Tobold's Blog
Saturday, August 14, 2010
WoW account hacking

The Ancient Gaming Noob asks how so many World of Warcraft accounts get hacked. I'm not sure, but I did notice that in my GMail spam folder these days a *huge* number of mails are World of Warcraft phishing mails. I get several "Cataclysm Beta Invites", or "WoW Account Management" mails every single day. In fact I now get more WoW phishing mails than spam trying to sell me Viagra or offering me the millions of dollars of a deposed Nigerian dictator. And unlike the regular spam, many of the WoW phishing mails are extremely well made, leading to quite realistic looking fake World of Warcraft account websites.

Lots of people are very afraid of trojans and keyloggers. But in my estimate the majority of hacking is decidedly low tech, done by phishing and password guessing. Very, very few people who report their account hacked can afterwards find malware on their computer.
I'm seeing heaps too!
Sometimes they escape gmail's spam trap, so I always check the links (by mousing over them to see what shows up as the actual URL) and click on Show Details to see the actual sender info (in most cases it's sent from hotmail).
But really, all of this should be irrelevant, as people should go straight to and not click on any links inside the email.
I got a notification last spring that my account was closed due to hacking related activity. The hackers must have paid to reopen it though because I hadn't paid or played for at least 6 months prior. It may have been phishing email in itself though. I'm a little worried because I'd like to see Cataclysm but am not going to repurchase the game and expansions to do so.
While I'm sure that the phishing attempts contribute significantly to the hacking, the other problem is that Blizzard is willfully negligent when it comes to account security.

My account was compromised last year, an account that I never shared the credentials and I've never clicked on an email link to login, thus giving up my information.

My belief, verified by some experimentation, is that your account doesn't get locked out after a certain number of failed login attempts. That makes it a prime candidate for brute force cracking. I was fortunate in that the authenticator for my Android phone was free; I'd be really unhappy with Blizzard if I was forced to pay for additional security when they don't take the most basic steps themselves to protect my account.
Sorry, I thought I proofread my first comment; here it is with a few more words that might make it read a bit better.

It appears that the number of phishing emails I get for my games goes up with the number of community sites I register with. In my line of work, I have seen that community sites tend to have much less security, get broken into more often, and fail to report these break-ins more than the primary sites. I always find it interesting just how many users use the same UserID, password and email address on both the community sites and primary sites.
Here, I believe, is the biggest source of hacking:

People using the SAME password they use in WoW in multiple places, mostly community sites. Then, when the community site gets compromised (which happens all the time) the hackers get a list of email addresses to send phishing mail to, and a big pile of passwords to try.

It would not surprise me at all if this was 50% or more of all hacked accounts, with another 25% just being weak passwords.

Even supposedly 'computer savvy' people do this.
Huh. I was quickly searching to see if my gut feelings on the hacking was even close, and found this on the subject:

Now, is he implying that a third of ALL players casually reuse passwords? or just those that got compromised?

I think it's a third of ALL players, or at least a similarly large percentage.
I quit about two years ago. I recently got an email from Blizzard support telling me that I was banned for violations of gold trading or some such.

I called them up and found out that someone had attached an authenticator to my account (didn't get an email about that), and then changed my password through support because the authenticator was more "authentic" than my email.

They could offer no explanation as to how that was possible, but it may offer some insight into how people are getting hacked without being phished.

To be fair to support, they apparently were able to restore most or all of my characters, but the authenticator is a vulnerability unless you actually use it. :|

You can't just attach an authenticator to an account, you have to know the password to the account to do that. Then the password is changed to prevent you from accessing it.

I believe the purpose of the authenticator at that point is to prevent you from changing the password back yourself. Because... you don't have the authenticator.

But the root issue is how the thief got your password in the first place.
I never really got that level of spam until I signed up for WoW europe, to play a bit and visit Larisa.

Now I'm getting about as much as Tobold is mentioning, more than a daily amount of e-mails saying I've violated terms, all of which lead to a redirection website, regardless of the fact that I don't play, and the account itself is still inactive.

I'm starting to think that this is a European thing, rather than a WoW thing.
Pangoria Fallstar :

Interesting. I too have mostly played on the US side, with 3 accounts there. Recently I started an account on an EU server, Agamaggan to level a char up for Gevlon's "The PuG" project.

I am astonished at the increase of INGAME adverts for gold sellers on the EU server. It is NON-STOP in major cities, even on this backwater server.

However, I get no emails. In fact, I don't think I've gotten 2 phishing emails since I started playing the game when the servers first opened.

I get the in-game whispers, sure, and the in-game mails. But not emails to my email account.

And I don't even try to hide it, my email account is my only email account, the one I use for everything. I'm using it right now as the account linked to my name for blog replies.

There are enormous social mechanics at play here. There must be... entire classes of community web sites that are mercilessly compromised and used for data mining to get email addresses for phishing attempts.

And I suggest... it's these sites that also provide the reused passwords used to compromise MANY accounts.

I COULD wonder what's different about what I do and what other people that get all these emails do... but that would be counterproductive.

I won't blame the victims. Let's face it, pointing people out for being security noobs is pointless. It's like blaming your fat friends for not being able to outrun that dog. Blaming ain't gunna help... your friend is just too addicted to the twinkies to run any faster. Accept it.

So, what we have is a class of data (WoW accounts) that exists in massive quantities and is immediately fungible into cash without any possible regulatory barriers.

This is different from bank account data... You steal ACTUAL money? Felony time, baby! You steal pixels from a WoW account? You've stolen abstract, meaningless in the larger picture data from Blizzard. So not the same thing.

My advice to people henceforth is GET AN AUTHENTICATOR. I'm going to order one right away, even though I don't think I'm at risk per se, but I wanna practice what I preach.
Tobold, it's real easy to understand.
Accounts are getting hacked more because Blizzard made it easier for them to be hacked.
Ever since Blizzard implemented the change and tied user ids to email addresses, Blizzard (in its attempt to tie users to a definable identity) has literally handed over user accounts on a silver platter.
When I set up my 2 accounts, I created new pristine email addresses that had no tie-in with my real or prior internet identity. For the most part, as a professional computer security expert, I don't trust any company very much. And it turns out that I was right not to trust Blizzard.
[Quick reality check: everyone did this, right? No… well, there's an issue.]
You see, Blizzard set up a system where you register for your id JUST LIKE you do for ANY online service (just like I did for the Google Blogger id Tobold requires, where I created yet another alias). When Blizzard did this it tied a player's "virtual toon" identity to an email AND used it as the ID part of an authentication mechanism. The virtual toon has either virtual gold of its own or access to gold via guild banks.
THIS is why all the hackings are happening. Blizzard set up a direct path to a network of gold via established guilds AND tied it to REAL email addresses. Is it any wonder that TONS of guild "help" sites exploded on the internet at about the same time??? ALL of them wanting to "help" guilds with forums and member lists and scheduling… Oh Oh Oh and they have special features for OFFICERS, COOL!!! AND neato, all they wanted was an email and password… gee, just like Blizzard.
How many people used different emails AND passwords for a “theoretically trusted” site and a site? According to most security studies I have read… single digits on the chance anyone used a different email… maybe 20 percent thought to use a different password.
Who owns Guild-o-magic? Who is in charge of security? What assurance do I have that my email is safe? Does guild-o-magic have sufficient audit logs to EVEN KNOW if they are compromised?
So… If I were a “bad guy” and I wanted a good list gold hordes where would I go? Hmm… I might look for raiding guilds they might have bunches of gold. But how do I know who is an officer on these guilds and can access that yummy guild bank… Gee if there were a site that listed all of the guild officers and told me their ids AND possibly gave me their actual passwords… THAT WOULD BE EPIC… Gee I wonder if such a site exists….
Angry Gamer
Stay Angry My Friends
Stay Angry
An Angry Gamer story to illustrate my point
Angry was a member of a guild recently. The guild decided to get more "hardcore", so they utilized a guild magic site to coordinate raid times (for some reason the WoW Calendar was too complex for them).
Angry was an officer in this guild, had been with them for 2 years, and the Guild founders and other officers made it "mandatory" for all raiders to sign up on the guild-o-magic site. Angry refused, stating his reluctance to give info to a 3rd party site not directly tied with Blizzard. Angry was assured that it was "tied in and all secure" personally by the Guild Leader.
Angry dragged his feet for about 2 days and BAM, the Guild Leader was hacked. Followed closely by all of the other officers EXCEPT Angry and 2 officers that had authenticators. Gbank looted of about 10k and all the officers had toons left naked and alone in various parts of Azeroth… (this happened about 5 months ago, by the way)
At least on our guild's home server SEVERAL gbanks were hacked around the same time (can we say concerted hacking effort by a group of pros?). A curious thing about the victims: ALL seemed to be established large guilds that were heavily into raiding. A spot check showed all of the hacks Angry heard of were registered on the guild magic site.

Now, if you are thinking that the Guild officers all realized that maybe being in "guild-o-magic" was a mistake, you would be wrong… they all blamed it on pron or bittorrent hacks or whatnot…
Not one of my fellow officers looked at it from an attacker's point of view… or more precisely, how a police investigator would look at it…. What did the victims ALL have in common???
So just remember TRUST NO ONE
Stay Angry My Friends Stay Angry
I don't get that much WoW spam in my email, in fact I don't remember when I last got a phishing email. However, a few days ago I got a phishing mail inside the game which was a first for me.

So be aware of that possibility too.

Usually phishing emails are too poorly worded to pass for genuine Blizzard correspondence. In any case, a basic rule of the internetz is not to click on any link you receive in your email, but instead type that address directly in your browser.
I have multiple battlenet accounts, one for myself and each of my kids under my name. Each has its own new email, created only for battlenet when they signed up, and authenticators. I have never gotten a phishing email on any of these email addresses. But I do have a separate email, with no WoW account attached and a different password, for joining community sites and such, and it gets a few phishing emails every week. So yeah, keep a separate email for only battle net, with separate passwords.

I was hacked in vanilla about a year into playing, but in my case it was actually an ex-friend who was mad at me. I hadn't shared account information, just used their computer once to play.
I have an email account for getting into things I won't be going back to. But I never got phishing e-mails until I signed up for WoW eu.

It IS a yahoo mail account though... so that might be the issue?

I wouldn't put it past yahoo to sell info (or gmail really, but my gmail hasn't been spammed yet, since they advertise within it already anyways).
one bad example of a community site would be

A friend of mine registered with a brand new mail address for the site.

After 10 minutes he had 5 mails from gold sellers and phishing sites.

After 1 week it was 87 mails.

His email address was new and created shortly before registration.
I don't think I've ever received a phishing mail in my nearly four years of playing either. Depends a lot on where you hang out online I guess.
Same deal here, tons of Blizzard/WoW phishing spam in my spam folders. More amusing though is that the two accounts I get all spam for aren't even linked to my WoW account. Best idea is to use an email address for your WoW account that you never use elsewhere on the public internet. I have never seen WoW spam for that account.
To a degree Angry Gamer is correct.

You needed the username and password to hack the account and the email if you wished to change the password.

My username was always unique, but once it was lost and all they needed was my email (used publicly) and a password, then it's easier. I changed my email to a specific email that's not used in connection with WoW.

The lack of attempts being shown is a problem as well. Seeing your username failed to log in 27 times when you haven't tried once certainly jogs the heart and motivates you to be more secure.

Passwords? I have passwords and more passwords and even more passwords. It's certainly irritating when you have typed a password hundreds of times, then come back years later and you're hoping that muscle memory will bring it back because you have no idea.
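Two of the comments above ask for controls the account system allegedly lacked: locking an account after repeated failed logins, and telling the owner "your username failed to log in 27 times" at their next successful login. The following added Python example (not Blizzard's code, and the thresholds are assumed values) implements both over a constructed sequence of login events.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; a real service would tune these.
LOCKOUT_THRESHOLD = 5                    # failures inside the window before locking
LOCKOUT_WINDOW = timedelta(minutes=15)   # sliding window for counting failures
LOCKOUT_DURATION = timedelta(minutes=30)


class LoginGuard:
    """Per-account failed-login tracking with lockout and a failure report on success."""

    def __init__(self):
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> datetime the lock expires
        self.since_last_ok = defaultdict(int)  # failures since the last good login

    def attempt(self, account, password_ok, now):
        recent = self.failures[account]
        while recent and now - recent[0] > LOCKOUT_WINDOW:   # drop stale failures
            recent.popleft()
        if not password_ok:
            self.since_last_ok[account] += 1   # counted even while locked, for the report
        if now < self.locked_until.get(account, now):
            return {"status": "locked"}        # correct password is rejected while locked
        if not password_ok:
            recent.append(now)
            if len(recent) >= LOCKOUT_THRESHOLD:
                self.locked_until[account] = now + LOCKOUT_DURATION
                return {"status": "locked"}
            return {"status": "failed"}
        report = {"status": "ok", "failed_since_last_login": self.since_last_ok[account]}
        self.since_last_ok[account] = 0          # owner has seen the count; reset it
        recent.clear()
        return report


def replay(events):
    """Feed (timestamp, account, password_ok) events through one guard; return the results."""
    guard = LoginGuard()
    return [guard.attempt(acct, ok, ts) for ts, acct, ok in events]


# Constructed events: five guesses in a burst, the owner during the lock, then after it.
T0 = datetime(2010, 8, 14, 12, 0)
EVENTS = [(T0 + timedelta(seconds=i), "angry", False) for i in range(5)]
EVENTS += [(T0 + timedelta(minutes=10), "angry", True),
           (T0 + timedelta(minutes=45), "angry", True)]
```

The last event succeeds and reports five failures the owner never made, which is exactly the signal the comment above wants to see.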