For a little bit of back story, my brother and I play Diablo 3 together. We have two computers in the same room on the same network. We discovered that one day he had been hacked, and we immediately jumped to the conclusion that there must have been some kind of breach on Blizzard's server side; the number of posts on these forums indicating the danger of playing public games just cemented this for us. I also thought it was possible he was a victim of a phishing scheme. I knew he must know better than that, but of course, that is the whole reason phishing works...because you don't know it is happening.
I recently reformatted my hard drive for a completely unrelated reason. Little did I know, I never actually reinstalled Microsoft Security Essentials.
After his account was compromised, I acquired an authenticator for my iPhone and will be ordering his physical one. I installed Microsoft Security Essentials and ran a quick scan. There was nothing found. Last night I decided to run a full scan and let it run through the night.
Today after work when logging in successfully with my new authenticator (and with all my gear, phew) I noticed that Blizzard put out the patch notes and said to go to www.diablo3.com to view them.
I went to this exact URL and was presented with this page...
All was good. So I clicked "Proceed to the Diablo III site" right there up top. But something strange happened...rather than go to the main Diablo III page, it brought me to this page...
I thought that it was strange, since this never happens; why would it ask me to log in when I am just trying to view the patch notes? I thought this was very sketchy, so I closed Firefox and tried again. The exact same thing happened: I was redirected and asked to log in. This was very strange to me and just seemed very sketchy. I closed Firefox, and instead of going to www.diablo3.com, I went straight to www.battle.net and proceeded to Diablo 3. Oddly enough, I was already signed in from last night! I repeat...I was already signed in from last night!
Excitedly, I noticed that my MSE Full Scan was complete and so I looked at the history.
There was one individual Trojan infection. I apologize, I deleted it immediately and kept no record of its exact name.
EDIT: It was Trojan:Win32/Sisproc
EDIT: This trojan was not on my OS drive, but a secondary Media Storage Drive (F:)
Once I deleted it...I cleared my browsing history and once again attempted to go to www.diablo3.com and click the link up top to continue to the D3 site...
Rather than the log in screen...I was taken to the regular Diablo 3 site.
I strongly believe that the log in screen I was presented was a fraud and may have compromised my username and password if I were not as vigilant.
An infection on my system may have caused www.diablo3.com or other blizzard affiliated sites to redirect to a fraudulent phishing login screen. This login screen would have looked identical to the official blizzard one and could be one possible source of the mass compromising of accounts recently.
I hope that this helps some people out there.
Thank you for all the wonderful contributions in this thread.
I will reserve this section for very informative posts. Please let me know if you feel anything should be added here.
Ahlias - Information about Trojans (Win32)
Ahlias - On Hijackthis vs. Only antivirus/malware
-denotes registry changes including breaking of internet access and redirection via TCPIP settings
Edited by Daru#1181 on 5/31/2012 7:14 AM PDT
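One offline check for the kind of local redirection the post suspects, as an added example that is not code from this thread or from Blizzard. It assumes the redirect was done by a modified hosts file (one of the "TCP/IP settings" mechanisms listed in the reserved section above; a changed DNS server or a browser proxy would need a separate check), and it uses a constructed hosts file and constructed URLs as sample input. The expected-domain list and all addresses in the sample are illustrative assumptions.

```python
"""Flag hosts-file entries that pin Blizzard domains, and vet a login URL.

Added example for this thread, not the poster's or Blizzard's own code.
Assumptions: the hijack is a hosts-file entry (not a DNS or proxy change),
and EXPECTED_DOMAINS is an illustrative list, not an official one.
"""
import os
from urllib.parse import urlsplit

# Domains a player expects a Blizzard login page to live under. Assumption.
EXPECTED_DOMAINS = ("battle.net", "diablo3.com", "blizzard.com")

# Default location of the hosts file on Windows.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample: a clean line followed by a hijack pointing two
# Blizzard domains at a TEST-NET address (203.0.113.0/24 is reserved for docs).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
# constructed lines below illustrate a hijack
203.0.113.45    www.diablo3.com diablo3.com
203.0.113.45    www.battle.net   # fake login page
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower().rstrip(".")


def in_expected_domain(host):
    """True if host is one of the expected domains or a subdomain of one.

    Suffix check uses a leading dot, so 'battle.net.example.com' is NOT
    accepted as a battle.net host.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)


def suspicious_hosts_entries(text):
    """Return every hosts entry that overrides DNS for an expected domain.

    Any such entry is suspicious: these domains should resolve through DNS,
    so a hosts line for them, whatever the address, means something local
    decided where the browser goes.
    """
    return [(ip, name) for ip, name in parse_hosts(text)
            if in_expected_domain(name)]


def login_url_ok(url):
    """True only if a login page URL uses https and an expected domain."""
    parts = urlsplit(url)
    return (parts.scheme == "https"
            and parts.hostname is not None
            and in_expected_domain(parts.hostname))


def check_local_hosts_file(path=WINDOWS_HOSTS_PATH):
    """Read the real hosts file if present and return suspicious entries."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_hosts_entries(fh.read())


if __name__ == "__main__":
    print("sample hosts file:", suspicious_hosts_entries(SAMPLE_HOSTS))
    print("this machine:", check_local_hosts_file())
    for u in ("https://us.battle.net/login/en/",
              "https://us.battle.net.example.com/login/",
              "http://us.battle.net/login/en/"):
        print(u, "->", "ok" if login_url_ok(u) else "DO NOT LOG IN")
```

Run it on a Windows machine as-is to list hosts entries for the expected domains; any output at all for a game domain deserves the same suspicion the post describes. The URL check is the habit to pair with it: before typing a password, read the address bar and confirm the host is under an expected domain and the page is https, which catches both a hosts-file hijack that lands on a lookalike host and a plain phishing link.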
Just found the record.
The detected item was
This file was stored in a download of Cyberlink PowerDVD 10 (yes this was Torrented)
Technical Information (Analysis)
Trojan:Win32/Sisproc is a generic detection for a group of trojans that have been observed to perform a number of various and common malware behaviors. The generic nature of this detection means that the malicious behaviors exhibited by files detected as Trojan:Win32/Sisproc may vary from one instance of this detection to the next.
Malware detected as Trojan:Win32/Sisproc may exhibit one or more of the following common malware behaviors:
Opens a port that may be used for unauthorized remote access and control of the affected system
Executes applications without the affected user's knowledge or consent
Disguises malicious behavior by patching processes in memory
Disables security products
Attempts to spread using Autorun functionality
Copies itself to system-protected folders
Modifies the system to execute itself automatically on each Windows start
Attempts to bypass security systems by modifying firewall access lists
Installs an unsigned driver
Is distributed and packed by a packing utility or tool commonly used to obfuscate malware
Edited by Daru#1181 on 5/29/2012 9:13 PM PDT
Oh Yes, my account was not compromised, unfortunately my brother's was. He uses the same computer sometimes. I got the authenticator on mine immediately after his was compromised.
Your anti-virus should keep logs. See if you can find the name or any identifier for the trojan to share with us.
One possibility that I know I am guilty of is that my quick scans showed nothing, but an overnight full scan revealed the trojan.
For those running Firefox, I highly recommend this add-on to the browser.
You know, this happened to me a couple days after release. I didn't think much of it and thought I typed the address wrong and ended up on a phishing site, backed out, went back to D3 and it worked fine. Seems like a very possible cause.
Running full scan tonight to see what comes up.
Edited by Serokin#1334 on 5/29/2012 6:53 PM PDT
And to think of how many don't take notice of this, or simply shrug it off as a change in how the website works. It's plausible that a design changes over the course of time, so those who are reporting hacked characters may have never noticed.
Redirects off the official site, which they themselves typed in or bookmarked (www.diablo3.net, www.starcraft2.com, www.worldofwarcraft.com), to a fake log-in page could have happened long ago.
They type in their information, do a scan that week, find something, remove it and realize their virus scanner is working just fine, cleaned the problem and continued doing what they do.
That's the genius of phishing sites. You click on a link you've clicked on for so long, it becomes habit and one day, you see a change like Daru did but for whatever reason, don't pay it much mind.
Sadly, by then, it's too late.
It really is a shame. I stumbled upon dozens of posts just like this on the popular "i've gotten hacked" threads.
Phishing is obvious. Besides, why would anybody give out their account information unless it were to log into blizzard's website or the game itself. Right after the patch completed installing, EVERYTHING was stripped of me but gems. I've been hearing this over and over again. Yet, I did NOT give my account information out anywhere, join any public games, fall for sad phishing attempts or anything of the kind. You would think that when hundreds of people are complaining of the same exact symptom and AFTER the patch is applied that the only idiots in here are the people calling those who lost everything idiots. Obviously, these people are showing they are incapable of putting two and two together...
If you think about the thousands that were hacked...it really only takes about one in one hundred people to miss this.