My WoW-account's been compromised

[raydeen]

Said message gets sent out to every hacked account, as far as I can tell.  I'm guessing the GM's don't actually have the option to initiation a ban without an automated message.

I didn't get that particular email when mine was hacked. I seem to have been lucky enough to have been hacked by someone who just wanted to do some quick spamming with some level 1's. Far as I can tell, nothing else went on with any of my characters other than my one toon being deleted (which has since been restored).

[Paelos]

I got hacked on Thursday afternoon and had my stuff returned on Saturday afternoon. So I was pretty impressive with the overall turnaround. Also, I think they gave me a few boe's I never had, and some upgrades to my dps stuff for my trouble.

I think I came out ahead in the hack by ~12k gold in net assets. 

[WindupAtheist]

Routine AdAware scan turned up something suspicious. I can think of at least two places it's more likely to have slipped through than from anywhere WoW related but, after giving myself the full multi-program antivirus treatment and finding nothing else, I changed my bnet email and password again.

[Abagadro]

I just received an email from WoWAccountReview@eu.blizzard.com entitled "Character Faction Change Notice."  I haven't played WoW since about two months after it came out.  Is this a phish or has my account already been hacked?  Kinda weird to have this happen the day after I sign up on b.net for SC2.

[Ingmar]

Check the actual header of the message and check the links to see where they actually go (without clicking obviously), you can't put any stock in the From: address.

[Musashi]

There's a shitload of things floating around that can swipe your email.  Likely from a friend's contact list or something.  It may not be you.  But that's phishing mail, for sure.  I get literally fifty of them per week after I got hacked.

[Azazel]

I just received an email from WoWAccountReview@eu.blizzard.com entitled "Character Faction Change Notice."  I haven't played WoW since about two months after it came out.  Is this a phish or has my account already been hacked?  Kinda weird to have this happen the day after I sign up on b.net for SC2.

I got the same email on the same day. I changed my password and sent a query email to blizz via the official wow website. I was almost 100% sure it was a phishing email since I logged into the WoW site with my wow-login, since I quit before they needed bnet addresses.

[Paelos]

I got the same email. I flipped out for a second, then remembered I had an authenticator and this was silly.

[WoopeeTuralyon]

Weird. I've never gotten a fake Blizz email, but I have been hacked!

[Mattemeo]

Here's the latest attempt. Much more convincing but after checking I could happily log into battle.net myself and checking out the support addresses were wrong in the mail it has been discounted.

New Login Account Confirmation‏

01/08/2010

 Blizzard Entertainm​ent

      Blizzard Entertainment
      WoWAccountAdmin@blizzard.com

From:   Blizzard Entertainment (WoWAccountAdmin@blizzard.com)
Sent:   01 August 2010 01:38:48


Hello,

Blizzard Entertainment recently received a request to change the e-mail address used to log in to the Battle.net account with the username myaddress@hotmail.com. The e-mail address k***@hotmail.com has been specified as the new username for this Battle.net account. An email has been sent to this new address containing a verification link to complete the change.

Once the new address has been verified, the e-mail address myaddress@hotmail.com can no longer be used to log in to this Battle.net account or any World of Warcraft accounts merged with this Battle.net account.

If you did not initiate this request, please click here to contact the Blizzard Billing & Account Services team immediately.

Sincerely,
The Battle.net Account Team
Online Privacy Policy

[Paelos]

I'm getting Starcraft phishing mail now, telling me I've purchased things. Very Very odd.

[Morat20]

Here's the latest attempt. Much more convincing but after checking I could happily log into battle.net myself and checking out the support addresses were wrong in the mail it has been discounted.

New Login Account Confirmation‏

01/08/2010

 Blizzard Entertainm​ent

      Blizzard Entertainment
      WoWAccountAdmin@blizzard.com

From:   Blizzard Entertainment (WoWAccountAdmin@blizzard.com)
Sent:   01 August 2010 01:38:48


Hello,

Blizzard Entertainment recently received a request to change the e-mail address used to log in to the Battle.net account with the username myaddress@hotmail.com. The e-mail address k***@hotmail.com has been specified as the new username for this Battle.net account. An email has been sent to this new address containing a verification link to complete the change.

Once the new address has been verified, the e-mail address myaddress@hotmail.com can no longer be used to log in to this Battle.net account or any World of Warcraft accounts merged with this Battle.net account.

If you did not initiate this request, please click here to contact the Blizzard Billing & Account Services team immediately.

Sincerely,
The Battle.net Account Team
Online Privacy Policy

I got that one too. Need to remember to warn the wifey. I just logged into Battlenet and checked.

I've simply gotten into the habit of never clicking email links, unless they are ones I'm expecting -- and even then, I mouse over it and verify it's to the right place.

[proudft]

I server transferred a guy the other day and later the same day got a phishing email about YOUR FACTION TRANSFER IS COMPLETE.

