Diablo® III

Categories of the hack attacks.

90 Draenei Shaman
12945
Posts: 48
I have been reading the hack forums and getting detailed information on all the types of hacks.

I myself have not been hacked yet; however, please fill in your detailed information on the hacks.
Keep in mind these are just situations I have taken from almost every post I can find in the technical support forum. There is speculation within the forum, and these are my ideas only on how numbers 2 and 3 were performed. If you are more knowledgeable about the situation, please feel free to correct me; this is just a precaution for people against hacks.

From all the posts I have read in the past week there appears to be 3 types of hacks that are occurring.

1) Key-logging hack. I figured I would start with the basics. There have been some people getting their B-net account hacked who posted on the D3 forums about their account being hacked, where they had the B-net password changed and were unable to reclaim their account. After running virus scans they found the key-logger and removed it from their computer.
Things missing: Diablo 3 characters wiped, items, gold, auctions, friends removed, B-net password changed; in some cases even their linked WoW accounts were compromised as well.

This is actually one of the least common hacks that I have found on the forums so far.

Steps to avoid this:
Avoid strange sites, emails, etc. Have a good antivirus program, along with the physical keychain authenticator. These still are not 100% protection, but they are the best you can get against these types of attacks.

2) D3 account hacked, not B-net. This one occurred shortly after release and hasn't appeared much since the first scheduled maintenance. The results in this one seem quite strange: people would be kicked off while playing their toon, then get error 37. When logging in, all their toons would be stripped clean, as well as the AH. Nothing would be changed on their B-net account, suggesting that it was not actually a B-net hack, since it was limited to only the Diablo 3 accounts.

Things missing: all toons wiped; gold, auction house, stash removed; strange names listed in recently played.

Difference between 1 and 2: B-net left alone, friends list left alone.

These appeared to have been accepting character logins, so if they had the physical authenticator, the attackers would not have been able to run this hack. Also, these seem to have stopped since the first scheduled maintenance.

Ways to avoid: physical (key-fob) authenticator with "always require authentication when logging in".

3) Main toon session ID possible hack. This appears to be very, very common at the moment.
High-level toons are being hacked on softcore accounts; I have not found a single case of a hardcore toon that has been hacked. If you find one, please let us (the community) know.
What happens is the victim, if they are currently online, will start to get a massive lag spike and get kicked from the game. When they get back online, their main character is stripped of all his gold, items, and stash. Their auction house is fine, as well as their other toons.

Things missing: stash, items, gold, gear on main toon.

Reasoning as to why this is a session ID hack is the following (speculation on how they were accomplishing this):
What appeared to be happening is the following: before 5/30/2012 there was a valid command, the /who command, which at this moment now crashes the game. You could set a parameter to search for toons by level; this allowed people to find the high-level toons. You could then place that high-level toon as a friend on your list without confirmation from the recipient. Currently the game allows you to quick-join friends' games without confirmation.
Now we have identified a level 60 toon and wish to quick-join them. As the hacker sends a massive DDoS to the recipient's game, it kicks that player out; the hacker then sets up the session ID hack, pretty much taking the place of the booted person. They then quick-join with their level 1 toon and strip the high-level toon of everything they have. They also have the player's recently played and friends list and continue down to new people they haven't hacked yet.
There have been a few cases of people logging on during the hack where they prevented mid-selling and kept part of their gear and stash. The difference here is they didn't get re-hacked after they kept off the game sessions. That is why it is presumed to be a session ID hack.

The reason the auction house and other toons are unharmed is because they never get to the menu section. This bypasses all authentication methods, making extra security invalid. My thought is, if they were actually forced to leave the game to get to a menu, it would mess up their program, maybe even require an authentication, which is why the auction house is safe, as well as the other toons.

Keep in mind a hacker would not spare a low-level toon just because they're low. All the hackers are doing is selling the gear to a vendor and transferring the gold to their level 1; they could get an extra 1k gold off a lowbie, since it only takes a maximum of about 2 minutes to strip everything and sell it.

Ways to prevent this: press Esc in game, click on Options, click on Social, and under the Friends and Chat section make sure to uncheck Allow Quick Join. Also stay out of public games so you cannot get hacked through a person in that public game. DO NOT TALK IN GENERAL CHAT. This is by far the easiest way at this moment to compromise a person's game; it is the same as placing your name in a functioning /who list. I know this way is terrible, but it is needed until Blizzard fixes this issue, which it appears they are catching on to. Since the /who command is causing crashes, I am almost positive that bug was intentional.

Please, if I have missed a situation in how you were hacked (symptoms/preventions), let us know. However, I feel I have covered all the bases on preventions for the specific types of hacks seen on the Technical Support Forum.
Oh for goodness sake. I thank you for your attempt to inform people of the steps required to avoid getting hacked, but perpetuating the "Session" hack myth is ridiculous. If there is anything like that going on it is not a session hack it is a much more serious security compromise.

Games like this don't use HTTP, so they don't have a "Session ID" that can be spoofed; they typically use a socket-based TCP/IP connection. This stores its session information in memory. The session info in TCP/IP is used to decrypt the data flowing between the server and the client and is updated frequently. Authorization and acknowledgement packets whiz back and forth constantly to make sure the session stays in parity.

Even the simplest TCP/IP session spoofing attempts are typically easily detected because they cause a "storm" of packets called ACK packets when mysterious packets are injected. In addition, most TCP/IP spoofing hacks require one or both of the machines to be compromised by some sort of virus already (or the local network of one of the machines to be compromised), because the IP addresses of the machines need to be known to even try to inject data.

These attacks can typically be assumed to be man-in-the-middle attacks, because they require knowledge not accessible without direct communication with both server and client. Since this is not a peer-to-peer game model, a man-in-the-middle attack is not possible without either the client or server being compromised.

In any case, if TCP/IP hijacking is occurring it is not "Session ID" spoofing; that doesn't even make sense. This is not a website, this is a socket server connection of some kind. More accurately it would be session packet hijacking, but like I said, that is nearly impossible without compromise.

So stop scaring people and chill. People get hacked because they have viruses or because something much more serious is going on, like Blizzard's network being compromised or a security glitch causing everyone's private info to be broadcast to other users. If something this serious were happening it would probably be known by Blizzard already at this point.

Sources:
I'm a game dev and have experience with network programming. I was a software engineer in testing at a major game publisher and did some security validation for an MMO-style game. Also, just search Google for "TCP session hijacking" and read up on how it's done (it's kind of underwhelming).
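The two claims in the reply above, that an attacker who cannot see the connection has to guess the client's port and an in-window sequence number, and that a successful injection desynchronises the real endpoints into an ACK storm, can be shown with a small model of TCP segment acceptance. This is an added illustration, not code from figs or from the game; it implements a simplified version of the RFC 793 acceptance rules (no sequence-number wraparound, no retransmission, no RST or SYN handling), and the addresses, port 1119, window size, port range and sequence numbers are all assumed values chosen for the example.

```python
"""Toy model of TCP segment acceptance (added example, not from the thread).

Shows (a) why an off-path attacker has to guess the client's port and a sequence
number inside the receive window, and (b) why an on-path attacker who has read
those values off the wire can inject data, after which the real client and
server fall into an ACK storm.  Simplified RFC 793 rules: no sequence-number
wraparound, no retransmission, no RST/SYN handling (assumptions)."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

Addr = Tuple[str, int]
WINDOW = 65535           # receive window advertised by each side (assumption)
EPHEMERAL_PORTS = 65536  # client ports an off-path attacker must cover (assumption)


@dataclass
class Segment:
    src: Addr
    dst: Addr
    seq: int
    ack: int
    payload: bytes = b""


@dataclass
class Endpoint:
    addr: Addr
    peer: Addr
    snd_nxt: int      # next sequence number we will send
    rcv_nxt: int      # next sequence number we expect from the peer
    rcv_wnd: int = WINDOW
    delivered: bytearray = field(default_factory=bytearray)
    acks_sent: int = 0

    def belongs_to_us(self, seg: Segment) -> bool:
        """A segment is matched to a connection by its full 4-tuple first."""
        return seg.dst == self.addr and seg.src == self.peer

    def in_window(self, seg: Segment) -> bool:
        """RFC 793 acceptability test: some byte of the segment lies in our window."""
        lo, hi = self.rcv_nxt, self.rcv_nxt + self.rcv_wnd
        n = len(seg.payload)
        if n == 0:
            return lo <= seg.seq < hi
        return lo <= seg.seq < hi or lo <= seg.seq + n - 1 < hi

    def _ack(self) -> Segment:
        self.acks_sent += 1
        return Segment(self.addr, self.peer, self.snd_nxt, self.rcv_nxt)

    def receive(self, seg: Segment) -> Optional[Segment]:
        """Process one inbound segment; return the segment we send back, if any."""
        if not self.belongs_to_us(seg):
            return None            # wrong 4-tuple: never reaches this connection's state
        if not self.in_window(seg):
            return self._ack()     # out of window: drop the data but answer with an ACK
        if seg.ack > self.snd_nxt:
            return self._ack()     # acknowledges bytes we never sent: drop, answer with an ACK
        if seg.payload and seg.seq == self.rcv_nxt:
            self.delivered += seg.payload
            self.rcv_nxt += len(seg.payload)
            return self._ack()     # in-order data: deliver and acknowledge
        return None                # pure ACK, or out-of-order data (a real stack would buffer it)


def fresh_pair() -> Tuple[Endpoint, Endpoint]:
    """An established connection; addresses, ports and sequence numbers are made up."""
    client, server = ("192.0.2.10", 51000), ("198.51.100.5", 1119)
    c = Endpoint(client, server, snd_nxt=1000, rcv_nxt=5000)
    s = Endpoint(server, client, snd_nxt=5000, rcv_nxt=1000)
    return c, s


def blind_inject(server: Endpoint, victim_ip: str, port_guess: int, seq_guess: int) -> bool:
    """Off-path attacker: knows the victim's IP and the server, must guess the rest.
    Returns True only if the forgery passed the 4-tuple and window checks."""
    # ack=0 because the attacker does not know the server's sequence number either;
    # an old ack is simply ignored, so it does not help the defender here.
    forged = Segment((victim_ip, port_guess), server.addr, seq_guess, 0, b"SELL ALL")
    hit = server.belongs_to_us(forged) and server.in_window(forged)
    server.receive(forged)
    return hit


def expected_blind_attempts(window: int = WINDOW, ports: int = EPHEMERAL_PORTS) -> int:
    """Average number of forged segments before one lands on the right port and in-window."""
    return ports * (2 ** 32 // window)


def onpath_inject_and_storm(max_rounds: int = 50) -> Tuple[bytes, int]:
    """On-path attacker who read the 4-tuple and sequence numbers off the wire injects
    once; afterwards the real client and server exchange ACKs until we stop counting."""
    c, s = fresh_pair()
    forged = Segment(c.addr, s.addr, s.rcv_nxt, s.snd_nxt, b"SELL ALL")  # observed, not guessed
    reply = s.receive(forged)          # accepted; the server ACKs it to the real client...
    rounds = 0
    while reply is not None and rounds < max_rounds:
        reply = c.receive(reply)       # ...whose ack check fails (ack > its snd_nxt): it sends an ACK...
        if reply is None:
            break
        reply = s.receive(reply)       # ...that is now below the server's window: another ACK, and so on
        rounds += 1
    return bytes(s.delivered), rounds


if __name__ == "__main__":
    _, srv = fresh_pair()
    print("blind guess hit:", blind_inject(srv, "192.0.2.10", 40000, 123456789))
    print("segments needed on average:", expected_blind_attempts())
    print("on-path injection, ACK rounds:", onpath_inject_and_storm())
```

Two things the model leaves out are worth knowing: real stacks rate-limit the ACKs they send for out-of-window segments (RFC 5961), which damps the storm, and an attacker who can sniff the victim's traffic (a compromised host or LAN, as the reply says) reads the port and sequence numbers directly and needs no guessing at all, which is why the reply treats the game client or its network being compromised as the realistic precondition.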
90 Draenei Shaman
12945
Posts: 48
Thank you for the detailed information, figs; this is exactly what I was looking for, as stated before. I do not know much of the "how to"; this was just compiled information on what people have undergone in their own hacked situations.
Also, it is not my intention to scare people but to inform people on how to protect themselves based on other people's hacked situations. After reading about TCP session hijacking, it appears to me that it could be a possible cross-site scripting method, so I read up on http://en.wikipedia.org/wiki/Cross-site_scripting, which appeared to only cover web-based hacks. However, the theory behind the practice is the same, which would place it in a security glitch or compromise, just like http://freethoughtblogs.com/zingularity/2012/05/21/stolen-handshakes-session-id-hijacking/. Protecting yourself from those compromises is good practice, and what better way than to hide yourself until the issue is resolved? Even if the post helps one person avoid being hacked, that is all I want to do; nothing is worse than losing all your hard work.

It may be overblown and this may all be for naught. Even if it is, can a little more security in protecting yourself be so bad? http://us.battle.net/d3/en/forum/topic/5149619846
No, I truly do commend you for trying to help, but the "Session ID" hack is simply impossible. Cross-site scripting doesn't apply to TCP/IP, and session spoofing is really only an applicable attack method against random users if their machine is compromised.

Recommending that people not talk in general and turn off public games won't help. Getting people to not visit websites that could be infected with malware will. Any kind of man-in-the-middle attack (if that is what is really happening) will require the attacker to at least know your IP address and network information, which public chat will not tell them.

My advice, if you are really scared of session spoofing, is to make sure you're on a clean network with all possible security options turned on. Make sure you have no viruses/spyware/trojans running on your machine. Don't visit any websites that are in ANY WAY suspect that have anything to do with Diablo (this is the most important one).

Avoiding general chat or other features of the game will only hurt the community and hinder gameplay in general. Unless notified by Blizzard, there is no reason to suspect that general chat, /who, or public games give away enough information to allow a hacker to compromise a direct TCP/IP connection.
Edited by figs#1113 on 5/31/2012 4:10 PM PDT
Posts: 5
Main toon session ID hack happened to me. Fits the description perfectly.