For a little bit of backstory, my brother and I play Diablo 3 together. We have two computers in the same room on the same network. We discovered one day that he had been hacked, and we immediately jumped to the conclusion that there must have been some kind of breach on Blizzard's server side, and the number of posts on these forums indicating the danger of playing public games just cemented this for us. I also thought it was possible he was a victim of a phishing scheme. I knew he must know better than that, but of course, that is the whole reason phishing works...because you don't know it is happening.
I recently reformatted my hard drive for a completely unrelated reason. Little did I know, I never actually reinstalled Microsoft Security Essentials.
After his account was compromised, I acquired an authenticator for my iPhone and will be ordering his physical one. I installed Microsoft Security Essentials and ran a quick scan. There was nothing found. Last night I decided to run a full scan and let it run through the night.
Today after work, when logging in successfully with my new authenticator (and with all my gear, phew), I noticed that Blizzard put out the patch notes and said to go to www.diablo3.com to view them.
I went to this exact URL and was presented with this page...
All was good. So I clicked "Proceed to the Diablo III site" right there up top. But something strange happened...rather than go to the main Diablo III page, it brought me to this page...
I thought that it was strange since this never happens. Why would it ask me to log in as I am just trying to view the patch notes? I thought this was very sketchy so I closed Firefox and tried again. The exact same thing happened, I was redirected and asked to log in. This was very strange to me and just seemed very sketchy. I closed Firefox, and instead of going to www.diablo3.com, I went straight to www.battle.net and proceeded to Diablo 3. Oddly enough, I was already signed in from last night! I repeat...I was already signed in from last night!
Excitedly, I noticed that my MSE Full Scan was complete and so I looked at the history.
There was one individual Trojan infection. I apologize, I deleted it immediately and kept no record of its exact name.
EDIT: It was Trojan:Win32/Sisproc
EDIT: This trojan was not on my OS drive, but a secondary Media Storage Drive (F:)
Once I deleted it...I cleared my browsing history and once again attempted to go to www.diablo3.com and click the link up top to continue to the D3 site...
Rather than the login screen...I was taken to the regular Diablo 3 site.
I strongly believe that the login screen I was presented with was a fraud and may have compromised my username and password if I were not as vigilant.
An infection on my system may have caused www.diablo3.com or other Blizzard-affiliated sites to redirect to a fraudulent phishing login screen. This login screen would have looked identical to the official Blizzard one and could be one possible source of the mass compromising of accounts recently.
I hope that this helps some people out there.
Thank you for all the wonderful contributions in this thread.
I will reserve this section for very informative posts. Please let me know if you feel anything should be added here.
Ahlias - Information about Trojans (Win32)
Ahlias - On HijackThis vs. Only antivirus/malware
- denotes registry changes including breaking of internet access and redirection via TCP/IP settings