It is currently Tue Dec 03, 2024 10:12 am

Security, WoW, and You (plus help after a compromise)

Category for World of Warcraft-related discussions.

Security, WoW, and You (plus help after a compromise)

Postby Zancarius » Sat Dec 06, 2008 2:55 pm

This post contains old information. It should still be usable, but be sure to read Turus' links first as his post contains more pertinent information directly from Blizzard.

Due to a recent rash of account compromises across Terenas, I'm posting here to give our guildies some suggestions on what to do to prevent this from happening.

First of all, it's important to know what to do in case your account has been compromised. Refer to this thread, posted by Blizzard if your account has been taken over:

http://forums.worldofwarcraft.com/threa ... 8319&sid=1

As of late, the going theory has been that account compromises may not have necessarily come from websites making use of exploits in MSIE to install keyloggers on players' computers. Instead, it's possible that at least some of the compromises may have originated from tainted Adobe Flash advertisements. Unfortunately, since Adobe Flash is a third party application that can run in any number of browsers, simply using Firefox, Opera, and others won't necessarily protect you. Here are some suggestions:

  • Download and install Mozilla Firefox.
    • Download and install NoScript for Firefox.
    • Download and install Flashblock for Firefox.
    • Update: NoScript now provides support for blocking Flash/Silverlight and other applications.
  • OR download and install Opera.
    • Disable Flash and other plugins from within Opera by clicking on Tools -> Quick Preferences -> and uncheck "Enable Plugins" and "Enable JavaScript".

For Firefox

Firefox is a reasonably secure web browser. Since Firefox relies on Adobe Flash to display animations, movies (Youtube, specifically), and some advertisements, it is important to keep Adobe Flash up to date. Be aware that as of May 2008, remote holes existed in version 9.x of Adobe Flash that were being actively exploited in the wild. Thus, it is better to use Flashblock (see above) for Firefox at all times, even when keeping Adobe Flash up to date.

Flashblock does create a slight inconvenience, particularly in that you must click the large play icon whenever a Flash item has appeared. However, this gives you some control over what Flash is loaded--and where. Some sites (games, some car dealerships, and others) rely exclusively on Flash which can represent a bit of a hurdle when using Flashblock, so be aware of this before installing the addon for Firefox. There are, of course, additional benefits besides the security and peace of mind when you're using Flashblock: for instance, Flash advertisements (spank the monkey and win $100 comes to mind) will no longer load unless you exclusively allow them to (don't do this) and other obnoxious, noisy banners should cease to appear.

For Opera

Disabling Flash in Opera via the quick preferences menu isn't as convenient as having an addon integrated into the browser. Unfortunately, it's the best you can do with Opera as the user JavaScript addon that provides equivalent functionality to Flashblock isn't as reliable. If you need to view a site that contains Flash, you will need to re-enable plugins in Opera (which will expose you to tainted advertisements if you have an old version of Flash).

Adobe Flash

Because of problems with Adobe Flash, it is advisable to download the latest version of Adobe Flash Player as soon as possible. If you're still running version 9.x, you are likely to be affected by this vulnerability. The latest version is 10, and it is advisable to upgrade as soon as possible if you feel you may have an older version.

General Advisories

Of course, the most sound advice is to 1) keep an updated antivirus package installed and enabled on your system at all times and 2) avoid browsing potentially troublesome sites (porn sites, warez sites, serials, cracks, and key generator sites). With other vectors of exploitation, it's possible that your system can become compromised if you don't keep certain important software packages updated, such as your browser, Adobe Flash, Adobe Acrobat Reader, and so forth, even if you stay away from questionable content. If you're running Windows, be certain to check Windows Update frequently for critical updates, particularly those for Internet Explorer (even if you're not using it, more on this later), Windows Media Player, and the .NET framework. If you watch a lot of movies or receive humorous but short video clips via e-mail--just as it was in the days before Youtube--I would strongly recommend using Media Player Classic instead of Windows Media Player. Staying away from WMP won't prevent everything, but it'll reduce the chances your system is compromised by a WMP-specific target. Generally speaking, though, I would recommend sticking to Youtube; if a friend e-mails you a video, ask them to instead find that same video on Youtube and link that.