That one alllllmost got me, but hover-link saved the day again.  The timing was eerie, though.  Better luck next time, haxxors.

[Merusk]

My former guild had someone with an authenticator get "hacked" the other day.  They deleted his character after selling everything off.   I'm willing to bet one of these latest social engineering e-mails was the true culprit, but he's too prideful to ever admit as such.  "Naw, it has to have been a common add-on or they're hacking B-net! I don't fall for that stuff."

[WoopeeTuralyon]

I was hacked one time a few years ago, and they deleted all my chars EXCEPT my level 12 rogue, who still had a couple hundred gold on him when I logged on. Weird. And I hadn't clicked any links either... so I guess I was just very unlucky.

[Rendakor]

I'm getting Starcraft phishing mail now, telling me I've purchased things. Very Very odd.

I got one of those today too. It strikes me as strange too since I've never gotten any WoW phishing ones. Pretty obvious though, since even the listed links were to us.battle.coderedemption.net/login.html.

[Mattemeo]

Ok, the last one was at least competently written and made me need to check things out. Today's attempt is just sad... here's an exerpt from 'WoWAccountEU @ review.blizzard.com' (I don't even play on EU) :

Due to suspicious activity, the Battle.net account myaddress @ hotmail.com has been locked. You logined your account successfully at 11:26:56 on 2010-8-4 from the 175.242.12.5, but our system shows this IP isn't your registered IP. We are concerned about whether your account has been stolen. In order to guarantee the legitimacy of your account, we need you follow these steps:

Rest includes some seriously bad, overlong, blatantly phishy clickthrough urls, not even hyperlink-masked. I wouldn't usually have bothered posting an obvious one, but I'm guessing this one was just a shot in the dark.

[Lt.Dan]

Some of those phishing attempts are scary clever.  After getting a few in the last couple of weeks I've changed my bnet email and login to a new email address created specifically for WoW.  Hopefully that stops me falling for "your account has been stolen" or "cataclysm launcher" emails. 

[Riggswolfe]

Well, I think I got hacked but got very, very lucky as near as I can tell.

Earlier today I was on my highest level "main". My wife came home and I switched to my druid. I kept getting booted offline and I kept coming back on. The last time it didn't take my password so I changed it and got back on again. Then I got booted again and this time got the "your account has been suspended notification" followed later by an email. I've run Spybot, Malware Byes, am currently running Windows Security Essentials and plan to run AVG after that. None of them have found anything yet. As far as I know my characters didn't get touched unless it was during that 2-3 minutes were my password was changed.

Edit: I still haven't found anything. Do any of you guys have any hints? Do you think I have a key logger or was it just a brute force attack on my password?

[Arthur_Parker]

How many characters in your old password out of interest?

[Dren]

If you actually changed your password and it still continued to happen, it has to be a keylogger doesn't it?   I can't believe brute force would come up with your new password that quickly.

[Riggswolfe]

If you actually changed your password and it still continued to happen, it has to be a keylogger doesn't it?   I can't believe brute force would come up with your new password that quickly.

Except I didn't actually change it. I was stupid and thought I was mistyping it so just reset it thinking I'd locked my account and put it right back to my old password. Yes, I was a moron. I wasn't thinking clearly, it was late and I was in a dungeon and my main thought was "got to get back on NOW". I'm paranoid about changing it now because if there is a keylogger they'll just get the new one anyway.

Edit: It is now actually changed. We'll see. The password I changed to isn't the one I was originally planning to use. So far, nothing I have tried has found anything except a trojan called Java/Downloader.P which I can't find any information on and something called Html/Framer.CX which I also haven't had much luck finding anything about. I'm wondering if they're both false positives. Have any of you heard of them?

[Arthur_Parker]

http://forums.avg.com/ww-en/avg-free-forum?sec=thread&act=show&id=98273#post_98273

You on latest dat files?

[Rendakor]

You running an unsecured wireless network by any chance?

[Riggswolfe]

You running an unsecured wireless network by any chance?

Hell no. If people want wireless they need to buy their own damned router. Now, my key could be hacked if someone was determined enough but you know, I doubt I'm important enough for some dude to park in front of my house and hack me and my neighborhood is mostly old people so I doubt any of them even know how to use one of these newfangled computer things.

http://forums.avg.com/ww-en/avg-free-forum?sec=thread&act=show&id=98273#post_98273

You on latest dat files?

Yes I am. I just updated them today. Thanks for the link. My googlefu is apparently weak today.

[Morat20]

Most common ways to get your password:

1) Phishing/social attacks.
2) You reusing name/password combos that have either been phished before, or hacked.
3) Trojans/keyloggers/the like.

Most likely explanation is you typed your ID/password somewhere you shouldn't have -- fake WoW site via phishing for instance. No matter how vigilant you are, sooner or later you'll brain fart and do this with SOMETHING. Second most likely is -- and we're pretty certain this is how my wife had hers compromised -- you used that username-password combo for something like, say, a WoW guild forum, which someone cracked and sold the id/password combos to.

