BEWARE OF KEYLOGGERS! Don't follow that link!

(Sticky)

Version 2.0 added updates, new information, and cleaned up the format. Transferred from the Old Welcome to WoW forum. -Tera/Baloo

I figured that a thread alerting new forum goers of our incessant keylogger issues right off the bat would be best suited in the Welcome/Beginners forum....so here goes...

What is a Keylogger? How does it work? And why do I care?

The World of Warcraft forums are a good place to come if you need information about your class, spec, profession or just have questions about the game in general. Unfortunately, along with the good information that can be found here, there are also "people" who post links to websites that may imitate a legitimate WoW related website, but actually have a hidden program that gets installed on your computer in the background, without your knowledge.

These small programs or scripts are used to record any keystrokes that you make on the keyboard, and secretly send those recorded keystrokes to a person who will then use that information to gain illegal access to your WoW account, bank account, or any other sensitive information. People who have their accounts "hacked" in this manner will find that when they log on, their characters have been stripped of any and all gear and crafting materials, their bank contents liquidated, and all of their gold gone.

The violated account will then be used to re-post more links to keylogger websites on the official WoW forums in an effort to perpetuate the problem. Eventually the account will be left with nothing more than naked toons, and in some cases the characters are deleted as well once the account has been banned from posting in the forums by the Blizzard Moderators. These hidden programs or scripts can be embedded, actually hidden inside the data of other types of files such as Pictures, movies, flash objects or malicious web pages.

How do I know if a link is a Keylogger or not?

Well, after you have seen a few of them, you start to notice a few different things that they all seem to have in common. First, most of the time keyloggers are some random topic or a link to some picture or web page that has NOTHING to do with WoW or the topic in which the link is posted. These links are usually accompanied by some random one line comment that makes little or no sense. Also most of the time these links are Chinese specific domains, such as: somedomain dot "cn".

An example might look like:
> "It's too good to be true!" (followed by a link to a picture)
> "Naked woman caught by satellite!" (followed by a link to a picture or video, and a statement such as: "Don't be so relaxed while you are taking the sun naked in the garden of your house... Big brother could be watching you!!!")
> "NERF INC!" (followed by a link to a picture)
> "Just Beautiful!" (followed by a link to a picture)
> "Huge Alliance raid on Halaa (w/ pics)" (with several links to pictures)** (See note below)
> "Shapeshifting proposals (Again, with pics)" (with several links to pictures)**
> "Hey Kalgan, we're fine!" (With links to several .php documents, Kalgan is/was a WoW Developer)
> "#%!#!!ex Toy" (Links to videos embedded in PHP scripts, with a story about a "neglected" girlfriend)

Also, some examples of websites that seem to be posted a bunch "look" like they are WOW related websites, but upon closer inspection they are actually not legit:

- warldofwarcraft
- worldofworceaft
- mmosgame
- warcraftmoviies (note the double "ii" in movies)
- warcraftm0vies (note the zero in place of an "o") ** "warcraftmovies" IS a legitimate website **

**Note** It seems that whoever is posting the Key Loggers has gotten a bit less lazy and actually put some scheme together that looks like a legit post. These posts are usually about some "proposal/suggestion or bug fix (note:these issues should only be reported in the Suggestions or Bug Reports forums, NOT in the Welcome/Beginners forum, so that's your first clue.)" or of a raid on a major city. Most recently is a raid on Halaa (the PVP objective in Nagrand, Outland), with several links to pictures of their "event or evidence". These links are hostile and will infect your system. If someone is legitimately posting up pictures of a raid, they will be active on the forums and will usually be willing to speak with you about the link in question, whereas a keylogger almost certainly won't respond.
Edited by Baloo on 1/26/2011 11:28 AM PST
If a link is posted that you are not sure about, there is no need to "cry keylogger" every time. If you are not sure, it's best to NOT follow the link until someone who has more experience with these has verified the validity of said link. You can always ask if you are not sure. It's better to be safe than sorry.

To check the validity of a posted link, there is a fairly simple way to check and see who owns the domain in question. It's similar to a phone book listing, but for internet addresses, and it is appropriately called "whois." You simply type in the domain you wish to check out and search to see what the results are (who owns the domain name).

http://www.networksolutions.com/whois/index.jsp

You don't need to type in the entire domain name as you see it posted, you only need to search for the "top level" domain (that is the "www.somedomain.com" part of the address). If the owner of the domain in question is registered to a company in China, chances are highly likely that you have yourself a keylogger website. Also, if you do a Google or Yahoo search for the top level domain name, and in the summary, you see that the site provides "WoW Gold" or "Powerleveling Services," again, you've got yourself an illegitimate website that will likely try to steal your account access information. Don't go to that website!

HELP!!! I think I might have a keylogger, what do I do?

First and foremost-
If you think you might have gotten a keylogger on your computer, go to A DIFFERENT COMPUTER with internet access, one that you know is clean and immediately change your account password/Username, and any other passwords that you may have typed on the infected computer...this includes any bank account passwords, forum passwords, Email, or any other accounts with passwords you may have accessed.

Secondly:
On the infected computer, you need to install an up-to-date virus/malware scanner, and scan the complete system, including the boot sector.
There are some very good free online virus scanners that can also be quite effective:

- http://housecall.trendmicro.com/ (this online scanner is free. it can detect and remove infections)
- http://usa.kaspersky.com/products_services/free-virus-scanner.php (this online free scanner can detect infections but will not remove them, however it gives a detailed report of the infected files and their locations, so you can manually delete them.)
- http://free.avg.com/download-avg-anti-virus-free-edition (this is a free, "almost full featured" virus scanner that can be downloaded, and is quite effective. The full version adds Rootkit, Anti-Spam and Firewall protection as well)

Once you scan your system, and remove all infected files, run another full system scan again to be sure the problems are actually gone. If they are still there, keep doing this until they are gone.

Next a Spyware/Adware/Grayware scanner would also be a good idea to install and run. Some of the better ones out there are:
- Spybot Search & Destroy (http://www.safer-networking.org/en/spybotsd/index.html)
- AdAware (http://www.lavasoft.com/)
- Malwarebytes (http://www.malwarebytes.org/)
- DriveSentry (http://www.drivesentry.com/)
- Hijack This (http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis)
**Warning: This program is recommended ONLY if you are an ADVANCED computer user. Mis-use of this program could potentially render your computer inoperable, and I cannot be held responsible for any potential damage caused by using it. However, it can generate extremely detailed system reports for use with advanced trouble shooting techniques.**

Again, as with the Virus scanner, once you have installed, updated and scanned your complete system for Spyware/Adware, and all of the problems were fixed, run a second complete scan to verify that the infections are indeed gone.

Scanning in Safe Mode is a very good idea actually. Safe Mode is a stripped down version of Windows that only loads the bare necessities needed to run the operating system.

(http://windowshelp.microsoft.com/Windows/en-US/Help/d063548a-3fc9-4723-99f3-b12a0c4354a81033.mspx)

Booting to Safe Mode will prevent any malicious software from loading into memory, as it does when Windows starts normally. Also, some of these programs are designed to hide from, or disable, virus scanning software. Scanning while in Safe Mode will allow your scanner to find and quarantine the infected files much more easily.
Edited by Baloo on 11/10/2010 11:24 AM PST
While there are ways to boot someone offline remotely, a Keylogger alone does not have the ability to do so. If your computer is infected with a Trojan or some other kind of Backdoor virus that allows an attacker access to your machine, then yes, that is quite possible. However the Attacker will also need an active remote connection to your computer to do so.
Keyloggers are generally designed to do one thing.....Log your key strokes and send them discreetly to a pre-determined destination, without your knowledge. Anything more than that means you likely have more than one problem besides the Keylogger.

I've done all that, now how do I prevent this from happening again?

Well first off, learn from your mistakes. Don't follow random links you don't know.
Second, If you are using Microsoft Internet Explorer ("Internet Exploder" as I like to call it), I would recommend downloading and installing Mozilla Firefox (http://www.mozilla.org/), and also installing the browser add-ons called "Ad Block Plus" and "No Script."

Firefox is a web browser that is Netscape based, which can cause some formatting issues with some websites, but those are very limited, and I'd say 99% of the websites out there don't have any problems at all. Firefox can also be configured to automatically "Clear All Private Data when the browser is closed." This includes history, saved passwords, cookies, temporary internet files and saved form data, all common places where a virus can hide. It is always good to clear these things to help keep your computer running smoothly as well.
The "Ad Block Plus" add-on is a tool that is integrated into the browser that will block all of those annoying ads that always pop up on your screen, or show as banners all over the web. You can choose to allow certain websites to show ads if you like as well.

"Scripts" are often treated as distinct "programs", which execute independently from any other applications. At the same time they are distinct from the core code of the application itself, which is usually written in a different language, and by being accessible to the end user they enable the behavior of the application to be adapted to the user's needs. Scripting languages are nearly always embedded in the application with which they are associated. (for this discussion the "applications" are malicious websites that the scripts are embedded within.)

The "No Script" add-on is a very nice tool that will block any of these "scripts" (including, but not limited to, Javascript, Active X, VB Script, Flash, ASP, PHP, etc.) from running on webpages that you have not specifically given the "ok," and allowed to load. Many times, a virus, adware, or keylogger is loaded onto your machine via one of these types of hidden scripts. Preventing the script from running will prevent the Keylogger from infecting your computer.

Next, invest in a permanent (non-trial version) Virus scanner, keep your subscription valid and keep the software up to date at all times.

Get a Firewall. A firewall will help keep your computer secure while on the internet. When you are on the internet, your computer is susceptible to thousands of port scans, probes, and other non-friendly actions. What these "attacks" are doing, is testing your system to see if there are any "backdoors" open (or unlocked), where a hacker can sneak into your computer and either steal information about you, or install a virus or other nasty program that can then use your computer as a relay.

The hacker can use your computer to hide behind as a way to "cover his e-tracks," making it look like you are the one sending these virus emails out to all your friends.
A nice "Internet Security Suite" of software usually will include a Virus Scanner, firewall, email protection, adware blocker, popup blocker and some other goodies as well to help keep you safe. I personally use the "Kaspersky Internet Security Suite," as it is very powerful software and is Updated by Kaspersky on an hourly basis.

(http://usa.kaspersky.com/products_services/internet-security.php)
Trend Micro also makes a similar software suite that is also very good.
(http://us.trendmicro.com/us/home/home-user/)
Those are the two software suites I have the most experience with, that is why I recommend them, and they both work well.
AVG is also a very good virus scanner/security suite to use, you can download a 30 day free trial that is full featured, meaning there are no trial version restrictions. Updates are also free for both the Trial and Licensed versions.
http://www.avg.com/us-en/homepage
Edited by Baloo on 11/10/2010 11:26 AM PST
Melugstuff
Stormrage Adds a few suggestions here as well:
________________________________________
Quote:
Free Scanners:
Local -
Avast! http://www.avast.com/eng/avast_4_home.html Requires you to register via e-mail for a key to activate once a year. 3 levels of active scanning {quick, normal, deep} and several "always on" scanners {web, mail, IM, p2p...}
Online -
Eset http://www.eset.com/onlinescan/
F-secure http://support.f-secure.com/enu/home/ols.shtml
Firewall
Comodo http://www.personalfirewall.comodo.com/download_firewall.html also free
Things to know -
Copy/pasting your userid/password does not make you safe. Keyloggers can copy and send clipboard contents as well as keystrokes.
Using parental controls can be a good idea. While you may not be able to prevent someone from doing things like transferring your characters off-server or changing your password, it can be an extra layer of security as parental controls use a different password and e-mail address than your main account. Turning on parental controls and locking out your account when you are not playing will mean it requires *TWO* passwords to log into the game servers. 1 in the account management to unlock the playtime on the account via parental controls and the second to log into the game itself.
If someone has keylogged your account and they can't unlock the parental controls, they cannot log into the game, so they cannot sell all your stuff, send all your money to someone else, use your characters to spam and all the other nasty little things they do. ALSO, unlike the account password change, parental control password changes send the NEW password to you via the e-mail you registered the controls with.
This is by no means failsafe. Keyloggers evolve and logging parental control access may not be beyond the scope of what they can and will track now or in the near future. But it can be helpful. If you want better security, get the Blizzard Authenticator. However, neither the parental controls nor the Blizzard authenticator will prevent you from getting keylogged, and as stated by the OP, keylogging goes beyond WoW. The Blizz Authenticator won't keep your bank account, email, or other sites safe.
The first step to security is always being proactive, not reactive.
Don't go to sites that aren't safe. Look very carefully at the urls you're going to; links can say one thing and go someplace else or may look ok at first glance but don't be fooled.

______DON'T GO TO THESE EXAMPLE SITES!!!!! THEY ARE CURRENTLY REGISTERED AND ARE NOT LIKELY TO BE SAFE!!!!!______

Someone has registered the domains wworldofwarcraft {note the 2 w's in the second-level domain}, and vvorldofvvarcraft {note, it's V V orld of V V arcraft, not W orld of W arcraft!!} and added subdomains to make them look legit:

ww to make ww.wworldofwarcraft {two W's}
vvvv to make vvvv.worldofwarcraft {four V's}
www to make www.vvorldofvvarcraft {3 W's added to V V orldof V V arcraft}
vvvvvv to make vvvvvv.vvorldofvvarcraft {6 V's}

__________END OF NO-NO LINKS___________

They -look- right, or at least not wrong on a quick glance depending on your font settings, but they are NOT right.
Edited by Baloo on 11/10/2010 10:56 AM PST
Scammers count on people not paying close enough attention to the minor things. Don't fall for it.

Don't give your userid or password to anyone. This should go without saying but people seem to love to share. Blizzard doesn't need it, they won't EVER ask you for it. Your friends/guildmates/roommates/dog can't have them, it is a violation of the rules to give out your account information.

Yeah, yeah, I know you trust them, but it's still against the rules to share accounts and you cannot vouch for how good THEIR computer security is. So it's another good way to get yourself keylogged. Gold sellers/powerleveling services can't have it {see friends-dog} as both those types of services are against the rules and they will only use your account to spam gold selling services/keyloggers and get you banned anyway. Probably after cleaning you out and trying to sell your account to someone else.

Use up-to-date anti-virus, anti-spyware/malware programs and firewalls, keep your entire system updated! You do it for your mods, take the time to do it for everything else, too. That includes Windows update, browser updates, Flash...anything like that can have security loopholes that can be exploited.

Speaking of mods, learn to scan them. Make sure you're getting them from valid sites and scan them anyway. You should also take the time to go through the files by hand. There should be no form of executable file in a standard mod.

Personally, what I like to do is wait for Tuesdays. Update mods when the servers go down, do a scan of the individual mods before I install, then do a full system scan. Servers are down anyway, what else do you have to do? Use the downtime to do all the not-fun stuff, like updating and cleaning your system, defragging, virus & spyware scan. Nothing to lose and tons to gain.

As an extra added layer of security specifically for your World of Warcraft account I highly suggest purchasing a Blizzard Authenticator and linking it to your account. It is a little keychain (they also have an iphone app) that generates a unique, random 8 digit (I believe) ID number that you have to type in when you log into the game, at the same time you type your password. The random number is only used once and will not be repeated, each number is a new, and unique ID number. You can purchase one and get more information about them from the Blizzard Store here:

http://us.blizzard.com/store/details.xml?id=1100000822
(Note, there is a "USA" version and a "Canada, Australia, New Zealand and Latin America" version.)

Well, that about covers it I think. I hope this post saves at least one person from getting keylogged. It's such a shame to see someone's time and hard work just thrown away like that. If anyone has anything further to add to this, please feel free.
Here are some links to other, similar posts in the official Cust. Service forums as well: Thanks Adonos!
Edited by Baloo on 11/10/2010 11:35 AM PST
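Going through a mod's files by hand, as advised above, can be backed up with a quick script. This added example (not part of the original post) lists every file in an add-on folder that is runnable, carries a Windows executable header under another name, or is not a type an add-on normally contains; the file-type lists and the sample folder are assumptions.

```python
import tempfile
from pathlib import Path

# File types a plain add-on folder is expected to hold (assumed allowlist:
# manifest, Lua/XML code, textures, fonts, sounds, notes). Adjust as needed.
EXPECTED = {".toc", ".lua", ".xml", ".txt", ".tga", ".blp", ".ttf", ".ogg", ".mp3"}

# Extensions Windows will run or hand to a script host when double-clicked.
RUNNABLE = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".msi",
            ".dll", ".vbs", ".js", ".jar", ".ps1", ".lnk"}


def scan_addons(root):
    """Return (relative path, reason) for every file that deserves a closer look."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as handle:
            head = handle.read(2)
        ext = path.suffix.lower()
        if head == b"MZ":
            # Windows executables start with "MZ" whatever the file is called,
            # so this also catches a program renamed to look like a picture.
            reason = "executable content (MZ header)"
        elif ext in RUNNABLE:
            reason = "runnable file extension"
        elif ext not in EXPECTED:
            reason = "unexpected file type"
        else:
            continue
        findings.append((path.relative_to(root).as_posix(), reason))
    return findings


def demo():
    """Build a constructed AddOns tree in a temporary folder and scan it."""
    files = {  # constructed sample content, not taken from any real add-on
        "goodaddon/goodaddon.toc": b"## Title: GoodAddon\n",
        "goodaddon/core.lua": b"print('hello')\n",
        "badaddon/badaddon.toc": b"## Title: BadAddon\n",
        "badaddon/setup.exe": b"MZ\x90\x00constructed",
        "badaddon/icon.tga": b"MZ\x90\x00constructed",  # program posing as a texture
        "badaddon/update.bat": b"@echo off\r\n",
        "badaddon/readme.url": b"[InternetShortcut]\r\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan_addons(tmp)


if __name__ == "__main__":
    for rel_path, why in demo():
        print(f"{rel_path}: {why}")
```

Point `scan_addons` at your own Interface\AddOns folder; an empty result means nothing matched these checks, not that the files are clean, so the virus scan is still needed.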
________________________________________
Quote:
Key-Loggers and Computer Security
http://forums.worldofwarcraft.com/thread.html?topicId=1778038509&sid=1
Computer Security Recommendations
http://forums.worldofwarcraft.com/thread.html?topicId=1778038509&sid=1
Account Retrieval Tips and Suggestions
http://forums.worldofwarcraft.com/thread.html?topicId=6762836524&sid=1
Account Compromise Info Center**
http://forums.worldofwarcraft.com/thread.html?topicId=14318909866&sid=1
Fake Emails From "Blizzard Entertainment"**
http://forums.worldofwarcraft.com/thread.html?topicId=965511383&sid=1
________________________________________
Astera
< Game Over > posted a few preferences and comments about Addons:
Gilneas
________________________________________
Quote:
Just wanted to add my 2 copper worth to a great thread!! <3
Some of my favorite programs that I use to protect my computer would be: (some have already been mentioned..)
1. SpyBot Search and Destroy- This is the best spyware remover out there, in my opinion.
2. AdAware-Also a good spyware remover; made by LavaSoft, a reputable company.
3. Comodo Internet Security- Great Anti-Virus and Firewall in one. Has several "modes" that you can use.
There is also a rumor going around (for a while actually) that addons from www.curse.com are the cause of several keyloggers and hacked accounts. While I have personally not experienced this, use caution if you do. Addons can be very helpful when playing. When installing addons, it is always best to manually install it.
***If an addon has a file with the .exe extension, or asks you to install anything, or run anything outside of WoW, then it is not safe! Addons do not have to be installed, just put in the folder! On the curse.com website, they have a detailed list of instructions for manually putting your addons in.***
Addons that I have researched and found to be keyloggers are:
FasterPing (or BetterPing): It is just a keylogger. Don't use it.
(will add more as I find them)
A good website that I have found, that includes links to all of the software that has been listed in this thread is www.100-downloads.com (always, always use caution and download from the original sites. I haven't found a keylogger or virus yet from here, but there is a link that will take you directly to the original site to download.)
And the best way to protect your wow account (not your computer) from keyloggers is to buy a $6.50 Authenticator from the online blizzard store. You may not think wow is that important to protect. I'm here to tell you, from experience, that if you pay your account with a debit card, wow is the least of your worries if you get hacked...
Be safe and have fun! ^_^
________________________________________
Plaguemourne
< Kamikaze > Wanted to emphasize being careful about what websites you go to:
Dethecus
________________________________________
Quote:
What his helpful post was is that keyloggers normally play with legit website's addresses, for an example there is a legit website named www.warcraftmovies.com
A keylogger website might be like..
www.warcraftmoviis.com
I bolded and italicized the two i's in warcraftmoviies.
also it might be www.warcraftm0vies.com
same with YouTube
www.y0utube.com
or
www.youtuube.com
Edited by Baloo on 11/10/2010 11:13 AM PST
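The look-alike names listed in this thread (a zero for an "o", doubled letters, "vv" for "w", one or two swapped letters) can be caught mechanically. The following is an added example, not part of the original posts: it reduces a link to its registered name and compares it with a short list of legitimate sites. The threshold, the extra "1" for "l" swap, the `.example` sample links and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Legitimate sites named in this thread; extend with the sites you actually use.
KNOWN_GOOD = ("worldofwarcraft.com", "warcraftmovies.com", "wowarmory.com",
              "blizzard.com", "youtube.com")

# Character tricks described in the thread: "vv" for "w", zero for "o".
# ("1" for "l" is an extra swap added here as an assumption.)
SWAPS = (("vv", "w"), ("0", "o"), ("1", "l"))
MAX_DISTANCE = 2  # assumed threshold: up to two typos still counts as a lookalike


def registered_domain(link):
    """Split a link into (name, suffix), ignoring scheme, path and subdomains.

    Simplification: the suffix is taken to be the last label (.com, .cn).
    Multi-label suffixes such as .co.uk need a public-suffix list.
    """
    host = urlsplit(link if "//" in link else "//" + link).hostname or ""
    labels = [part for part in host.split(".") if part]
    if len(labels) < 2:
        return (labels[0] if labels else ""), ""
    return labels[-2], labels[-1]


def skeleton(name):
    """Reduce a name to a comparison form: undo swaps, collapse doubled letters."""
    out = name.lower()
    for fake, real in SWAPS:
        out = out.replace(fake, real)
    return re.sub(r"(.)\1+", r"\1", out)


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(link):
    """Return ("known" | "lookalike" | "unknown", matching legitimate domain or None)."""
    name, suffix = registered_domain(link)
    domain = f"{name}.{suffix}"
    if domain in KNOWN_GOOD:
        return "known", domain
    candidate = skeleton(name)
    scored = [(edit_distance(candidate, skeleton(good.split(".")[0])), good)
              for good in KNOWN_GOOD]
    distance, nearest = min(scored)
    if distance <= MAX_DISTANCE:
        # Right-looking name on a domain that is not the real one.
        return "lookalike", nearest
    return "unknown", None


# Constructed sample links: fake names quoted in this thread, placed under the
# reserved .example suffix so that none of them resolves to a real site.
SAMPLES = [
    "http://www.warcraftmovies.com/",
    "http://www.warcraftm0vies.example/clip.jpg",
    "vvvvvv.vvorldofvvarcraft.example",
    "http://worldofworceaft.example/",
    "http://mmosgame.example/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify(sample))
```

An "unknown" result only means the name resembles nothing on the list; it says nothing about whether the site is safe.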
Some Q & A from the original Thread:
Friarbones
< TalmaheRä >
Kirin Tor
What about Macs? Can a keylogger be installed on a Mac as well as PC or is it OS specific?

Macs are MUCH more resilient to malicious software...but that does not mean that they are totally immune. Most malicious programs are OS specific....in other words, they are either written for a Windows computer or a Mac computer, rarely both. It is not as common to find a virus, Trojan, or Keylogger that will infect a Mac, but it can (and has) happened, and seems to be happening more often, the more popular Macs get. So exercising "Safe surfing" practices is always wise regardless of what kind of computer you are running on. It's better to be safe than sorry.
Also, just as an FYI, pretty much anything that has access to a public network has the potential to be hacked or infected with a virus or other nasty things. This includes computers, Cell phones, PDA's, Pocket PC's, Video Game Consoles and I've even heard of a case where someone had their car "Hacked" via a Bluetooth connection.
---------------------------
Carne
< Tyranny >
Coilfang
My account actually got hacked recently so I did a full system scan with my up-to-date virus protection program and it didn't find anything wrong. That doesn't seem right and I'm worried I may still have a key-logger on my computer. What are some more steps I can take to remove it?

If you scanned your computer and nothing was found, there's 2 things you can try. First, go to one of the online scanners that are linked in the original post .... then disable the virus scanner on your local system, and start a fresh scan using the online scanner (you may want to try 2 different scanners to be sure).
Housecall will try to quarantine or delete any corrupted files it finds. The Kaspersky scanner is also very good, but will only show you the path to the infected file if it finds one...you must manually delete the file to get rid of it. I personally would start with the Trend Micro scanner, let it finish, and then scan again using the Kaspersky scanner for a second "opinion."
If that doesn't work, you can reboot your computer into Safe Mode (with Networking) (http://windowshelp.microsoft.com/Windows/en-US/Help/d063548a-3fc9-4723-99f3-b12a0c4354a81033.mspx) which will load Windows using only the absolute minimal set of drivers and files that Windows needs to run stable. This prevents any other programs, settings, or files from loading into memory automatically when Windows starts. Once booted into Safe Mode, go to the online scanners and scan your system as I described above.
If nothing has been found by this point, I'd say you are most likely OK. However, if you are as paranoid as I am with this stuff, you can always network your infected computer (first booted into Safe Mode with Networking of course) with a known clean computer, Share the "C" drive on the infected machine on the network. On the "clean" computer, Map a network drive to the shared "C" drive, and Use an online scanner on the "clean" computer, but make sure the scanner is set to scan the Network drives remotely. This will take longer depending on your connection speeds, but it is pretty effective as well.

If you still can't find anything...I'd say you probably got lucky and are alright. But, keep your eyes open for anything "weird," and be sure to learn from your mistake, and change all your passwords.
----------------------------
Dieburnx
Alexstrasza
The anti-virus (internet security versions) are not supposed to prevent these situations?
________________________________________
Quote:
Kuu
< Slash Win >
Shadow Council
Might want to add the recent trend of ingame mail including keylogger sites. A bunch of us in guild got a message from a toon that has a really similar name to a guild member. In the message, it says something about a promotion video that he made and includes a url link with an .exe extension. While we all picked up on the fact that it was a keylogger, I hope that other people didn't follow that link.
(I don't have the original letter in the mailbox anymore, but it followed standard keylogging format.)
________________________________________
Yes they are, however, in an event such as the one Kuu described...where someone voluntarily executes the keylogger program and allows it to run via an internet link, all of the security in the world won't be able to help you.

Knowledge is the best computer security you can have. If you know what to look for and know the signs of a fake Phishing email, or Keylogger links, you will be much safer while doing anything on the internet in general, not just while playing WoW. That is the point of this thread....to educate those who might not know what to look for, so they don't have to learn their lesson the hard way after it's already too late.
----------------------------
Edited by Baloo on 11/10/2010 11:38 AM PST
Evlhasselhof
< Mal Fortuna Redux >
Kargath
it seems the keyloggers are a bit more hightech, gone are tehsexleg days. now they whisper in game telling us to go to a website for a free trial mount.. and then mah keys would be logged not only that, but the first name was something clever. then it was bliz, bilzze blizpony . basically some raw shiet to snag a kids account

I haven't had the pleasure of experiencing this one yet, but thank you for the heads up!

Blizzard will not whisper anyone in game to promote anything, let alone free mounts! Don't fall for that people! If it seems too good to be true....it usually is.
----------------------------
Deathkíller
< Bushido >
Nordrassil
________________________________________
Quote:
I am glad there are people on the forums like this. Good job man. And also if you did say or if you didn't, one of the best things to protect yourself is to get the blizzard authenticator. It costs $8.00 and is SOO worth it. http://www.blizzard.com/store/details.xml?id=1100000442
________________________________________
----------------------------
Velkyrie
< Vetus Schola >
Tichondrius
________________________________________
Quote:
Copy pasting this from another thread
Hey guys,
If you use a windows based OS and Firefox, and want further protection against keyloggers, I recommend this addon for Firefox (not available for Linux or Leopard etc so far):
https://addons.mozilla.org/en-US/firefox/addon/3383
Enjoy
I personally found this extremely helpful
________________________________________
Nice find Velkyrie, Thank you.
It's a Keyscrambler addon for Firefox, Quoted from the addon's web page:
________________________________________
Quote:
KeyScrambler Personal encrypts your keystrokes at the kernel driver level to protect what you type from keyloggers.
Starting with version 2.0, KeyScrambler protects everything you type into Firefox, including:
* All login forms and dialogs, online shopping, webmail, forums, and more
* The Firefox master password dialog
* URL and search bar
* Other Firefox add-ons and toolbars like RoboForm, Chatzilla, and Sxipper.
________________________________________
This is a great way to add another layer of protection to your web surfing for sure. Just to be clear for those who may not be aware, it will only encrypt your keystrokes for things you type inside the Firefox web browser. Programs like WoW will not be protected from this addon, but as I said, it is a great way to help make your normal web surfing a little bit safer.
------------------------------
Ursula
Perenolde
________________________________________
Quote:
Might want to add the new information about the new Armory and the new scam look-alike sites through search engines such as Google. It's on MMO -

Important - Armory Scams

The new version of the armory is now available on both US and EU armory and a lot of people lost their account because of scammers exploiting the popularity of the armory. The scam is fairly simple, people buy advertising on Google to display ads pointing to fake armory sites when you search for the real one on google.

NEVER, EVER, EVER, EVER use google to access the official site or the armory, just type http://www.wowarmory.com / http://eu.wowarmory.com in your browser and bookmark it if you're lazy and don't want to type it every time.

The armory now requires you to login for a lot of the features introduced with the latest upgrade and you should make sure that you do not do anything stupid when you access it. I don't think you would use google to go to your Account Management page.

If you think you might have been scammed by one of these pages, change your password immediately. If you do not think that you're concerned by this post, change your password immediately because it's always a good idea anyway.
________________________________________
Thank you for the information Ursula. I hadn't heard about those scams yet as the new armory just came out last night. Anyways, you should always do what Ursula said, don't use google, or any other search engine to find the wow armory. I normally just go directly to www.worldofwarcraft.com (have it bookmarked for easy access) and link to the armory directly from the official website only.
------------------------------
Edited by Baloo on 11/10/2010 11:40 AM PST
Update 12/9/09
While I was browsing through the forums I ran across a newly fabricated attempt at logging people's keys with links to pictures of the well known actress Angelina Jolie. Below I have quoted the Keylogger's newest posting, however, I have broken the malicious links but left the file names intact for reference. This quote is directly from the keylogger in question:
________________________________________
Quote:
Angelina Jolie sex on legs <~~~thread title
Angelina Jolie sex on legs
http://...../Angelina/665legsmovie.jpg
http://...../Angelina/343legsmovie.jpg
Angelina Jolie by far the best looking actress in hollywood and in her new film wanted she can only become bigger
________________________________________
Points to take note of:
-Random Topic that has nothing to do with WoW at all.
-Really bad attempts at forming sentences in the English language, severely lacking any punctuation.
-The movie "Wanted" with Angelina Jolie came out June 27, 2008. Not exactly a "new film."

PHISHING EMAILS:

While this is not a Keylogger...it is just as destructive to your account security, and I thought I should put it in this thread so this information doesn't get lost in the depths of the forum archives. Here's a link to the original thread: http://forums.worldofwarcraft.com/thread.html?topicId=16904262904&sid=1
This is an email that was sent to Ntago of the Nathrezim server on his account registered email address:
________________________________________
Quote:
I just got an email from wowaccountadmin@blizzard.com
This is the email:
"It has come to our attention that you are trying to sell/trade your personal World of Warcraft account(s). As you may or may not be aware of, this conflicts with the EULA and Terms of Agreement. If this proves to be true, your account can and will be disabled. It will be ongoing for further investigation by Blizzard Entertainment's employees.
If you wish to not get your account suspended you should immediately verify your account ownership. If the information is deemed accurate, the investigation will be dropped.
This action is taken because we at Blizzard Entertainment take these sales quite seriously. We need to confirm you are the original owner of the account. This is easiest done by confirming your personal information along with concealed information about your account.
You can confirm that you are the original owner of the account by replying to this email with:
Use the following template below to verify your account and information via email.
* First and Surname
* Date of birth
* Address
* Zip code
* Phone number
* Country
* Account e-mail
* Account name
* Account password
* Secret Question and Answer "

I was not trying to sell my account... and I thought a Blizzard employee was not supposed to ask for your password. Is this email a fake?

This email is absolutely a FAKE! Blizzard will NEVER....EVER....EEEEVER ask for your Account Name, Password, or Answer to the secret question in an email....EVER!
Edited by Baloo on 11/10/2010 11:43 AM PST
Edit 8/12/09: Another example Posted by Zanderea of Azjol-Nerub: http://forums.worldofwarcraft.com/thread.html?topicId=19110233085&sid=1
________________________________________
Quote:
A sample of the email is as below:
===============================================================================
From: wowaccountadmin <wowaccountadmin@blizzard.com>
To: youremailaccountname <you@youremail.com>
Sent: Wednesday, August 12, 2009 4:22:30 PM
Subject: World of Warcraft - Account Under Review
Greetings!
It has come to our attention that you are trying to sell/trade your personal World of Warcraft account(s).
As you may or may not be aware of, this conflicts with the EULA and Terms of Agreement.
If this proves to be true, your account can and will be disabled. It will be ongoing for further investigation by Blizzard Entertainment's employees. If you wish to not get your account suspended you should immediately verify your account ownership. If the information is deemed accurate, the investigation will be dropped. This action is taken because we at Blizzard Entertainment take these sales quite seriously. We need to confirm you are the original owner of the account.
This is easiest done by confirming your personal information along with concealed information about your account. You can confirm that you are the original owner of the account by replying to this email with:
Use the following template below to verify your account and information via email.
* First and Surname
* Date of birth
* Address
* Zip code
* Phone number
* Country
* Account e-mail
* Account name
* Account password
* Secret Question and Answer
-Or-
WoW CD-Key
Show * Please enter the correct information If you ignore this mail your account can and will be closed permanently. Once we verify your account, we will reply to your e-mail informing you that we have dropped the investigation. We ask you to NOT change password until the investigation is fully completed.
Blizzard Entertainment Inc
Account Administration Teamaa
P.O. Box 18979, Irvine, CA 92623
Regards,
Account Administration Team
Blizzard Entertainment
2009-08-12
--------------------------------------------------------------------------------
wowaccountadmin
================================================================================
The sample header of the email is as follows:
================================================================================
From wowaccountadmin Wed Aug 12 01:22:30 2009
X-Apparently-To: you@youremail.com via 206.190.58.142; Wed, 12 Aug 2009 01:23:51 -0700
Return-Path: <andi_holly@hotmail.com>
X-Originating-IP: [65.55.111.80]
Received: from 65.55.111.80 (EHLO blu0-omc2-s5.blu0.hotmail.com) (65.55.111.80)
by youremailserver Wed, 12 Aug 2009 01:23:51 -0700
Received: from BLU0-SMTP44 ([65.55.111.73]) by blu0-omc2-s5.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Wed, 12 Aug 2009 01:23:11 -0700
X-Originating-IP: [117.18.100.174]
X-Originating-Email: [andi_holly@hotmail.com]
Message-ID: <BLU0-SMTP440870C7C06978E2A8E508EC040@phx.gbl>
Return-Path: andi_holly@hotmail.com
Received: from ykz-20090603CUA ([117.18.100.174]) by BLU0-SMTP44.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959);
Wed, 12 Aug 2009 01:23:10 -0700
Date: Wed, 12 Aug 2009 16:22:30 +0800
From: "wowaccountadmin" <wowaccountadmin@blizzard.com>
Reply-To: wowaccountadmim@vip.**#@@!*
To: "youremailaccountname" <you@youremail.com>
Subject: World of Warcraft - Account Under Review
X-mailer: Foxmail 6, 15, 201, 21 [cn]
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="=====003_Dragon574264227113_====="
X-OriginalArrivalTime: 12 Aug 2009 08:23:10.0621 (UTC) FILETIME=[20C8ACD0:01CA1B26]
Content-Length: 5954
================================================================================
Please note that I have bolded the parts to take note of.
Regards,
Zanderea
Edited by Baloo on 11/10/2010 11:44 AM PST
8/12/09: Alliepooh from Lightbringer Server posted this one he received recently:
http://forums.worldofwarcraft.com/thread.html?topicId=19110027944&sid=1
________________________________________
Quote:
Below is the email I received this morning. Please, if you received this type of email, don't reply to it. If you check closely the email address within < > it is not blizzard.com.
------------------
2009/8/12 wowaccountadmin@blizzard.com <wowaccountadmin@blizzarid.com>
Greetings!
It has come to our attention that you are trying to sell/trade your personal World of Warcraft account(s).
As you may or may not be aware of, this conflicts with the EULA and Terms of Agreement.
If this proves to be true, your account can and will be disabled. It will be ongoing for further investigation by Blizzard Entertainment's employees.
If you wish to not get your account suspended you should immediately verify your account ownership. If the information is deemed accurate, the investigation will be dropped.
This action is taken because we at Blizzard Entertainment take these sales
quite seriously. We need to confirm you are the original owner of the account.
This is easiest done by confirming your personal information along with concealed information about your account. You can confirm that you are the original owner of the account by replying to this email with:
Use the following template below to verify your account and information via email.
* First and Surname
* Date of birth
* Address
* Zip code
* Phone number
* Country
* Account e-mail
* Account name
* Account password
* Secret Question and Answer
-Or-
WoW CD-Key
Show * Please enter the correct information
If you ignore this mail your account can and will be closed permanently. Once we verify your account, we will reply to your e-mail informing you that we have dropped the investigation.
We ask you to NOT change password until the investigation is fully completed. Only the Account Administration department can address disputes or questions you may have about this account action. To learn more about how we are able to assist you, please visit us at http://us.blizzard.com/support/article/21505.
Regards,
Lanhelly
Account Administration
________________________________________
________________________________________
Quote:
Greetings!
This is an automated notification regarding the recent change(s)
made to your World of Warcraft account. Your password has recently been modified
through the Password Recovery website. *** If you made this password change, please disregard this notification. However, if you did NOT make changes to your password
we recommend you Login verify your password: worldofwcrcraft ****NOTE: URL BROKEN, SEE BELOW FOR DETAILS
If you are unable to successfully verify your password .using the automated system, please contact Billing & Account Services at 1-800-59-BLIZZARD (1-800-592-5499) Mon-Fri, 8am-8pm Pacific Time or at billing@blizzard.com.
Account security is solely the responsibility of the account holder. Please be advised that in the event of a compromised account, Blizzard representatives typically must lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.
Regards,
The World of Warcraft Support Team Blizzard Entertainment
________________________________________

***NOTE: Notice the website name that was linked in this fake email. It is very similar to the official Worldofwarcraft website except the word "warcraft" in the URL is spelled wrong....."wcrcraft"***

Thanks Galandorian of Blackwater Raiders

These emails can also come through the in-game mail system from a character with a name similar to, but slightly different from, someone who is actually in your guild. These emails typically will say something about a guild promotion video and will include a link to an executable file (some_file_name.exe) on some random website...this is a keylogger! Pay very careful attention to the name of the person who sent you the email; chances are it is not actually who you think it is. Thanks Kuu for the info.

If anyone gets an email from "Blizzard" asking to "verify your account" and asks for one of those three things...that is a telltale sign that it is a fake email, and Red Flags should be flying. DO NOT RESPOND TO THIS EMAIL!!!! No matter how official it looks....it simply is NOT LEGIT. These fake emails should be forwarded immediately to hacks@blizzard.com. If you have any doubts, contact Blizzard's Billing and Account Department directly BEFORE taking any action.
Edited by Baloo on 11/10/2010 11:31 AM PST
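The header mismatch in Zanderea's sample (a blizzard.com From line with a hotmail.com Return-Path and X-Originating-Email) and the look-alike sender address in Alliepooh's sample (blizzarid.com) can both be checked mechanically. The Python below is an added example, not part of the original thread or any Blizzard tooling; the function names and the TRUSTED allow-list are assumptions, and the sample input is a constructed subset of the header lines quoted above.

```python
import re
from email import message_from_string

# Constructed input: a subset of the header lines quoted in the thread above.
# The Reply-To line is censored on the page, so it is left out.
SAMPLE_HEADERS = (
    "Return-Path: <andi_holly@hotmail.com>\n"
    "X-Originating-Email: [andi_holly@hotmail.com]\n"
    'From: "wowaccountadmin" <wowaccountadmin@blizzard.com>\n'
    'To: "youremailaccountname" <you@youremail.com>\n'
    "Subject: World of Warcraft - Account Under Review\n\n"
)
# From line of the third sample email: the trusted address is only a display name.
SAMPLE_FROM = "wowaccountadmin@blizzard.com <wowaccountadmin@blizzarid.com>"

# Assumption: the reader's own allow-list of sender domains.
TRUSTED = {"blizzard.com", "battle.net", "worldofwarcraft.com"}
ENVELOPE_HEADERS = ("Return-Path", "Reply-To", "X-Originating-Email")


def split_from(value):
    """Split an address header value into (display_name, real_address)."""
    m = re.search(r"<([^<>]*)>\s*$", value)
    if m:
        return value[:m.start()].strip().strip('"'), m.group(1).strip().lower()
    return "", value.strip().strip("[]").lower()


def domain(addr):
    """Domain part of an address, or '' when there is no '@'."""
    return addr.rpartition("@")[2] if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-letter-off domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(dom, trusted=TRUSTED, max_dist=2):
    """Return the trusted domain that dom imitates, or None."""
    if not dom or dom in trusted:
        return None
    for good in sorted(trusted):
        if edit_distance(dom, good) <= max_dist:
            return good
    return None


def check_headers(raw, trusted=TRUSTED):
    """Return a list of (check, detail) findings for one message's headers."""
    msg = message_from_string(raw)
    name, addr = split_from(msg.get("From", ""))
    from_dom = domain(addr)
    findings = []
    fake = lookalike(from_dom, trusted)
    if fake:
        findings.append(("lookalike-domain", f"{from_dom} imitates {fake}"))
    # A display name that is itself an address at another domain hides the real sender.
    shown = domain(split_from(name)[1]) if "@" in name else ""
    if shown and shown != from_dom:
        findings.append(("display-name-spoof", f"shows {shown}, sends as {from_dom}"))
    for header in ENVELOPE_HEADERS:
        for value in msg.get_all(header, []):
            other = domain(split_from(value)[1])
            if other and other != from_dom:
                findings.append(("sender-mismatch", f"{header} is {other}, From is {from_dom}"))
    return findings


if __name__ == "__main__":
    for raw in (SAMPLE_HEADERS, "From: " + SAMPLE_FROM + "\n\n"):
        for check, detail in check_headers(raw):
            print(check, "-", detail)
```

A Return-Path that differs from From also occurs in legitimate bulk mail, so treat sender-mismatch as a reason to look closer rather than as proof on its own.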
________________________________________
Quote:

I am not sure, entirely, that this is what's happening. But, I keep getting private whispers telling me to go to a certain site for a special mount. The first thing they want is your login and password. Last night I started getting a private whisper, (supposedly from a GM), telling me my account was closed, (while in game), and to go to a website and talk to Blizz. STAY AWAY FROM THESE SITES ! ! ! ! I was wondering Blizzard, is there a way to stop this??
________________________________________


Thank you Greyel of Kirin Tor server
-->It seems that the newest thing is for a "Representative of Blizzard," Someone posing as a GM in game will whisper you in game, and tell you that you've won a mount and to claim it you must go to a website and log in with your WoW account name and password to claim it.

-->A second scenario is that this person posing as a GM will say that your account was closed by blizzard and you have to log in to some unofficial website with your WoW account information to speak with a GM about it.

Both of these scenarios are attempts at stealing your account access information! You should immediately "Report Spam" these people. This can be done by simply right clicking on the name of the person who sent you these whispers and selecting "Report Spam," they will also automatically be added to your "ignore" list to prevent any further communication with them.
---------------------------------------------------------------------------------------

Thank you to Vizionz of the Mannoroth server for posting this one.

Take note of the bad use of punctuation in the second paragraph. Also, Blizzard will NEVER, EVER ask you for your password, or the answer to your secret question. They also say themselves that they won't make statements with such a blatant lack of style, as noted in the examples here:

http://us.battle.net/security/types.html#phishing
________________________________________
Quote:
Is this legit or not, I can sign in fine, but I just wanted to make sure, like if it was pending or something... Sorry if this is noobish to ask.. by the way it came in my email and the sender email was noreply@blizzard.com

---------

World of Warcraft -> Legal -> End User License Agreement and Section 8 of the Terms of Use: Blizzard Entertainment -> Legal -> Terms of Use A 3-hour probationary suspension is pending on this account, awaiting confirmation from a specialist. A final warning has been issued. The investigation will be continued by the Account Administration team to determine the any further suspensions. If the account in question is found in violation of the EULA and Terms of Use, further action will be taken. Be aware that any additional inappropriate actions may result in the permanent closure of the account. Thank you for respecting our position on this matter. ==================================================================================================================
** We request that you verify your legitimate ownership of the account here:

<removed>
Blizzard staff will verify your account information submitted in two days, please do not modify your account information during this time . It will not affect your game uptime.If you are unable to successfully verify your password .using the automated system, please contact Billing & Account Services at 1-800-59-BLIZZARD (1-800-592-5499) Mon-Fri, 8am-8pm Pacific Time or at billing@blizzard.com. Account security is solely the responsibility of the account holder. Please be advised that in the event of a compromised account, Blizzard representatives typically must lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.
Regards,
The World of Warcraft Support Team Blizzard Entertainment
UPDATE! 4/29/2010

Last night when I logged on to my guild vent, there was a conversation going on about getting hacked, so my ears perked up. Apparently what happened was our main tank had his account hacked, his gold stolen, much of his bank cleaned out (including on alts, plus his 4 80's). Plus there were some other oddities that didn't make much sense. All of his characters were left with between 20g-80g and his BOA gear was deleted along with SOME (not all) of his tier gear and other non-vendorable items. Another strange thing was that the hacker did not touch anything in the guild bank at all, despite having officer status/bank access permissions at the time of the hacking.

Here's the kicker....the account that was hacked **HAS AN AUTHENTICATOR** on it. So we started doing some investigating and here's what we found:

Our Guild member who was hacked had a new "Droid" Smartphone, and he had the Blizzard Mobile Authenticator on it for his account. Well our guildy took his phone to his provider where they scanned it and found a virus on his phone. Apparently what happened was this: Our guildy was accessing his BANK STATEMENTS on his bank web site via his smartphone. While the communications port on the phone was open during the download from the bank website, his phone was compromised wirelessly and a virus was installed on it which cloned his SIM Card as well as took a system "Snapshot" of everything on his phone including his bank account number, how much he has in his account and all the apps he had on his phone including a cloned copy of the Mobile Authenticator, which was then used to generate a code to access his WoW account.

The good news is that his bank account passwords were not compromised and his money wasn't stolen (although it could have easily been). This attack was purely targeted at WoW information, but could have easily been A LOT worse. Also, his phone provider gave him a whole new phone and SIM Card after they extracted his address book to save his numbers. Our guildy is currently working with Blizzard to get his account restored and all of his stuff back.

So Beware of using the Mobile Authenticator on your Smartphones, as they are not nearly as secure as most people think they are. I would suggest using the actual stand alone keyfob authenticator code generator that blizzard also has available. Then again, apparently those keyfobs are made in China from what I have heard from people who have them...so those may or may not even be "secure."

edit 4/30: Apparently there's more to this story, the phone wasn't hacked during the download from the bank. The guildy in question frequently visited sites such as WoWArmory, Wowhead, Thottbott, and other similar sites via his smartphone and picked up the virus somewhere along the way, possibly from an advertisement on one of the sites. Then when he accessed his bank statements online and the phone was allowed to connect to the internet again is when all of the cloned information was transmitted to the thief. Accessing his bank online just allowed the transmission to take place after the internet connection was established.

Be Careful out there folks! This kind of thing really sucks to deal with and is very violating.
UPDATE: 5/9/2011

A few days ago I received an email that looked almost like a legitimate email from Blizzard informing me that the email address associated with my Battle.net account had been changed and was pending approval...Make no mistake, this is indeed a fake phishing email trying to steal my account login information by using a "scare tactic" to make me think that my account has already been compromised when it actually hasn't.

Battle.net Account - E-mail Address changed
On: May 05/07/11 4:12 PM
WoWAccountAdmin@blizzard.com

Hello,

Blizzard Entertainment recently received a request to change the e-mail address used to log in to the Battle.net account with the username <my email address here>. The e-mail address a***@hotmail.com has been specified as the new username for this Battle.net account. An email has been sent to this new address containing a verification link to complete the change.

Once the new address has been verified, the e-mail address <my email address here> can no longer be used to log in to this Battle.net account or any World of Warcraft accounts merged with this Battle.net account.

If you did not initiate this request,please click here(bad link here) to contact the Billzzard Billing & Account Services team immediately.

sincerely,
The Battle.net Account Team
Online Privacy Policy


First notice that the email address that my account was supposedly changed to is "censored" using stars, but every other email address listed in the message was written out completely with a clickable "mailto:" link as well.

Second the link "(bad link here)" that I removed, was actually a link to a website that looked like a WoW account login webpage, but in fact was a redirect to a fake page on a URL based out of Tokyo. Simply by putting the mouse over the link (but NOT clicking it) allowed me to see where the link really pointed to....which was a website with a ".tk" suffix.

Third, when I looked at the message headers, I could see that this email was originally sent from a Hotmail email account based in Italy.

Finally note in the last sentence how the bolded/underlined word is spelled.
Edited by Baloo on 5/9/2011 12:48 PM PDT
Last one....Transferred from the old Forum. If it gets stickied again, great. If not, then I promise I won't be upset, because I was hesitant to transfer it over in the first place. :-P I did my best to keep the format and layout the same, but some of the pages had to be edited so they would fit......I think the character limit allowed per post was lowered from the old forum, and the formatting seems to be kinda funky chicken.
Edited by Baloo on 11/10/2010 11:56 AM PST
Stickied again, Baloo. Nice work.
85 Human Warrior
2640
Good to see this thread get restickied
Reply Quote
85 Tauren Paladin
2920
Good post, and very important. But I should say (as an IT professional) that the antivirus programs you linked in the original post are NOT the best way to beat keyloggers. Most keylogging programs fall under the category of 'spyware' or 'malware' and modern antivirus programs like AVG and Trend Micro overlook these completely.

To get rid of things like keyloggers and adware your best (free) bet is to run Spybot Search and Destroy or Malwarebytes Anti-Malware. Generally I prefer Spybot as a passive defense as it has a great 'immunizer' program that proactively protects your computer and if I'm seeing some possible malware related problems I install Malwarebytes Anti-Malware as a temporary scanner (since the active scanner is more powerful on that program).

I'm just going to reiterate that a 'traditional' antivirus (like Trend Micro etc..) is still important, but in order to be secure you still need to run an anti spy/malware program in tandem along with regular password changes. I don't have enough time to go into proper password security but one main thing is NEVER EVER use the same password for your email as you do for your Warcraft login. (or any forum accounts. And I mean never!!) If you do have the same email password as Warcraft password, and you do have the misfortune of being hacked, the hacker can (easily!) take your entire account by changing your account password and can also sometimes steal your email account!

*edit: I see that further down you clarified the OP quite a bit (including mention of Spybot SD). Very nice work, great thread!
Edited by Raygecow on 12/1/2010 11:46 AM PST
80 Dwarf Priest
2365
Today we got an in-game whisper from Blizzard (with funny symbols above the letter) saying that due to complaints from other players, we had one hour to validate our information at a web address other than WoW before the account is closed.
The help section (red question mark in-game) says all messages will have the blue Blizzard symbol by the name.