Now, if you're not using MSIE, why on earth would you want to update it?

Good question. Unfortunately, there are a lot of features in Windows that rely on certain "shared libraries" to be present, one of them being MSIE (particularly MSHTML). Whenever you open a help menu, chances are it's using MSIE to render the document; same thing goes for a number of other applications that display HTML or other similarly formatted documents. Not all that long ago, there was an exploit in MSHTML--which is the core part of Internet Explorer--that would allow a remote attacker to compromise a system running older versions of IE by simply coercing the user into downloading and viewing a help file. So, the moral to the story: keep Windows updated!

Blizzard also sells an authenticator which provides a one-time-use password every time you log in to WoW. These appear to use an algorithm based upon the unit's serial number and provide an extra layer of security against keylogger. The units retail for about $7, but if you're particularly paranoid it might be a worth while investment.
Last edited by Zancarius on Tue Dec 09, 2008 11:30 am, edited 1 time in total.
I gave that lich a phylactery shard. Liches love phylactery shards.
User avatar
Zancarius
Site Admin
 
Posts: 3907
Joined: Wed Jul 05, 2006 3:06 pm
Location: New Mexico
Gender: Male

Postby Zancarius » Sat Dec 06, 2008 3:08 pm

What is a Keylogger?

Keyloggers are being used increasingly to compromise the accounts of World of Warcraft players worldwide. A keylogger is a malicious software package installed either accidentally, by running an application that advertises itself as something else, or by utilizing a known exploit in the user's operating system. Once installed, a keylogger looks for username and password combinations (or even bank account and credit card numbers), then shuttles the data off to an e-mail address or foreign site. Once the data has been transmitted to an unknown third party, it is then used to conduct illegal or unwanted activities. Since there is a separate economy based solely on the distribution and sale of WoW gold, your accounts are a high-priced commodity! If you're curious why anyone would want to gain access to your account, think about it this way: If 2-5k gold retails for $20 or more, your account alone might be worth that much to an attacker! Plus, if they can gain access to your account, they don't have to work for the gold--you did all the work for them.

Don't Buy Gold

This is somewhat obvious. But, in case you weren't aware, whenever you purchase gold from a third party, what you're doing is buying gold that very likely came from someone else's misery. That very commodity was probably obtained from someone else's account, and they very likely lost weeks of game time simply trying to get things back in order. Don't buy gold, because all you're doing is encouraging (and indirectly funding) the use and authoring of keyloggers and other dangerous malware.

If you think you have been keylogged...

Don't panic! See the link in my previous post about how to contact Blizzard. If your account hasn't been compromised, you may wish to change your password immediately. Don't use the computer you think has been compromised, though, because the attackers will simply gain access to your new password; instead, if you have access to a known, clean computer, change your password from there. Otherwise, contact Blizzard immediately and give them a brief overview on the situation.

Next, make sure to scan your system for malware. It's possible that future keyloggers may share some attributes with rootkits, rendering them nearly undetectable. If your account has been compromised and your antivirus software doesn't find anything, you will very likely need to wipe your drive and reinstall your operating system (and WoW).

