW account know what code the keychain is currently displaying? The only way I can think of how it's possible is if the keychain and the account cycle through an identical list of numbers and the keychain is just a way for you to view the password.
But what happens if the battery in the keychain dies?
Or is my assumption wrong?

I don't play WoW nor do I know how it works, but I would guess that whatever that thing is simply takes Unix time and uses some (probably proprietary) algorithm to generate whatever code you need to enter. The same algorithm could be used on the server. The code could vary based on serial number, among other things, making them very hard to crack and specific to both the time period and original device used.

Or at least that's what I'd do if I were designing a similar item.
 
The curse installer has been known to have stolen passwords in the past. There is absolutely no reason to use it anyways, all you need to do is copy/paste or extract files into the WoW Add-on folder.

You should be fine if you don't use their installer. Add-ons are only loaded by the WoW client AFTER account credentials are entered.
 
One time I noticed weird things happening with my keyboard when I was playing WoW. I went and checked my task manager and I noticed "svch0st.exe" in there...you know, a zero instead of the letter O. I managed to get rid of it and change my passwords before they got anything so I suggest checking through everything running in your task manager carefully.

Another time, my WoW account actually got hacked and that was because of that Mountain Dew promotion and before I converted to battle.net. I don't know if you did that promotion but it could've been from there.

The positive side was I got all my stuff back and the hacker happened to be farming a ton so I walked away with a whole lot of ore and gems :)
 
Things to remember when playing WoW to avoid getting hacked:

1. Do not go online with a website before, during play time
2. If you absolutely have to do the above, do not log out of WoW, then back in
3. If you have been online, reboot before starting WoW

And the #1 best tip is to get the authenticator. It may not stop a determined hacker, but if you have one it GREATLY reduces the chances.
 
I don't play WoW nor do I know how it works, but I would guess that whatever that thing is simply takes Unix time and uses some (probably proprietary) algorithm to generate whatever code you need to enter. The same algorithm could be used on the server. The code could vary based on serial number, among other things, making them very hard to crack and specific to both the time period and original device used.

Or at least that's what I'd do if I were designing a similar item.

Yup, that's pretty much exactly how it works, Blizzard didn't invent this, their physical tokens are just Vasco's "Digipass go 6" with Blizzard's logo stuck on it.

This same tech is used by banks and governments and shit, if they didn't work WoW would be the least of our worries :p

All the suggestions that people have come up with so far are good, but I would like to add that you don't need to have logged into the game to get keylogged, the same login is also used to access the Forums, the Armory and the account management website, if you or your daughter have accessed those from any other PC, at school, work or a friend's house, your details could just as easily have been keylogged there, any PC you don't totally control is a risk, even if that PC isn't used for playing WoW.

Also people tend to focus on "Hacking" as the main source of the problem, but based on stuff on the forums, and stuff I've heard/seen with my guildies, Phishing is at least as big a problem, where you get tricked using a plausible looking fake blizzard email or a whisper in-game to link to a plausible looking fake blizzard website, where you are asked to put in your account info in order to avoid a penalty, get a free pet/mount (I can totally see a kid falling for that, as well as dumb adults), or get into a beta.
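
The scheme guessed at and confirmed in the posts above (token and server each derive the code from the current time and a per-device secret, with no link between them), as an added Python example that is not from the thread. It uses the open RFC 6238 TOTP algorithm as a stand-in, not the token's actual algorithm; the 30-second step, the serial number and the drift window are assumptions.

```python
import hashlib
import hmac
import struct

# RFC 6238 / RFC 4226 published test secret, used here as a constructed sample.
RFC_SECRET = b"12345678901234567890"

# Server-side table: the serial printed on the token selects the shared secret
# that was loaded into that token at manufacture (serial is a placeholder).
DEVICE_SECRETS = {"CONSTRUCTED-SERIAL-0001": RFC_SECRET}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Code shown for the time step containing unix_time (RFC 6238, HMAC-SHA1)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(serial, submitted, server_time, last_used_counter=None,
           step=30, drift_steps=1):
    """Return the matched time-step counter, or None if the code is rejected.

    The server recomputes the code itself. It accepts neighbouring steps to
    tolerate clock drift in the token, and refuses any step at or before the
    last one used so a captured code cannot be replayed.
    """
    secret = DEVICE_SECRETS.get(serial)
    if secret is None:
        return None
    current = server_time // step
    for counter in range(current - drift_steps, current + drift_steps + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        expected = totp(secret, counter * step, step)
        if hmac.compare_digest(expected, submitted):
            return counter
    return None


if __name__ == "__main__":
    code = totp(RFC_SECRET, 59)  # what the token would display at t=59
    print("token shows:", code)
    print("accepted at step:", verify("CONSTRUCTED-SERIAL-0001", code, 80))
    print("replayed:", verify("CONSTRUCTED-SERIAL-0001", code, 80, last_used_counter=1))
```

A code logged by a keylogger is only useful until the server marks that time step as used or the drift window passes, which is why the posts above treat the token as a strong defence against password theft but not against a live phishing page that relays the code immediately.
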
 
I still suspect that Blizz has had breaches they don't advertise.......because I think it's a little odd that they seem to hack people who have a lot of stuff/gold/whatever...and haven't heard too many stories about people who haven't played for 2 years coming back for an expansion to find out they were emptied out........because there isn't any incentive for them to do so. I think active accounts are processed more frequently, and they are somehow getting access to those lists whether it be wowarmory or some other wow related service. Old accounts, especially with the new bnet switchover......aren't showing up. I know mine won't even display on the armory.

I don't play WoW, never did, but I was thinking along the same lines. Maybe it was a security breach on the server side and they didn't say shit about it.
 
This recently happened to me however I have not played WoW in almost 2yrs (and haven't had it on my computer in almost as long). I got a mysterious email about two weeks ago from Blizzard looking for a password reset. Called a couple of buddies that had my login information from way back when and no one had tried using it. Called Blizzard about it and bam, account is now locked (thankfully I have a buddy that works for them). Anyways, I have a feeling that this is happening a lot due to their switch to battlenet. Best thing is to be careful of the addons you use and what information you readily have.

This recently happened to me a few weeks ago as well. OP this is what may have happened to you as well. Basically my account has been inactive since August but the e-mail was from donotreply@blizz with the verbiage that someone has requested a password change on your account so if it was not you then to call, it even had the Blizzard 800 in there so you would think this is a legit Blizz e-mail.

Well it seems the hackers are getting smarter cause this was a bogus e-mail because the link to your account management takes you to your battlenet log in and requests you to change your password so you're like okay this is battlenet blizz 2009 everywhere blah blah and bam your account info is with the hackers now.....This is a spoof replica of the battlenet official site you really cannot tell the difference ( you think you are on the official site but you are not) :).


Steps to prevent from this happening in the future from what I have learned.

1) Blizzard will never ever provide a link in an e-mail for you to click on.

2) Even if the website looks legit don't always believe it is if you got there via clicking on a link from an e-mail.
3) Always access your account by going the long route and type it in manually to get to the official worldofwarcraft website.
 