Advertisement

Guildportal, keyloggers, and you

Elizabeth Harper
Updated ·4 min read

In the past week, you may have noticed an increase in complaints about hacked accounts on the forums. Why? Well, the popular guild-hosting website Guildportal was hacked -- hackers added a bit of code exploiting an old Internet Explorer vulnerability (Microsoft had a patch available six months ago) to install a keylogger on visitors' systems. It was a brilliant move by the hackers, who managed to tap into a site visited by a massive number of WoW players -- the perfect place to steal account information. But I can't say it was very good for some of Guildportal's users, who logged on to World of Warcraft to find their characters completely naked next to an unfamiliar mailbox.

However, this entire affair was very preventable. First off, Guildportal itself had a vulnerability that allowed hackers to insert the exploit that installed the keylogger. And then in order for the keylogger to be installed, individuals visiting Guildportal had to be running a version of Internet Explorer that was 6 months out of date.

Guildportal has taken steps to prevent this from happening again, by patching their systems and banning traffic from China, where the hack attack originated from. (According to Guildportal's response as reported on the forums and a commenter on Madness and Games identifying himself as Aaron Lewis of Guildportal.) But have you taken steps? In Blizzard's post on the subject, they point out Microsoft Security Bulletin MS06-055, released by Microsoft on September 26th, 2006. You can stop many potential keylogger threats by simply visiting Windows Update to download patches regularly -- or, even easier, enabling Windows' Automatic Update feature. Either option would have resulted in your computer being protected from this vulnerability well before now.

Think your account has been compromised? GM Kaone offers some good instructions on how to rid your computer of keyloggers (it's a lengthy post but very informative) and then points you to their billing support department for account recovery. (Yes, it is important to get rid of the keylogger before having your account restored -- otherwise you'll end up right back where you started!) But be prepared for a wait -- the account recovery process isn't always fast.

See Guildportal's full response to its users after the jump.

Other recent security advisories:
Beware the cursor hack
Keep keyloggers away: New Microsoft hotfix available
More security warnings from Blizzard
Blizzard reminds us to be careful of keyloggers

[Via PlayNoEvil, with thanks to robodex for the forums link]



Via the forums:

Dear GuildPortal Members,

Over the past few days we have been fighting a brute force attack against our servers by multiple (10+) computers that we suspect are located in China. While we have secured the services and the problem is gone, we want to let you know, fully, what exactly happened.

The attacks were successful to an extent, in that they were able to modify content on many sites, injecting code into welcome messages that contained a hidden iframe. This frame would then load script into the user's browser that installed a keylogger.

This did not affect all guilds or all users. The users that were affected were running Internet Explorer on Windows with no virus protection installed.

We have been working very hard with Rackspace to identify the means the attackers used and to nullify their ability to continue, but our top priority was always to reverse the injections as soon as we possibly could. We don't expect or deserve any pity for missing sleep, to be sure, but please believe that we have been doing everything we can to first remove the malicious code from your sites and then remove their ability to do it again. Many times during this, we have brought GuildPortal completely down in order to prevent the spreading of the trojan while we removed the code that loaded it. The process the attackers used to do this was automated -- our ability to counter what they were doing was not.

We believe we have patched up the problem that made what they did possible. However, please, if you use Internet Explorer under Windows, install a virus scanner if you don't already have one. If you don't, odds are overwhelmingly in favor of you already being infected with something.

Blizzard has an excellent write-up on securing your computer here, as well as information on what to do in case your World of Warcraft account has been compromised at this link.

Over the next few days, we are conducting a full security audit of our entire infrastructure, to locate and eradicate any other even remotely possible security risks. We cannot promise a security problem will never happen again -- no more than Microsoft promises their operating systems or browsers will be completely secure and virus-free after a service pack release -- but we will call (and have been calling) on all of the resources we have at our disposal to secure every part of the site, and it is our top priority.

We apologize for any inconvenience and, as always, thank you very much for choosing GuildPortal as your guild's home on the web!