The last is you got infected by something that was looking for and logged those things, and sent them off.

At least that's the general gist I got from the security courses and classes I've had to take, about how internet security is compromised. I'd just get a token. I've been meaning to get one myself -- we use RSA SecureID at work, and it prevents a lot of crap, and I understand the WoW authenticators work under similiar principles.

[Riggswolfe]

Yeah, I've ordered the authenticators and they should be here in a week or two.

Most common ways to get your password:

1) Phishing/social attacks.
2) You reusing name/password combos that have either been phished before, or hacked.
3) Trojans/keyloggers/the like.

1) I haven't even gotten any fake emails or the like.
2) yeah, I probably did this one. I'm bad about that, I won't lie.
3) This is my big worry mostly because it puts stuff besides WOW in danger.

It turns out that the framer "virus" AVG found is probably a false positive. That only leaves the java/downloader.p which it removed but I'm trying to find info on. Meanwhile I'm running other AVs and doing the "go overboard and scan the hell out of my comp" routine.

Edit: I will be unsuspended around 10pm central tonight. We'll see what I find when that happens. One of my worries is that they put a fake authenticator on my account. We'll see.

[Morat20]

Edit: I will be unsuspended around 10pm central tonight. We'll see what I find when that happens. One of my worries is that they put a fake authenticator on my account. We'll see.

They're pretty good about it, customer service wise, fixing stuff like that. Most farmers and hackers simply won't bother with a massive back and forth with customer service if you're disuputing it.

It'll help if you tended to use a credit card and not a pre-paid card, though, since it can tie "who is paying for this" to a specific person.

[Riggswolfe]

Edit: I will be unsuspended around 10pm central tonight. We'll see what I find when that happens. One of my worries is that they put a fake authenticator on my account. We'll see.

They're pretty good about it, customer service wise, fixing stuff like that. Most farmers and hackers simply won't bother with a massive back and forth with customer service if you're disuputing it.

It'll help if you tended to use a credit card and not a pre-paid card, though, since it can tie "who is paying for this" to a specific person.

I do. I was actually a little worried about that but the Blizzard rep said these guys don't usually mess with your credit card because that brings down alot more heat on them than getting your virtual stuff from a video game.

[Morat20]

I do. I was actually a little worried about that but the Blizzard rep said these guys don't usually mess with your credit card because that brings down alot more heat on them than getting your virtual stuff from a video game.

My wife got her account hacked, had it played and used for farming, then the account perma-banned. She didn't notice for a YEAR. It took Blizzard customer service about 4 days to reinstate the account, and they were apologetic that they couldn't get her stuff back.

Not that it mattered. She got a free WoTLK upgrade out of it (the farmers had upgraded her account) and had a bank full of farmed materials. She was just upset at someone having moved her main through TBC and WoTLK, so started an alt while slowly relearning her main and going through all the quests. (The farmer hadn't bothered with that).

[Arthur_Parker]

That only leaves the java/downloader.p which it removed but I'm trying to find info on. Meanwhile I'm running other AVs and doing the "go overboard and scan the hell out of my comp" routine.

This it?

http://forums.avg.com/pl-en/avg-free-forum?sec=thread&act=show&id=93653#post_93653

[Riggswolfe]

That only leaves the java/downloader.p which it removed but I'm trying to find info on. Meanwhile I'm running other AVs and doing the "go overboard and scan the hell out of my comp" routine.

This it?

http://forums.avg.com/pl-en/avg-free-forum?sec=thread&act=show&id=93653#post_93653

It looks like he had the same thing at least though it doesn't say what it was. AVG cleaned it out. I'm just trying to figure out if it was what got my password or if I need to keep looking. I'm running something called Webroot now which is supposed to be pretty good. All it's found so far are various tracking cookies. I think I know where I got it I just want to know if it's gone for real or if it's being missed.

[Riggswolfe]

Well, my account unlocked at 9:45pm yesterday. I got in and nothing was missing and obviously no authenticator. So far there has not been anything else suspicious going on. That said, I don't know if they're just waiting or if I really did save myself through password changes and running multiple security programs. They never seemed to find anything major but maybe I got lucky and it was just brute force?

[proudft]

Could be.  WoW passwords are apparently non-case specific and have no # of attempts limiter so it is actually fairly feasible for someone to write a custom brute force login thing.  Plus they tend to be short, and your email is floating around somewhere already.  Take a look at these times if you want to be scared:

http://www.lockdown.co.uk/?pg=combi

Then get an authenticator.  

[Riggswolfe]

Then get an authenticator.  

I bought one for my wife and myself. Really, my biggest worry is a key authenticator logger. Not because of wow but because of stuff like ordering online with a credit card and stuff.