*Compromised accounts* Potential Trojan

100 Night Elf Hunter
6705
So, are we safe now?
100 Blood Elf Hunter
18235
I am just at a complete loss right now. I had my account set to always require an authenticator and SMS Protect (with notifications), and was hacked yet again while at work, so no one else had access to my authenticator. SMS Protect and the authenticator were removed. I just checked after turning it back on, and if I want to remove SMS Protect it says a verification text will be sent to the registered mobile number. However, one wasn't sent when I was hacked and it was turned off.

Just looked, and they are using the web chat and ticketing system in both EU and US to make changes to SMS and then using that to remove the authenticator.


From a PC you know to be free of malware, change your email password, because hackers often get into that too. Check it for forwarding as well; sometimes hackers set up forwarding to prevent you from seeing Blizzard mail.

Once you get control of your account, from a clean computer, change your Battle.net password again now that the PC is clean.

Create a new email that you use ONLY for Battle.net and switch to it. Gmail is great because you can put two-factor authentication on it and prevent hackers from logging in without a code.

If you still have a problem after that, then it most likely means there is an ownership dispute about the account, in which case you may be a victim of ID theft. You need to check and lock down all of your personal and financial information. If it spreads to other parts of your personal and financial life, you may need to file a police report. Blizzard will cooperate with the authorities in the matter.
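The advice above to check the mailbox for forwarding is worth turning into a repeatable check, since a forwarding or auto-trash rule is how an intruder keeps the victim from seeing Blizzard's security notifications. The script below is an added example for this thread, not code from the original post or from Blizzard. It reads a Gmail filter export (Settings > Filters and Blocked Addresses > Export), which is an Atom feed whose `<entry>` elements carry `<apps:property>` name/value pairs, and flags any filter that forwards mail or that archives/trashes/marks-read mail whose criteria mention a security-related sender or keyword. The sample feed is constructed for the example, and `SENSITIVE_TERMS` is an assumed list you should adapt to the senders you care about.

```python
"""Audit an exported Gmail filter list for rules that divert or hide
account-security mail.

Added example; not from the original post or from Blizzard. The sample
export below is constructed, and SENSITIVE_TERMS is an assumption.
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Criteria mentioning one of these are treated as touching security mail.
SENSITIVE_TERMS = ("blizzard", "battle.net", "authenticator", "password",
                   "verification", "security")
# Actions that keep a matching message out of sight in the inbox.
HIDE_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")
CRITERIA_FIELDS = ("from", "to", "subject", "hasTheWord")

# Constructed sample export: one benign filter and two of the kind an
# intruder plants to keep Blizzard mail away from the victim.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='noreply@blizzard.com'/>
    <apps:property name='forwardTo' value='mailbox@attacker.example'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='hasTheWord' value='battle.net authenticator'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return one {property_name: value} dict per filter <entry>."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value")
                 for p in entry.iter(APPS + "property")}
        filters.append(props)
    return filters


def audit_filters(filters, sensitive_terms=SENSITIVE_TERMS):
    """Flag filters that forward mail anywhere, or that hide mail whose
    criteria mention a security-related term. Returns a list of findings."""
    findings = []
    for props in filters:
        criteria = " ".join(props.get(f, "") for f in CRITERIA_FIELDS).lower()
        reasons = []
        # Any forwarding rule is worth a look: you should recognise every
        # address your mail is copied to.
        if props.get("forwardTo"):
            reasons.append(f"forwards to {props['forwardTo']}")
        hides = [a for a in HIDE_ACTIONS if props.get(a) == "true"]
        if hides and any(t in criteria for t in sensitive_terms):
            reasons.append("hides security mail via " + ", ".join(hides))
        if reasons:
            findings.append({"criteria": criteria.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_filters(parse_filters(SAMPLE_EXPORT)):
        print(f"SUSPICIOUS filter on [{f['criteria']}]: " + "; ".join(f["reasons"]))
```

Run it against your own export rather than the embedded sample; a filter you did not create that forwards anywhere, or that trashes mail from your game or identity provider, should be deleted from a clean machine before you change passwords, otherwise the reset mail goes to the attacker too.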
1 Undead Rogue
0
I am just at a complete loss right now. I had my account set to always require an authenticator and SMS Protect (with notifications), and was hacked yet again while at work, so no one else had access to my authenticator. SMS Protect and the authenticator were removed. I just checked after turning it back on, and if I want to remove SMS Protect it says a verification text will be sent to the registered mobile number. However, one wasn't sent when I was hacked and it was turned off.

Just looked, and they are using the web chat and ticketing system in both EU and US to make changes to SMS and then using that to remove the authenticator.


What browser do you use to surf the web? I ask because, if you read through this post, you will see I have had the exact same thing happen to me. I haven't been able to find the trojan, sadly, but I'm convinced it's there.

Here's what you need to do (or at least what worked for me):

1) Assume your computer is utterly compromised. I don't care how many times you've scanned it; this thing is not detectable. If you do anything on Battle.net through that computer, assume it is going straight to the hackers.

2) Call Blizzard when they open. My experience tells me that you need to talk to a live person. Unfortunately, the recent push to live chat has really opened the door to this hack. It's part hack, part social engineering. Try to be at a device that you _know_ is secure (remember, it's NOT your computer). If your case is anything like mine, it's much better to be talking to someone live.

3) Have Blizzard get you back control of your account and have them change the e-mail address. Create a new Gmail account that you will only use for login. Bonus points if you force it to SMS text your phone for added security. Change your password and change your secret question/answer. You will have to do the last via computer, since I don't think the GM can type in the answer. Don't use your (compromised) computer to do this.

4) Now you need to fix your computer. How? Beats me. The only reason I haven't been hacked a bunch more times is because I stopped using the suspect computer.

These guys will abuse the ticket system over and over and over and over and over again. For some reason that I don't understand, it's not the least bit suspicious to Blizzard when someone submits 20+ tickets for the same thing over and over again in a 24-hour time span. 95% of them are cancelled, but it only takes the one "helpful" GM to give control back to the hacker. The problem is that, if your case is like mine, they have a lot of your information. You have to fix that. In my case, I had to speak with someone from both EU and US support on the phone and have RED flags put all over my account.

Best of luck to you and, as always, if anyone has any thoughts as to how to scan for this malware, I'd love to hear it. I've done nearly everything, with and without WoW open and username and password typed in.
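The pattern the post above describes, many cancelled recovery requests for one account through chat and tickets in two regions until one is approved, is a velocity signal a support platform can detect before the "helpful" approval happens. The script below is an added example for this thread; it is not from the original post and is not Blizzard's tooling. It parses a constructed request log (the field layout of timestamp, region, channel, account id, request type and outcome, and the thresholds, are assumptions) and raises one alert per account whose densest 24-hour window holds more than `MAX_REQUESTS` security-change requests, noting whether an approval followed earlier cancellations of the same request type.

```python
"""Flag bursts of account-recovery requests for one account across
support channels and regions.

Added example; not from the original post and not Blizzard's tooling.
The log lines are constructed, and the field layout and thresholds are
assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
MAX_REQUESTS = 3   # more than this per account per window is a burst
SECURITY_CHANGES = {"remove_sms", "remove_authenticator",
                    "change_email", "reset_password"}

# Constructed sample: acct-7f3a is hammered through chat and tickets in
# two regions until requests get approved; the other accounts are normal.
SAMPLE_LOG = """\
2014-01-09T01:02:11Z EU chat   acct-7f3a remove_sms           cancelled
2014-01-09T02:41:05Z US ticket acct-7f3a remove_sms           cancelled
2014-01-09T06:17:52Z EU ticket acct-7f3a remove_authenticator cancelled
2014-01-09T09:30:00Z US chat   acct-22b1 reset_password       approved
2014-01-09T13:55:19Z US chat   acct-7f3a remove_sms           cancelled
2014-01-09T20:08:44Z EU chat   acct-7f3a remove_sms           approved
2014-01-09T20:12:03Z EU chat   acct-7f3a remove_authenticator approved
2014-01-07T10:00:00Z US ticket acct-c901 reset_password       approved
2014-01-09T10:00:00Z US ticket acct-c901 change_email         approved
2014-01-11T10:00:00Z US ticket acct-c901 reset_password       approved
"""


def parse_log(text):
    """Parse whitespace-separated request records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, region, channel, account, req_type, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "region": region, "channel": channel, "account": account,
            "type": req_type, "outcome": outcome,
        })
    return events


def find_bursts(events, window=WINDOW, max_requests=MAX_REQUESTS):
    """Return one alert per account whose densest `window` holds more
    than `max_requests` security-change requests."""
    by_account = defaultdict(list)
    for e in events:
        if e["type"] in SECURITY_CHANGES:
            by_account[e["account"]].append(e)

    alerts = []
    for account, evs in sorted(by_account.items()):
        evs.sort(key=lambda e: e["ts"])
        # Sliding window over the sorted events: for each end index,
        # advance start until the span fits, remembering the densest span.
        start, best = 0, (0, 0, 0)  # (count, start, end)
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, start, end)
        count, s, e = best
        if count <= max_requests:
            continue
        burst = evs[s:e + 1]
        # An approval after cancellations of the same request type inside
        # the burst is the one-agent-says-yes failure the post describes.
        seen_cancelled = set()
        approved_after_cancel = False
        for ev in burst:
            if ev["outcome"] == "cancelled":
                seen_cancelled.add(ev["type"])
            elif ev["outcome"] == "approved" and ev["type"] in seen_cancelled:
                approved_after_cancel = True
        alerts.append({
            "account": account,
            "requests": count,
            "regions": sorted({ev["region"] for ev in burst}),
            "channels": sorted({ev["channel"] for ev in burst}),
            "approved_after_cancel": approved_after_cancel,
        })
    return alerts


if __name__ == "__main__":
    for a in find_bursts(parse_log(SAMPLE_LOG)):
        print(f"ALERT {a['account']}: {a['requests']} security-change requests "
              f"in 24h via {'/'.join(a['channels'])} in {'/'.join(a['regions'])}; "
              f"approved after earlier cancellation: {a['approved_after_cancel']}")
```

The point of keying on the account rather than on the channel or region is exactly the gap the post describes: each regional queue sees a handful of requests and cancels most of them, while the account as a whole is being worked by an attacker who only needs one approval. A rule like this should put a hold on further security changes for the account, rather than just a log line.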
90 Human Paladin
14440
I have never used the Curse client; I just manually download every single addon from Curse when there is an update. Am I at risk too?
100 Pandaren Warrior
7655
if anyone has any thoughts as to how to scan for this malware, I'd love to hear it...I've done nearly everything with and without WoW open and username and password typed in.


Try Norton Power Eraser. It is an aggressive antivirus program developed by Symantec that is designed to dig deep and target the files that allow the virus to continue to attack. It is aggressive because it targets infected files, no matter how important they may be to your computer. If an important file is indeed infected, you will be able to set a restore point just in case the file is of importance.

I don't know how effective this will be for you if you decide to use it, but I've used it to get rid of numerous trojans, worms, and rootkits on my computer in the past. My regular Norton scanner picked nothing up, but NPE did.
90 Dwarf Warrior
6450
Well, seeing as every thread relating to RAF is locked and I cannot open a ticket about it, nor can I contact support, I am forced to post on here and hope I get help. I went through the entire RAF process with my brother (extra XP, summon friend, etc.), so our accounts ARE linked. I went and upgraded his account fully to MoP (ran me 40 bucks) on top of a 60-day time card! I did everything I was supposed to do and have yet to receive my game time OR my mount. I am getting agitated at the lack of service. I have been a faithful customer for YEARS and have ALWAYS filled out my surveys with great appreciation for the service I received. I have an open ticket with a 3-day wait time, and it has been over a week since we upgraded his account. Did I just get the boot, and oh well, 40 bucks out the window?!
I have never used the Curse client; I just manually download every single addon from Curse when there is an update. Am I at risk too?


That's about the safest you're going to be against this attack. From everything that's been gathered, the trojan is the fake Curse Client from the fake Curse site. Still, practice safe Internet etiquette and scan your computer often.
100 Draenei Shaman
10605
01/09/2014 04:33 PM Posted by Morohtar
I had my account set to always require an authenticator, sms protect (with notifications), and was hacked yet again while at work


I know you posted this 18 hours ago, but still... For you, specifically, I would be highly suspicious of that work computer. Does your company have any kind of internet access monitoring in place?
90 Worgen Druid
9190
One of the best free solutions for doing that is actually COMODO.

I encourage people to look into it.


According to this report, https://www.virustotal.com/en/file/850dc3ebb2437edaf3352eee79ee704cdb881779684c2128f1f07d8dd79c0344/analysis/ , Comodo will report a clean system. This was as of the 9th of January.
90 Tauren Druid
7390
Hi guys, Malwarebytes rep here! :)

Our research team has been ruthlessly hunting down every variant we can find of this and locking it down. Malwarebytes Anti-Malware with updated definitions should detect any variants of this particular trojan. Simply run a Quick Scan after updating the database, and select to Quarantine the trojan once it is found.

If for some reason Malwarebytes Anti-Malware is still not detecting this (or anything you feel should be detected) after you've run a scan, please send it to us here: https://forums.malwarebytes.org/index.php?showforum=51

Thanks!
49 Dwarf Warrior
9420
Is this just something that has happened recently or should I uninstall the curse client that I installed when I started playing a couple of years ago?
100 Blood Elf Hunter
18235
Is this just something that has happened recently or should I uninstall the curse client that I installed when I started playing a couple of years ago?


This was a recent attack that mainly happened over the holidays. It mainly affected players with new or recently reformatted systems who went to a fake/spoofed Curse addon site and downloaded a fake Curse Client.

The last time this happened, 4 years ago, it mainly involved players who hadn't or couldn't update their firewalls, and who went to a fake/spoofed WoWMatrix site and downloaded a fake WoWMatrix client.

So since you downloaded your copy of the Curse client a couple of years ago, you should be OK. Just be sure not to simply click on a Google link, and make sure you are going to the real Curse web site when downloading new addons.
Edited by Ewing on 1/15/2014 8:31 PM PST
49 Dwarf Warrior
9420
thank you
Support Forum Agent
Hi guys, Malwarebytes rep here! :)

Our research team has been ruthlessly hunting down every variant we can find of this and locking it down. Malwarebytes Anti-Malware with updated definitions should detect any variants of this particular trojan. Simply run a Quick Scan after updating the database, and select to Quarantine the trojan once it is found.


Many thanks for the update! We appreciate that your company and many other companies in the security community have worked hard to defeat this high-tech nuisance.

I was going to make a pun about Tauren druids and cybersecurity, but I think I'll leave that "potential" to the community. :)
This topic is locked.
