Sign in with
Sign up | Sign in

Hackers Bypass WoW Authenticators

By - Source: Tom's Hardware US | B 16 comments

A new keylogger disguised as a World of Warcraft add-on is stealing account info and goods.

Last week reports of a "man-in-the-middle-attack" surfaced in regards to Blizzard's MMORPG. World of Warcraft. Apparently hackers have created a tool that grants them access to accounts protected by an authentication tool. Once they are in control of the account, hackers can thus steal virtual gold and possessions until the account password is reset. Currently there's no indication if the hackers gain access to data such as credit cards or other personal information.

The tool in question is a keylogger, possibly a file named emcor.dll which can be found in C:/Documents and Settings/Users/[username]/Application Data/Temp. Once the user launches the keylogger, the PC is infected and will in turn cause World of Warcraft to crash. Once the players re-start the game and log back into the account, the authenticator code is intercepted by the hacker. A different code is sent to Blizzard's servers, locking the player out.

So how do players get the keylogger on their PC? It all starts with a sponsored link in Google showing up as a top result for WowMatrix, a free World of Warcraft add-on installer and updater. The problem is that the listing isn't a genuine, leading gamers to the malware. "Several downloads are available and I decided to check out the installer / updater," reads this forum post. "Results are pretty low at virustotal for the executable. The detection of the DLL hooked into our system is even worse, only 1 antivirus suspects some illegal activity."

Because authenticator codes only last for 30 seconds, hackers have access to the WoW account until they log out. "This is still perpetrated by key loggers, and no method is always 100% secure," Blizzard said in this forum post.

WoW gamers are warned to stay away from the following sites, which are actually based on legitimate WoW related sites with a typo at the end of each URL:

  • wowmatrixf(dot)com
  • Cursea(dot)com
  • deadlybossmodss(dot)com
  • gamesacca(dot)com
Discuss
Display all 16 comments.
This thread is closed for comments
  • 1 Hide
    dtm4trix , March 8, 2010 7:56 PM
    bummer! Never ceases to amaze me what people will do.
  • 5 Hide
    the_krasno , March 8, 2010 8:02 PM
    People do that stuff with Steam all the time. You have to be very wary of which links you click on!
  • 0 Hide
    maigo , March 8, 2010 8:02 PM
    There have been a few actual addons that did the same
  • 4 Hide
    tayb , March 8, 2010 8:16 PM
    This must have been what happened to this guy. http://www.youtube.com/watch?v=fdBrYfxSXWc
  • -3 Hide
    MxM , March 8, 2010 8:27 PM
    This is why you need to manually install all add-ons, do not trust exe files!
  • -2 Hide
    captaincharisma , March 8, 2010 9:22 PM
    i can see the threatening you tube videos from the biggest geeks in the world now
  • 5 Hide
    Anonymous , March 8, 2010 9:23 PM
    People still play WoW?
  • 6 Hide
    mayne92 , March 8, 2010 10:11 PM
    Jigga WhatPeople still play WoW?

    I have never played it...but for last 2 semesters this same kid plays WoW EVERYDAY in class on his laptop...all day long. Not bad for a $30k+/yr college...
  • 1 Hide
    fjjb , March 8, 2010 11:52 PM
    Why they place emphasis on WoW? they should be looking for a way to hack the Assasins creed DRM!!!
  • 1 Hide
    captaincharisma , March 8, 2010 11:56 PM
    with so many people PO'ed about it it will only be a matter of time before its cracked
  • 2 Hide
    OvrClkr , March 9, 2010 12:01 AM
    Quote:
    People still play WoW?


    Yep, aprox 10.8 million users ;) 
  • 1 Hide
    gilbertfh , March 9, 2010 5:01 AM
    Please notice that all the websites listed are variations of the actual websites. For example www.curse.com the bad web site is cursea(dot)com. I am sure they didn't put the dot in there so it wouldn't turn into a hot link so I won't either.
  • -1 Hide
    anamaniac , March 9, 2010 5:51 AM
    taybThis must have been what happened to this guy. http://www.youtube.com/watch?v=fdBrYfxSXWc

    I remember the first time I watched that, it's hilarious.
    OvrClkrYep, aprox 10.8 million users

    Sadly enough... at least it stopped growing.
    fjjbWhy they place emphasis on WoW? they should be looking for a way to hack the Assasins creed DRM!!!

    Because this one actually makes them money. It can make the hackers A LOT of money. Cracking DRM is just for sport.
  • -2 Hide
    tommysch , March 9, 2010 2:59 PM
    OvrClkrYep, aprox 10.8 million users


    10.8 millon people failing and proud of it?

    You should be: WTB life.
  • 0 Hide
    Anonymous , March 9, 2010 3:19 PM
    congratulation, really
    for one this stuff happens all the time and now they have prefected a key logger beat wow's authenicator ... the fact is alot of games are having this happen to them, Aion was out for one week before their were sites that were very similar to the original site. yes all games have people who find it fun to mess with people. but in reallity these people need to find a new hobby, though i think were never going to see the end of these. yes people still pay to play wow, the number grows and strinks but hey their pay to do what they want.
  • 2 Hide
    figgus , March 9, 2010 7:20 PM
    Yeah, god forbid that people play WoW for fun. Everyone should just take up the same exact hobbies as you, or just sit and watch TV, amirite?

    If you feel so little self worth that you have to bash on what people decide to do for fun in their spare time, it's possible that your OWN time would be better spent in counseling. Just sayin'.