I can't stress this enough, but please be sure to keep a new, updated antivirus package running on your machine at all times. I usually recommend Avira, because it's free for personal use. It does pop up during updates with a notice about updating to the commercial version, but I think that's a minor inconvenience for the utility of it. I've had better luck with Avira than most commercial-for-private-use packages, like Norton. Avira isn't quite as bloated and generally does a good job at limiting malware, even when your browser attempts to download something it shouldn't. Of course, no AV is a silver bullet and it's a good idea to practice safe hex when going about your business online.
I gave that lich a phylactery shard. Liches love phylactery shards.
User avatar
Zancarius
Site Admin
 
Posts: 3907
Joined: Wed Jul 05, 2006 3:06 pm
Location: New Mexico
Gender: Male

Postby Tirian » Tue Dec 09, 2008 10:36 am

Watch out, facebookers, some e-mails are fake.

http://news.bbc.co.uk/newsbeat/hi/techn ... 773340.stm
Letting the demon do the work for me since 2004.
I play to some degree: WoW (EU now, US before), Guild Wars 2 (EU), SWTOR.
User avatar
Tirian
Officer
 
Posts: 802
Joined: Fri Dec 07, 2007 5:16 am
Location: Moscow
Gender: Male

Postby Tirian » Tue Dec 16, 2008 6:04 pm

Keyloggers coming through IE on various sites, avoid IE: http://www.guardian.co.uk/technology/20 ... 6/internet

By the way, it's pretty interesting that this has become a big enough problem (primarily Chinese keyloggers, that is) to make it to The Guardian.
Letting the demon do the work for me since 2004.
I play to some degree: WoW (EU now, US before), Guild Wars 2 (EU), SWTOR.
User avatar
Tirian
Officer
 
Posts: 802
Joined: Fri Dec 07, 2007 5:16 am
Location: Moscow
Gender: Male

Postby Zancarius » Tue Dec 16, 2008 6:26 pm

Indeed. The problem with these exploits in Internet Explorer is that they're largely zero-day exploits (i.e. exploited they day they're discovered).

What's more disconcerting to me than WoW account compromises is the potential for literally hundreds, if not thousands, of bank accounts to find their way into less than scrupulous hands.
I gave that lich a phylactery shard. Liches love phylactery shards.
User avatar
Zancarius
Site Admin
 
Posts: 3907
Joined: Wed Jul 05, 2006 3:06 pm
Location: New Mexico
Gender: Male

Significant proposed WoW changes (some rather worrisome)

Postby Tirian » Fri Jan 08, 2010 10:31 pm

Mandatory authenticators?: http://www.wow.com/2010/01/08/blizzard- ... #continued

Forced "care packages" rather than true restoration of accounts?: http://www.wow.com/2010/01/08/account-a ... #continued

Human "hacks"/exploits to gain loot: http://www.wow.com/2010/01/08/how-flaws ... #continued

Blizzard responds (and possibly refutes) the above posts... but I'll believe it when I see it: http://www.wow.com/2010/01/08/blizzard- ... #continued

Unfortunately, a lot of this just makes me even less enthused about returning to WoW... and that said, very glad that my account is protected by a mobile authenticator.
Letting the demon do the work for me since 2004.
I play to some degree: WoW (EU now, US before), Guild Wars 2 (EU), SWTOR.
User avatar
Tirian
Officer
 
Posts: 802
Joined: Fri Dec 07, 2007 5:16 am
Location: Moscow
Gender: Male

Postby Tirian » Mon Jun 07, 2010 6:03 pm

Letting the demon do the work for me since 2004.
I play to some degree: WoW (EU now, US before), Guild Wars 2 (EU), SWTOR.
User avatar
Tirian
Officer
 
Posts: 802
Joined: Fri Dec 07, 2007 5:16 am
Location: Moscow
Gender: Male

Postby Zancarius » Mon Jun 07, 2010 7:06 pm

Looks as if it ties into this: http://forums.blackravendragoons.com/vi ... php?t=1547

This is proof that it's necessary to have some kind of flash blocker enabled in addition to disabling scripting (in general).
I gave that lich a phylactery shard. Liches love phylactery shards.
User avatar
Zancarius
Site Admin
 
Posts: 3907
Joined: Wed Jul 05, 2006 3:06 pm
Location: New Mexico
Gender: Male


Return to World of Warcraft

Who is online

Users browsing this forum: No registered users and 0 guests

cron