security-exploit

Latest

  • Update: Keylogger source identified

    by Matt Low
    03.01.2010

    Just a quick update from our friends at World of Raids about the current situation regarding circumvented authenticators. It appears there are multiple websites being used for this malware. Be careful about which sites you download addon updates from; fake website addresses are being used to trick users. For example, one of the fake sources appears as a "Sponsored Link" right at the top of a Google search. Don't actually visit that site, and be sure to warn players asking about addons where to go. What happens is the fake site will allow you to download a fake copy (did you see fake?) of the WowMatrix AddOn Manager which installs the emcor.dll. This Trojan (Malware.NSPack) can currently be detected by Malwarebytes. Thanks Kody!

  • Man in the middle attacks circumventing authenticators

    by Alex Ziebart
    02.28.2010

    It has been brought to our attention that Blizzard's technical support department is currently handling a security exploit that is, in a limited capacity, circumventing authenticators. Before we get into the details, please do not panic. This does not make authenticators worthless, and it is not yet a widespread problem. Do not remove your authenticator because of this, and do not base your decision on whether or not to buy an authenticator off of this. They are still very useful, and your account is much safer with an authenticator than it is without one.

    This is not the only report of this that we've seen, but it is the first time that a Blizzard representative has openly acknowledged that there is something afoot. For a full account of what happened, check the thread on the EU Technical Support forums. To sum up: There is a piece of malware (emcor.dll is what is being reported at the moment) that is being used as a hijacking tool to facilitate Man-in-the-Middle attacks on users.

    Kropaclus: "After looking into this, it has been escalated, but it is a Man in the Middle attack. http://en.wikipedia.org/wiki/Man-in-the-middle_attack This is still perpetrated by key loggers, and no method is always 100% secure."

    To explain in the simplest way possible, instead of data being broadcast directly to Blizzard when trying to log in to your account, that data is being broadcast to a third party via this malware. This includes your authenticator code. Rather than you logging into your account, the hacker on the other end does so. They log into your account, clear out your characters, and move around virtual funds to fulfill orders from players buying gold. This method of circumvention has been theorized since the release of the key fobs, but it has only now started to actually happen.