Hacked this morning

Technical Support
So, this morning my account (which had/has a mobile authenticator attached) was compromised. I've gone through most of the standard security options and have successfully gotten my account back, while changing passwords, etc. on a computer which I know to be secure. My question is: I've run 4 full scans (where the option was available) on my primary computer, in safe mode, using Malwarebytes, Microsoft Security Essentials, Spybot Search & Destroy, and the Windows Malicious Software Removal Tool, all of which turned up nothing. Do I still have to worry about my computer being infected? If so, are there more thorough ways of ensuring that my desktop (which is the only place, other than my cell-phone, where I've logged into my b-net account) isn't infected?
Floseidon

I'd try the steps below. If nothing is found, then you should be good to go.

1. Download the following programs:

Rkill: http://www.bleepingcomputer.com/download/anti-virus/rkill

FixTDSS: http://www.symantec.com/security_response/writeup.jsp?docid=2010-090608-3309-99

2. Reboot into safe mode.

Here's a link that shows you how to get into safe mode:

http://us.blizzard.com/support/article/21148

3. Run Rkill, then run FixTDSS.

When FixTDSS finds the rootkit, it'll need to restart to remove it. You can let it restart normally.

4. Download & install Malwarebytes.

Here's a link where you can download Malwarebytes: http://www.malwarebytes.org

*Be sure to completely update it before running any scans.*

Do a full scan - it'll take over an hour, but it's required to remove the rest of the keylogger bits.
______________________________________________________
I'm available Monday through Friday from 11AM to 8PM Pacific Time
Support Contact Information
I ran the two programs which you indicated. Rkill, according to the log, found no issues, while FixTDSS did not find a rootkit. Is it still necessary for me to run Malwarebytes again? If so, I was brought back out of Safe Mode after the reload. Should I just scan as is?
Floseidon

You can scan it as is, but if it didn't find anything before from a full scan, you should be fine.
Alrighty, thanks.

Obviously I can't ignore the fact that my account was breached somehow. Like I said, as far as I can remember the only places where I've signed into my battle.net have been on my desktop and my cell phone (using the mobile armory app), other than signing in on my laptop, which was roughly a year ago. Is it possible someone got my information off of my cell?
Floseidon

Did you maybe reply to a phishing email thinking it was one of ours?
100% certain that I haven't replied to any phishing emails, nor does anyone else have my account information.
Looking at my support tickets, two tickets were sent in by whoever had access to my account. The first ticket was submitted when I was still online last night, and it was a petition to have my real authenticator removed, complete with what I'd imagine was a doctored driver's license. This ticket was handled by a GM, and the authenticator was removed. Could the process of removing my authenticator have been done without actually fully accessing my account (i.e. without somehow knowing my authenticator information)? As I understand it, if someone was able to access my authenticator code, then it's 100% a case of malware on my computer.
My friend just got hacked the exact same way.

They changed his authenticator. How does he log in to create a ticket when he can no longer authenticate his account?
My friend just got hacked the exact same way.

They changed his authenticator. How does he log in to create a ticket when he can no longer authenticate his account?


The petition to remove an authenticator from an account can be done without being logged in to a battle.net account, assuming he has all the proper information (address, phone number, answer to security question, etc.). If he goes to the support section, it's all pretty straightforward from there. He can either create a ticket, or talk to support through live chat/the phone. I found the latter to be much quicker.
Floseidon

To remove an authenticator you would normally need to have access to the authenticator code. However, there are cases where this may change. For example, if an authenticator is lost or broken, you would then need to contact us to remove the authenticator, but we would only do so after verifying that you are the account owner.
Really curious about which authenticator you used. Was it one with a random number in a display that changes every so often?

To hack that type, they'd have to know not only one of the recent random numbers it generated, but also the seed.
Floseidon

To remove an authenticator you would normally need to have access to the authenticator code. However, there are cases where this may change. For example, if an authenticator is lost or broken, you would then need to contact us to remove the authenticator, but we would only do so after verifying that you are the account owner.


The ticket that was opened claimed that "my phone reset to factory settings so I lost my authenticator + serial number." I'd assume that the verifications you spoke of are providing ID, which whoever opened the ticket did. Like I said, the ticket was serviced by a GM, so I'm going to assume whoever got access to my account just had my account information, but not a way to access my authenticator. Still not sure how it happened, but at the very least it means I have to be less worried about malware on my main computer.

Really curious about which authenticator you used. Was it one with a random number in a display that changes every so often?

To hack that type, they'd have to know not only one of the recent random numbers it generated, but also the seed.


Isn't that how every authenticator works? For what it's worth, I was using the mobile authenticator.
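The question above about display-style authenticators (a code that changes every so often, which an attacker could only forge by knowing the seed) and the follow-up asking whether every authenticator works that way both describe the standard time-based one-time password scheme (RFC 6238 TOTP, built on RFC 4226 HOTP). The following is an added example, not code from the thread or from Blizzard; it does not claim to be the Battle.net mobile authenticator's exact algorithm, and the demo seed is constructed. It shows that each code is an HMAC over the shared seed and the current 30-second step, so an observed code reveals nothing reusable once its step has passed, and a replayed old code fails the server's check:

```python
import hmac
import hashlib
import struct

# RFC 4226 / RFC 6238 reference seed ("12345678901234567890" in ASCII), used here
# only because its expected codes are published; a real authenticator seed is random.
RFC_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed time steps."""
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, code: str, unix_time: int, window: int = 1,
           step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the code for the current step and +/- `window`
    neighbouring steps (clock drift), comparing in constant time."""
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(seed, c, digits), code):
            return True
    return False


def replay_demo(seed: bytes = RFC_SEED) -> dict:
    """Show why a captured code is useless after its step: the code valid at
    t=59 (step 1) is rejected at t=170 (step 5), even with a drift window."""
    captured = totp(seed, 59)
    return {
        "captured_code": captured,
        "valid_when_captured": verify(seed, captured, 59),
        "replayed_later": verify(seed, captured, 170),
    }


if __name__ == "__main__":
    print(replay_demo())
```

Note that `verify` compares codes with `hmac.compare_digest` rather than `==`, so the check does not leak how many leading digits matched; a legitimate service also tracks the last accepted step so the same code cannot be reused within its window. The seed is the only long-term secret, which is why "lost my phone, please remove the authenticator" support requests, like the one described earlier in this thread, are the path an attacker goes after instead of the codes themselves.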
