New Virus Attacks World Of Warcraft Accounts with Authenticators
It was only a matter of time before someone figured out how to hack WoW accounts with authenticators attached. It seems a “Man in the Middle” attack was used to obtain this account. Check out the thread that was opened in the WoW EU forums:
“Well, as the title says, I use an authenticator for 2+ years now and I just got hacked.
To describe it in more detail:
Had the authenticator since SWP times in TBC. Haven’t touched anything since I first registered it in account management.
No social engineering possible on my side. I only play from home, no other person has access to my computer, the authenticator wasn’t ever taken out of the room where the computer is. Especially not in the last couple days, weeks. Only people close to me have access to my room and I honestly doubt they know what that authenticator is used for.
This is what basically happened:
I was online, got a memory access violation critical error. Not being all too savvy with this, I didn’t pay extra attention to it.
I tried to log in, put the correct password and authenticator code in the WoW in-game login screen. Got “wrong information” message. Tried a couple times.
Went to wow-europe account management, tried to log in, got a message that the authenticator number was put in wrong a couple times and that my authenticator is locked out for the time being or something.
Went to check my system, discovered a suspicious DLL. (emcor.dll if I recall right, ESET NOD32 didn’t find it, nor did Spyware Doctor, found it using Security Task Manager, quarantined it and removed, sadly didn’t bother checking anything about it, googling it doesn’t return much at first glance).
Removed it etc. etc. (took me like 15 minutes).
Logged back online (had to use authenticator number, so it was not removed from my account), stuff was gone.
Made a ticket, logged off, checked my system properly.
Went to account management, logged in fine (again, using a number from the authenticator), checked if authenticator was still assigned to my account (it was), changed the account password just in case. I didn’t touch the authenticator, nor did I put in its SN number anywhere besides that one time I registered it to my account like 2 years ago.
To add about the suspicious .dll file:
Edit: emcor.dll was found in /users/username/appdata/Temp. Creates an autostartup registry entry (or whatever it’s called, not that savvy). I find it interesting that NOD32 doesn’t find that as suspicious behavior when it starts a .dll file from that folder path…
Didn’t take any further notes (my bad, I did have some kickoutofgame stuff and email info + wtf/config.wtf related stuff in the information Security Task Manager displayed about it).
So yeah, lone case of some hacker getting really lucky with hacking my account in real time (as authenticator digit code changes every 30 seconds iirc), or is it finally starting.
Emcor.dll, according to probably one of the only pages I found any info on it via googling was apparently first seen around 24th or 25th February 2010, so it’s definitely something new.
e: I got no clue where or how I got the file. I don’t take too many super extra security measures, just the regular (spyware, antivirus, no-script always active in firefox).”
According to WoW.com, there are multiple websites hosting this malware. Be extremely careful when visiting “google’ed” sites. Until yesterday there was a sponsored link on Google for the WoW Armory, when in fact it was just a malware site trying to steal your info. The next image is brought to you by WoW.com:
I would like to add that this attack only targets PC users. You Mac users are safe but that’s not really surprising, right?
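The forum post quoted above describes a DLL sitting in a user Temp folder and started from an autostart registry entry, which the poster's antivirus did not treat as suspicious. As an added example (not from the forum post or WoW.com), this Python check flags autostart command lines that load a binary from a temp directory. The Run-key values are constructed, and the drive letter, the rundll32 launch and the `Start` export are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Matches a drive- or %VAR%-rooted path ending in a loadable file type.
PATH_RE = re.compile(
    r'((?:[A-Za-z]:|%\w+%)\\[^"<>|,\r\n]*?\.(?:dll|exe|scr|ocx))(?![\w.])',
    re.IGNORECASE,
)
TEMP_DIRS = {"temp", "tmp"}        # directory names treated as temp
TEMP_VARS = {"%temp%", "%tmp%"}    # environment variables that expand to temp


def binaries_in(command):
    """Return every binary path named in an autostart command line."""
    return [m.group(1) for m in PATH_RE.finditer(command)]


def is_under_temp(path):
    """True if any parent component of the path is a temp directory."""
    parents = [p.lower() for p in PureWindowsPath(path).parts[:-1]]
    return any(p in TEMP_DIRS or p in TEMP_VARS for p in parents)


def flag_autoruns(run_values):
    """Return findings for autostart entries that load code from a temp dir."""
    findings = []
    for name, command in run_values.items():
        for path in binaries_in(command):
            if is_under_temp(path):
                kind = "dll" if path.lower().endswith(".dll") else "executable"
                findings.append({"entry": name, "path": path, "kind": kind})
    return findings


# Constructed sample of Run-key values (name -> command line); not real data.
# The rundll32 launch and the "Start" export are assumptions for illustration.
SAMPLE_RUN_VALUES = {
    "ExampleUpdater": r'"C:\Program Files\ExampleApp\updater.exe" /background',
    "emcor": r'rundll32.exe "C:\Users\username\AppData\Temp\emcor.dll",Start',
    "ExampleSync": r"%LOCALAPPDATA%\ExampleSync\sync.exe",
    "helper": r"%TEMP%\helper.exe",
}

if __name__ == "__main__":
    for f in flag_autoruns(SAMPLE_RUN_VALUES):
        print(f"{f['entry']}: {f['kind']} autostarts from {f['path']}")
```

On a live Windows system the same function can be fed the name/value pairs read from the user and machine Run keys.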






