Topic: My WoW-account's been compromised (Read 134660 times)
|
Merusk
Terracotta Army
Posts: 27449
Badge Whore
|
I did neither of those things and still got hacked, somehow (no trojans, viruses or other backdoors found after the incident or since).
Been to wowhead or thottbot? Guess what, you've been to gold-farmer-owned websites. Most of the aggregate info sites are. There's hinky UI mod sites out there, too. (Yet another reason not to add them out the yin-yang) AND I'd heard that the Curse Client or db was hacked some time in the past. This is big money, so they're not going to be JUST hanging around waiting on the low-hanging-fruit of stupid people and account phishing. Neither, it lets you take more things out of a given tab in a given day than the permissions for your rank allow.
This. I don't know the how, only that there's a way to do it and it's becoming more widely known.
|
The past cannot be changed. The future is yet within your power.
|
|
|
Jayce
Terracotta Army
Posts: 2647
Diluted Fool
|
I also got a tell in-game yesterday from some d00d saying that my account would be disabled immediately if I didn't go to blizz-wow-update.com/giveusyourpassword.html or something like that. As if the gold spammers weren't enough...
I get a little charge out of telling the random tells who say "Hey, got a moment?" then hit me up to buy gold. I let them make their pitch then slap them with the "report spam" button. I guess I'm easily entertained.
|
Witty banter not included.
|
|
|
brellium
Terracotta Army
Posts: 1296
|
I wouldn't be surprised if it's something like a "pop up" installer.
They reskin the pop-up so if you click on the [ x ] button it actually installs their software. I got hit with that some time back by one of those "infected computer" pop-ups (yeah, that ended up with the OS getting reinstalled).
I'm seriously considering using my VM portal to surf the internet and to nuke the user profile on occasion.
(and then log on secure websites with a second VM portal)
|
"One must see in every human being only that which is worthy of praise. When this is done, one can be a friend to the whole human race. If, however, we look at people from the standpoint of their faults, then being a friend to them is a formidable task." —‘Abdu’l-Bahá
|
|
|
Jayce
Terracotta Army
Posts: 2647
Diluted Fool
|
Just found a keylogger on my wife's laptop which I sometimes login to WoW with. I expect that if I hadn't had an authenticator attached, I might be posting in this thread to say I'd been hacked, but I appear to be good.
I changed my password anyway, after running Windows Defender full scan twice and rebooting to see if any new trojans got launched.
|
Witty banter not included.
|
|
|
Cheddar
I like pink
Posts: 4987
Noob Sauce
|
My account was closed due to exploitive behavior. What's odd to me is I have not subbed to WoW since October of last year, and did not receive any emails noting my account was reactivated.
|
No Nerf, but I put a link to this very thread and I said that you all can guarantee for my purity. I even mentioned your case, and see if they can take a look at your lawn from a Michigan perspective.
|
|
|
Rendakor
Terracotta Army
Posts: 10138
|
Can you still log into the account? If so, check the payment history. Also, were your WoW and email passwords the same? It's possible the account was compromised and they just deleted the emails after reactivating it.
|
"i can't be a star citizen. they won't even give me a star green card"
|
|
|
raydeen
Terracotta Army
Posts: 1246
|
If my account ever got hacked the hackers would probably just shake their heads in pity and walk away. 
|
I was drinking when I wrote this, so sue me if it goes astray.
|
|
|
Cheddar
I like pink
Posts: 4987
Noob Sauce
|
Can you still log into the account? If so, check the payment history. Also, were your WoW and email passwords the same? It's possible the account was compromised and they just deleted the emails after reactivating it.
Cannot log into the account - it's definitely shut down. Yes, I was a retard and had both the same. It is possible they had deleted the activation emails etc etc. I dunno, I hope Blizzard support gets back to me with more info soon. I am curious how it all got compromised. I dunno, it's just very odd.
|
No Nerf, but I put a link to this very thread and I said that you all can guarantee for my purity. I even mentioned your case, and see if they can take a look at your lawn from a Michigan perspective.
|
|
|
Koyasha
Terracotta Army
Posts: 1363
|
Sounds exactly like me, except I was lucky and caught the emails as they came in, so I managed to deal with it immediately.
|
-Do you honestly think that we believe ourselves evil? My friend, we seek only good. It's just that our definitions don't quite match.- Ailanreanter, Arcanaloth
|
|
|
Hawkbit
Terracotta Army
Posts: 5531
Like a Klansman in the ghetto.
|
My PlayNC account was just compromised for "payment fraud". All the games on that account are shutdown till I hear from them. Sad part is that I haven't logged into a PlayNC game in over a year, but last week I got into my master account to download Guild Wars just fine. Now it's shut down.
Already did a logger/virus scan, nothing. Very odd. I don't buy gold, either.
|
|
|
|
Cheddar
I like pink
Posts: 4987
Noob Sauce
|
My account was restored. I am tempted to resub just to see what was done with it. I am actually impressed at how fast they responded (I expected 0 reply from customer service). All in all very strange.
|
No Nerf, but I put a link to this very thread and I said that you all can guarantee for my purity. I even mentioned your case, and see if they can take a look at your lawn from a Michigan perspective.
|
|
|
Ozzu
Terracotta Army
Posts: 666
|
Sounds a bit like my experience a few months ago. The only thing that they did was take mining to 300 on my hunter, mine a ton of thorium, and make me about 1k gold in one day. So, I came back with a mining gain and some money once my account was restored. I count it as payment for the inconvenience of it all.
|
|
|
|
Trippy
Administrator
Posts: 23657
|
mmorpg.com is giving out users' email addresses to WoW account phishers.
Got a WoW account phishing email sent to an email address I've only used once on mmorpg.com (I think it was to sign up for a beta or something). If you have an account on that site I'd strongly recommend you change your email to something that isn't shared by anything important.
|
|
|
|
Tannhauser
Terracotta Army
Posts: 4436
|
My WoW account was frozen last night for 'exploitative behavior'. I haven't logged in in months. Guess I need to contact CS, I want that account for Cats.
|
|
|
|
Cheddar
I like pink
Posts: 4987
Noob Sauce
|
Interesting. So I checked payment history; I was signed up for the 10 day free trial for the Lich King expansion on 4/20, account suspended on 4/21. What is odd is I had done the trial last year. So either they offered it again (and my account was compromised) or there was an internal error at Blizzard.
Most likely my account was compromised, but it still bothers me I had no emails from them. Even if the people who compromised my account had deleted the emails my Android phone should have retained a copy and warned me I had an email. This never happened.
|
No Nerf, but I put a link to this very thread and I said that you all can guarantee for my purity. I even mentioned your case, and see if they can take a look at your lawn from a Michigan perspective.
|
|
|
Selby
Terracotta Army
Posts: 2963
|
My guild has had a rash of people getting hacked, some of whom are less than active. We're not sure why, but no one who has an authenticator has been hacked yet and I've joked that if someone gets hacked, they need to be /gkicked and prove they got an authenticator to get back in.
|
|
|
|
Koyasha
Terracotta Army
Posts: 1363
|
Interesting. So I checked payment history; I was signed up for the 10 day free trial for the Lich King expansion on 4/20, account suspended on 4/21. What is odd is I had done the trial last year. So either they offered it again (and my account was compromised) or there was an internal error at Blizzard.
Most likely my account was compromised, but it still bothers me I had no emails from them. Even if the people who compromised my account had deleted the emails my Android phone should have retained a copy and warned me I had an email. This never happened.
The emails I got disappeared even off my phone. Mine, at least, doesn't seem to save a local copy at all, if it's set to automatically synchronize, though your model may have different options available (mine's a G1).
|
-Do you honestly think that we believe ourselves evil? My friend, we seek only good. It's just that our definitions don't quite match.- Ailanreanter, Arcanaloth
|
|
|
Ozzu
Terracotta Army
Posts: 666
|
Interesting. So I checked payment history; I was signed up for the 10 day free trial for the Lich King expansion on 4/20, account suspended on 4/21. What is odd is I had done the trial last year. So either they offered it again (and my account was compromised) or there was an internal error at Blizzard.
Most likely my account was compromised, but it still bothers me I had no emails from them. Even if the people who compromised my account had deleted the emails my Android phone should have retained a copy and warned me I had an email. This never happened.
This is exactly what happened in my case. However, I did get the emails later in the day and immediately reset the password. I had already done the Lich King trial a couple of times before, so it looks like every few months they let you do it again. Within a few hours of me resetting my password and getting my account back, it was suspended for "exploiting the economy".
|
|
|
|
Mattemeo
Terracotta Army
Posts: 1128
|
Received an email titled 'World of Warcraft Account Management' from Blizzard Entertainment (WoWAccountAdmin@blizzard.com) claiming that my account is being sold or traded on the 15th of May. Strange to relate, I didn't immediately follow the link provided to 'verify' as I've had a good few blatantly obvious phishing attempts from scammers attempting to get at my CoX/NCSoft accounts (no earthly clue how or why that's started) in the last month or so. I can access my battle.net account and manage WoW just fine from there, so it doesn't appear to be suspended in any way - though my subscription runs out in 3 days anyway. So what's the deal? Full transcript of the email follows in spoiler form: (hyperlinks disabled by me) No graphics were included in the email, and it seems pretty legitimate, but considering I've been largely unable to play since my GPU died and nothing appears to have changed superficially when I view my Armory details, I'm a bit non-plussed.
|
If you party with the Party Prince you get two complimentary after-dinner mints
|
|
|
Cyrrex
Terracotta Army
Posts: 10603
|
Your first assumption should probably be that the mail you received is a complete pile of bullshit. I wonder what percentage of email claiming to come from Blizzard regarding password or account issues actually comes from Blizzard? Probably something less than 1/3000th of a percent.
|
"...maybe if you cleaned the piss out of the sunny d bottles under your desks and returned em, you could upgrade you vid cards, fucken lusers.." - Grunk
|
|
|
proudft
Terracotta Army
Posts: 1228
|
|
|
|
|
fuser
Terracotta Army
Posts: 1572
|
Received an email titled 'World of Warcraft Account Management' from Blizzard Entertainment (WoWAccountAdmin@blizzard.com) claiming that my account is being sold or traded on the 15th of May. Strange to relate, I didn't immediately follow the link provided to 'verify' as I've had a good few blatantly obvious phishing attempts from scammers attempting to get at my CoX/NCSoft accounts (no earthly clue how or why that's started) in the last month or so.
Generally a quick look at the email header will tell you if it's a phishing attack or not. A quick scan of all my archived email shows legitimate email traffic is sourced from:
Received: from uw1-admin-smtp12.wowadmin.net (smtp12.us.worldofwarcraft.com [12.129.242.48])
Received: from outbound.blizzard.com (outbound.blizzard.com [198.74.38.108])
|
|
|
|
Mattemeo
Terracotta Army
Posts: 1128
|
Hadn't thought of that, but primarily because my first thought on getting the email was 'haha no'. Turns out the hover-over reveals the verification hyperlink actually wants to send me to a slightly more suspect 'h**p://www.worldofwarcraft-accountadmins-login.com/whatever.xml' and clearly not battle.net. Nice try, no cigar. Cheers for the advice, guys!
|
If you party with the Party Prince you get two complimentary after-dinner mints
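The two checks discussed in the posts above (the relay named in the Received header, and the real target of the link), as an added example that is not part of the original thread. The message is constructed, the `.example` hosts and `mx.example.net` are placeholders, and the Received format is assumed to be the Postfix/sendmail style shown in the thread.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Domains seen in the thread's legitimate headers, plus battle.net.
TRUSTED = ("wowadmin.net", "worldofwarcraft.com", "blizzard.com", "battle.net")

# Constructed message, not a real email. mx.example.net stands in for the
# reader's own mail server. The lower Received line is forged by the sender.
SAMPLE = """\
Received: from mail.unrelated-host.example (mail.unrelated-host.example [203.0.113.7])
\tby mx.example.net; Sat, 15 May 2010 10:00:00 +0000
Received: from outbound.blizzard.com (outbound.blizzard.com [198.74.38.108])
\tby mail.unrelated-host.example; Sat, 15 May 2010 09:59:00 +0000
From: Blizzard Entertainment <WoWAccountAdmin@blizzard.com>
Subject: World of Warcraft Account Management
Content-Type: text/html

<a href="http://www.worldofwarcraft-accountadmins-login.example/x">https://www.battle.net/</a>
"""

# "from HELO (rdns [ip])": HELO is claimed by the sender, rdns/ip are recorded
# by the receiving server.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9a-fA-F.:]+)\]\)")
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)

def under_trusted(host):
    """True only for a trusted domain or a subdomain of one (dot-boundary match)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def boundary_relay(msg):
    """(helo, rdns, ip) from the topmost Received header, the only one our own
    server wrote; every header below it is under the sender's control."""
    top = msg.get_all("Received", [])[:1]
    m = RECEIVED_RE.search(" ".join(top[0].split())) if top else None
    return m.groups() if m else None

def triage(raw):
    """Return a list of findings; an empty list means both checks passed."""
    msg = message_from_string(raw)
    findings = []
    relay = boundary_relay(msg)
    if relay is None or not under_trusted(relay[1]):
        findings.append("relay:" + (relay[1] if relay else "unparsed"))
    # Judge the href target, not the text the link displays.
    for url in HREF_RE.findall(msg.get_payload()):
        host = urlparse(url).hostname or ""
        if not under_trusted(host):
            findings.append("link:" + host)
    return findings
```

The sample fails both checks even though its From address and a lower Received line name blizzard.com. The reverse-DNS name is only as reliable as the receiving server's lookup, so treat a pass as weaker evidence than a failure.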
|
|
|
Lantyssa
Terracotta Army
Posts: 20848
|
Granted I haven't been around much lately, but I think if one of your characters logged in and it wasn't you, we'd know.
|
Hahahaha! I'm really good at this!
|
|
|
Dren
Terracotta Army
Posts: 2419
|
The first clue is that Blizzard would never trade or sell your account themselves. If they had knowledge of said trade or sale, they would block it, not make sure you log in and say it is "ok" or "stop this now!" That email message doesn't make sense to begin with.
I've noticed a rise in in-game tells trying to phish me too. Thanks to Blizzard for the "Report Spam" tool.
The best message I received that even had me thinking twice was, "You have received a rare mount. Please log into blah blah to receive it." It was simple and corresponded to my own knowledge that I should be getting a mount soon from the "recruit-a-friend" program. It was spelled correctly and used proper English. I thought it was a good attempt anyway right up to the point where I knew they would just send the mount in in-game mail to my chars.
|
|
|
|
Fordel
Terracotta Army
Posts: 8306
|
The first clue is that Blizzard would never trade or sell your account themselves. If they had knowledge of said trade or sale, they would block it, not make sure you log in and say it is "ok" or "stop this now!" That email message doesn't make sense to begin with.
I've noticed a rise in in-game tells trying to phish me too. Thanks to Blizzard for the "Report Spam" tool.
The best message I received that even had me thinking twice was, "You have received a rare mount. Please log into blah blah to receive it." It was simple and corresponded to my own knowledge that I should be getting a mount soon from the "recruit-a-friend" program. It was spelled correctly and used proper English. I thought it was a good attempt anyway right up to the point where I knew they would just send the mount in in-game mail to my chars.
In game communication is the easiest to verify, Blizzard always has the actual Blizzard logo in their names/mails in game.
|
and the gate is like I TOO AM CAPABLE OF SPEECH
|
|
|
Tannhauser
Terracotta Army
Posts: 4436
|
I was cleaned out and Blizz restored all of my gold and items. I still don't know how they got me, I haven't played WoW since Dec.
Many thanks Blizz.
|
|
|
|
Righ
Terracotta Army
Posts: 6542
Teaching the world Google-fu one broken dream at a time.
|
This is clearly a false flag operation by Blizzard to get inactive players interested in their accounts again.
|
The camera adds a thousand barrels. - Steven Colbert
|
|
|
Lantyssa
Terracotta Army
Posts: 20848
|
I'm beginning to wonder if they let people input incorrect passwords all day. Vu got hacked and we haven't been able to find anything on our end.
|
Hahahaha! I'm really good at this!
|
|
|
Fordel
Terracotta Army
Posts: 8306
|
I'm beginning to wonder if they let people input incorrect passwords all day. Vu got hacked and we haven't been able to find anything on our end.
They do. Specifically, the Forums don't have a login attempt limiter and you can apparently just power through combos easily enough with whatever technique/software you know. WoW passwords are not case sensitive either.
|
and the gate is like I TOO AM CAPABLE OF SPEECH
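What a login attempt limiter does to the guessing described in the post above, and what case folding costs in password strength, as an added example that is not part of the original thread and not Blizzard's code. The class, its thresholds and the account name are hypothetical.

```python
import math
import time

class LoginThrottle:
    """Per-account failed-login limiter with exponential lockout (hypothetical design)."""

    def __init__(self, max_failures=5, base_lock=30.0, max_lock=3600.0,
                 clock=time.monotonic):
        self.max_failures, self.base_lock, self.max_lock = max_failures, base_lock, max_lock
        self.clock = clock
        self._state = {}  # account -> (consecutive failures, locked until)

    def allowed(self, account):
        return self.clock() >= self._state.get(account, (0, 0.0))[1]

    def record(self, account, success):
        if success:
            self._state.pop(account, None)  # a good login clears the counter
            return
        fails, until = self._state.get(account, (0, 0.0))
        fails += 1
        if fails >= self.max_failures:
            # 30 s, 60 s, 120 s ... capped at max_lock; exponent capped to avoid overflow
            step = min(fails - self.max_failures, 20)
            until = self.clock() + min(self.base_lock * 2 ** step, self.max_lock)
        self._state[account] = (fails, until)

def attempt(throttle, account, password, verify):
    """Gate a password check: while locked, refuse without calling verify at all."""
    if not throttle.allowed(account):
        return "locked"
    ok = verify(account, password)
    throttle.record(account, ok)
    return "ok" if ok else "denied"

def simulate_guessing(seconds):
    """One wrong guess per second for `seconds`; return how many reached verify."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    checked = 0

    def verify(account, password):
        nonlocal checked
        checked += 1
        return False  # constructed scenario: every guess is wrong

    for t in range(seconds):
        now[0] = float(t)
        attempt(throttle, "account-under-test", f"guess{t}", verify)
    return checked

def bits_lost_to_case_folding(length):
    """Entropy lost when a letters+digits password is compared case-insensitively."""
    return length * (math.log2(62) - math.log2(36))
```

With these settings an hour of one-per-second guessing gets 11 passwords checked instead of 3600. Per-account lockout alone lets anyone lock a victim out and does not slow guessing spread across many accounts, so it is normally paired with per-source limits and a second factor such as the authenticator mentioned earlier in the thread.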
|
|
|
Mosesandstick
Terracotta Army
Posts: 2476
|
I don't know when, but my account got compromised and I played a loooooong time ago. To stop myself from re-subbing I put my password as long, pure, gibberish. Still got broken.
|
|
|
|
Lantyssa
Terracotta Army
Posts: 20848
|
Specifically, the Forums don't have a login attempt limiter and you can apparently just power through combos easily enough with whatever technique/software you know.
WoW passwords are not case sensitive either.
Seriously!? No friggin' wonder everyone and their dog gets hacked. That's... 
|
Hahahaha! I'm really good at this!
|
|
|
Rasix
Moderator
Posts: 15024
I am the harbinger of your doom!
|
I'm getting a brand new type of phishing scam I haven't seen before: a Cataclysm beta invite that just asks me to confirm my opt in. First time I've seen this one.
Still getting two phishing emails a day trying to gank my WoW account and I haven't been playing for a few months.
|
-Rasix
|
|
|
Cyrrex
Terracotta Army
Posts: 10603
|
I get one or two a day despite not having played for about 18 months. Anybody who hacks my account would be terribly disappointed with what they found anyway. I'm probably the worst WoW player ever, in that I don't have much of either money or interesting loot.
|
"...maybe if you cleaned the piss out of the sunny d bottles under your desks and returned em, you could upgrade you vid cards, fucken lusers.." - Grunk
|
|
|
Dtrain
Terracotta Army
Posts: 607
|
I wonder how much of their CS resources are devoted to cleaning up stolen accounts. From what I understand, they do a pretty thorough job of sorting out a compromised user.
|
|
|
|
|
 |