Diablo® III

PSA: Hacking - Possible Phishing Source

Hello all,

For a little bit of back story, my brother and I play Diablo 3 together. We have two computers in the same room on the same network. We discovered one day that he had been hacked, and we immediately jumped to the conclusion that there must have been some kind of breach on Blizzard's server side; the number of posts on these forums indicating the danger of playing public games just cemented this for us. I also thought it was possible he was a victim of a phishing scheme. I knew he must know better than that, but of course, that is the whole reason phishing works...because you don't know it is happening.

I recently reformatted my hard drive for a completely unrelated reason. Little did I know, I never actually reinstalled Microsoft Security Essentials.

After his account was compromised, I acquired an authenticator for my iPhone and will be ordering his physical one. I installed Microsoft Security Essentials and ran a quick scan. There was nothing found. Last night I decided to run a full scan and let it run through the night.

Today after work when logging in successfully with my new authenticator (and with all my gear, phew) I noticed that Blizzard put out the patch notes and said to go to www.diablo3.com to view them.

I went to this exact URL and was presented with this page...

http://i46.photobucket.com/albums/f140/darrellgonzales/diabloteaser.png

All was good. So I clicked "Proceed to the Diablo III site" right there up top. But something strange happened...rather than go to the main Diablo III page, it brought me to this page...

http://i46.photobucket.com/albums/f140/darrellgonzales/diablologin.png

I thought that it was strange, since this never happens: why would it ask me to log in when I am just trying to view the patch notes? I thought this was very sketchy, so I closed Firefox and tried again. The exact same thing happened: I was redirected and asked to log in. This was very strange to me and just seemed very sketchy. I closed Firefox, and instead of going to www.diablo3.com, I went straight to www.battle.net and proceeded to Diablo 3. Oddly enough, I was already signed in from last night! I repeat...I was already signed in from last night!

Excitedly, I noticed that my MSE Full Scan was complete and so I looked at the history.

There was one individual Trojan infection. I apologize, I deleted it immediately and kept no record of its exact name.

EDIT: It was Trojan:Win32/Sisproc

EDIT: This trojan was not on my OS drive, but a secondary Media Storage Drive (F:)

Once I deleted it...I cleared my browsing history and once again attempted to go to www.diablo3.com and click the link up top to continue to the D3 site...

Rather than the log in screen...I was taken to the regular Diablo 3 site.

I strongly believe that the log in screen I was presented was a fraud and may have compromised my username and password if I were not as vigilant.

TL;DR

An infection on my system may have caused www.diablo3.com or other blizzard affiliated sites to redirect to a fraudulent phishing login screen. This login screen would have looked identical to the official blizzard one and could be one possible source of the mass compromising of accounts recently.

I hope that this helps some people out there.

===========================================================

EDIT:

Thank you for all the wonderful contributions in this thread.
I will reserve this section for very informative posts. Please let me know if you feel anything should be added here.

Ahlias - Information about Trojans (Win32)

http://us.battle.net/d3/en/forum/topic/5592449838?page=7#129

Ahlias - On HijackThis vs. only antivirus/anti-malware
- notes registry changes, including breaking of internet access and redirection via TCP/IP settings

http://us.battle.net/d3/en/forum/topic/5592449838?page=8#149
Edited by Daru#1181 on 5/31/2012 7:14 AM PDT
Reply Quote
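One mechanism behind the kind of redirection described above (and in the TCP/IP-settings note linked from the post) is a hijacked hosts file: a single line pins www.diablo3.com or us.battle.net to an attacker's server, so the typed-in address is correct but the page that loads is not. The script below is an added example, not part of the original post and not a Blizzard or Microsoft tool. It parses hosts-file text and flags entries that map Blizzard domains anywhere other than loopback. The domain list and the sample hosts content are constructed for illustration; the infected machine in the thread was never shown to use this exact technique.

```python
"""Flag hosts-file entries that redirect Blizzard domains (added example).

The sample hosts content and the watched-domain list below are
CONSTRUCTED for this illustration; they are not from any real machine.
Other redirection mechanisms (a changed DNS server, a proxy setting, a
browser extension) are not covered by this check.
"""
import ipaddress
import os

# Domains a player would type or bookmark (assumed list, extend as needed).
WATCHED_DOMAINS = {
    "diablo3.com", "battle.net", "blizzard.com",
    "worldofwarcraft.com", "starcraft2.com",
}

# Constructed sample: the first three lines are what a clean Windows hosts
# file normally contains; the rest imitate a hijack with a documentation
# (RFC 5737) address standing in for the attacker's server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- constructed hijack entries for this example ---
203.0.113.10    www.diablo3.com diablo3.com
203.0.113.10    us.battle.net      # inline comment must be ignored
0.0.0.0         update.example.net # not a watched domain
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                            # malformed line, ignore
        for name in names:
            yield addr, name.lower().rstrip(".")


def registrable_domain(hostname):
    """Crude 'last two labels' reduction; adequate for the .com/.net set here."""
    labels = hostname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip, kind) for watched domains pinned in the hosts file.

    kind is "redirected" for a routable address (the phishing case) or
    "blocked" for loopback/unspecified addresses, which only break access.
    """
    findings = []
    for addr, name in parse_hosts(text):
        if registrable_domain(name) not in watched:
            continue
        kind = "blocked" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append((name, str(addr), kind))
    return findings


def hosts_file_path():
    """Location of the live hosts file on Windows, with the Unix fallback."""
    win = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                       "System32", "drivers", "etc", "hosts")
    return win if os.name == "nt" else "/etc/hosts"


if __name__ == "__main__":
    print("Constructed sample:", find_hijacks(SAMPLE_HOSTS))
    path = hosts_file_path()
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path, "->", find_hijacks(fh.read()) or "clean")
```

On a clean machine the live check prints "clean"; any "redirected" finding for a Blizzard domain means the browser will land on whatever server that address hosts, regardless of what was typed, which is exactly the symptom in the post. Deleting the offending lines (as Administrator on Windows) removes the redirect but not the malware that wrote them.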
bump (wow this section moves quickly)
Reply Quote
If you have an authenticator, and you didn't log in to the false login screen, your account was not compromised.
Reply Quote
Just found the record.

The detected item was

Trojan:Win32/Sisproc

This file was stored in a download of Cyberlink PowerDVD 10 (yes this was Torrented)

Technical Information (Analysis)
Trojan:Win32/Sisproc is a generic detection for a group of trojans that have been observed to perform a number of various and common malware behaviors. The generic nature of this detection means that the malicious behaviors exhibited by files detected as Trojan:Win32/Sisproc may vary from one instance of this detection to the next.

Malware detected as Trojan:Win32/Sisproc may exhibit one or more of the following common malware behaviors:

Opens a port that may be used for unauthorized remote access and control of the affected system
Executes applications without the affected user's knowledge or consent
Disguises malicious behavior by patching processes in memory
Disables security products
Attempts to spread using Autorun functionality
Copies itself to system-protected folders
Modifies the system to execute itself automatically on each Windows start
Attempts to bypass security systems by modifying firewall access lists
Installs an unsigned driver
Is distributed and packed by a packing utility or tool commonly used to obfuscate malware
Edited by Daru#1181 on 5/29/2012 9:13 PM PDT
Reply Quote
Your anti-virus should keep logs. See if you can find the name or any identifier for the trojan to share with us.

edit: lol, nice timing. Thanks!
Edited by Baarogue#1203 on 5/29/2012 6:13 PM PDT
Reply Quote
05/29/2012 06:10 PM, posted by iceache:
If you have an authenticator, and you didn't log in to the false login screen, your account was not compromised.


Oh Yes, my account was not compromised, unfortunately my brother's was. He uses the same computer sometimes. I got the authenticator on mine immediately after his was compromised.

Your anti-virus should keep logs. See if you can find the name or any identifier for the trojan to share with us.

edit: lol, nice timing. Thanks!


Added :)
Reply Quote
One of the first informative posts regarding how folks could be getting compromised, although that does not answer how some say their own scans find nothing. Still, thanks for sharing this with the community.
Reply Quote
05/29/2012 06:24 PM, posted by Ahlias:
One of the first informative posts regarding how folks could be getting compromised, although that does not answer how some say their own scans find nothing. Still, thanks for sharing this with the community.


One possibility that I know I am guilty of is that my quick scans showed nothing, but an overnight full scan revealed the trojan.
Reply Quote
Thanks for sharing this. I hope it will help someone not lose their items.
Reply Quote
For those running Firefox, I highly recommend this add-on for the browser.

http://noscript.net/

It's open source and gives you full control over which of the websites you visit are considered safe to run JavaScript, Java, Flash, etc. You can also disable certain aspects of web sites, such as annoying pop-up advertisements and the like. It's really handy.

The NoScript Firefox extension provides extra protection for Firefox, SeaMonkey and other Mozilla-based browsers: this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank).

NoScript also provides the most powerful anti-XSS and anti-Clickjacking protection ever available in a browser.

NoScript's unique whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality...
Reply Quote
After you cleared that trojan, did you try just going straight to diablo3.com to see if the log-in prompt still shows up?
Reply Quote
wow, great thread. Thanks for breaking that down for us.
Reply Quote
Sounds about right.
Reply Quote
You know, this happened to me a couple days after release. I didn't think much of it and thought I typed the address wrong and ended up on a phishing site, backed out, went back to D3 and it worked fine. Seems like a very possible cause.

Running full scan tonight to see what comes up.
Edited by Serokin#1334 on 5/29/2012 6:53 PM PDT
Reply Quote
It doesn't explain the Macs who are getting their accounts hacked either.
Reply Quote
And to think of how many who don't take notice of this, or simply shrug it off as a change in how the website works. It's plausible that a design changes over the course of time, so those who are reporting hacked characters may have never noticed.

Redirects off of the official site, which they themselves typed in or bookmarked - www.diablo3.net, www.starcraft2.com, www.worldofwarcraft.com - to a fake log-in page could have happened long ago.

They type in their information, do a scan that week, find something, remove it and realize their virus scanner is working just fine, cleaned the problem and continued doing what they do.

That's the genius of phishing sites. You click on a link you've clicked on for so long, it becomes habit and one day, you see a change like Daru did but for whatever reason, don't pay it much mind.

Sadly, by then, it's too late.
Reply Quote
It really is a shame. I stumbled upon dozens of posts just like this on the popular "i've gotten hacked" threads.

Phishing is obvious. Besides, why would anybody give out their account information unless it were to log into Blizzard's website or the game itself? Right after the patch completed installing, EVERYTHING was stripped from me but gems. I've been hearing this over and over again. Yet I did NOT give my account information out anywhere, join any public games, fall for sad phishing attempts or anything of the kind. You would think that when hundreds of people are complaining of the same exact symptom, and AFTER the patch is applied, that the only idiots in here are the people calling those who lost everything idiots. Obviously, these people are showing they are incapable of putting two and two together...

Just wait until the same thing happens to you; authenticator or not.


If you think about the thousands that were hacked...it really only takes about one in one hundred people to miss this.
Reply Quote
I like you greatly for your work on hammering this out, this may be a good step since who knows how long this might've been lurking about.
Reply Quote