Unauthorised purchases from AH

90 Orc Warrior
16640
My account within the past few days has had 3 unauthorized purchases from the AH.

135,423 gold
19,660 gold
53,142 gold

the items purchased were 2 brawler white quality items and a white quality level 1 axe.

I have an authenticator and a relatively difficult password.

What could have happened, and what recourse do I have? Will I ever see my gold again?
90 Goblin Warlock
4660
My account within the past few days has had 3 unauthorized purchases from the AH.

135,423 gold
19,660 gold
53,142 gold

the items purchased were 2 brawler white quality items and a white quality level 1 axe.

I have an authenticator and a relatively difficult password.

What could have happened, and what recourse do I have? Will I ever see my gold again?


Somebody with access to your password and authenticator is gaining access to your account.

If you believe your account has been compromised, report it by opening a support ticket. Please understand that if your account was accessed from a normal location, the likelihood of your gold being returned is nearly zero.

Specific item names might be helpful. Be sure you change the registered email and password and tell NOBODY of the change.
8 Orc Hunter
0
Do you have the remote AH/Armory app on a smart phone?

It's possible you've picked up malware on your phone...

If that's not the case, and you have an authenticator on your account - the likelihood of you getting your gold back is extremely slim - because the likelihood of you actually being compromised with an authenticator on your account is so limited it's almost impossible. (There are theoretical cases, but none documented in regards to WoW.)

Open a ticket, and Blizzard will investigate the actions taken by the account.

Be aware, they check a number of things... login patterns, IP addresses, chat logs, trades...
12 Blood Elf Priest
30
If you have an authenticator, my guess is that you gave somebody your password (a friend, a family member?) and they unfortunately took advantage of that trust by stealing from you.

Either way, I recommend filing a ticket. Blizzard can follow the money trail and see where it goes. As for seeing your gold again, that almost certainly depends on what they find when they look into it.
90 Orc Warrior
16640
I tell nobody my password (and it's a pain in the !@#$ password, different from all other systems I have)

I have an authenticator

I have the mobile armory app, on iPhone.

items that were purchased from the AH:
Brawler's Vest - 135,423g
Brawler's Pants - 19,660g
Worn Battleaxe - 53,142g

3 of my high level chars on the one server were hit.

The items are still in my mailbox, no way am I taking them. The person who was selling all 3 items... <<NAME EDITED OUT>>, a level 1 char on Barth.

A ticket has been raised, but wanted the community's feel for how likely it would be to get my gold back. After speaking with a rep, I'm likely going to disable the remote armory app.
Edited by Abidah on 6/22/2013 4:55 AM PDT
90 Human Paladin
14135
If you have an authenticator, my guess is that you gave somebody your password (a friend, a family member?) and they unfortunately took advantage of that trust by stealing from you.

Either way, I recommend filing a ticket. Blizzard can follow the money trail and see where it goes. As for seeing your gold again, that almost certainly depends on what they find when they look into it.


I agree, sounds like one of the people who he shares the account with bought the stuff.
90 Orc Warrior
16640
If you have an authenticator, my guess is that you gave somebody your password (a friend, a family member?) and they unfortunately took advantage of that trust by stealing from you.

Either way, I recommend filing a ticket. Blizzard can follow the money trail and see where it goes. As for seeing your gold again, that almost certainly depends on what they find when they look into it.


I agree, sounds like one of the people who he shares the account with bought the stuff.


If I account shared, that would be perfectly reasonable, but I do not.
90 Blood Elf Hunter
15080
Currently there are only 3 known ways an account with a properly attached Authenticator on it can get hacked. However, there is 1 old method, which is no longer possible (that is, unless the hacker has a copy of your photo ID). In addition, there is a theoretical way that has never yet happened, and most likely never will.

First, the one old method that is no longer possible:

It used to be that hackers could gather enough information to pose as the player and trick Blizzard into removing the authenticator. In those cases the player fell for a phishing email or some other social engineering, or they had an active keylogger on their computer when they added their authenticator. The hackers were then able to glean enough information to get it removed (real name, address, S.S.N., CD key, Authenticator's serial number, etc.). All they needed to do was contact Blizzard, pretending to be the account holder, and claim they had lost their Authenticator.

However, Blizzard has since changed the procedure for removing an authenticator. They now require the player to send them a copy of a government-issued photo ID before they will remove it.

WARNING: If copies of your government-issued photo ID are out in the "wild", hackers can still use them to remove your Authenticator.

Some gold seller and/or power leveling services will require their clients to send them copies of their photo IDs, to prove they are who they say they are to the credit card companies. If you have ever used one of these services and they required this of you, then your account is at risk, as they can, and eventually will, use it to remove your Authenticator to hack your account. Where do you think they get the gold they sell in the 1st place?

In the unlikely case of the hacker having access to a copy of your photo ID, as well as all of your information, you have a lot more to worry about than a game account.

Next, the 3 known ways:

1. The most likely and common way: a spiteful or mischievous household member who has access to both the Authenticator and login information (little brothers/sisters can be such a pain). I personally know of a girlfriend of a player who was jealous of the time he spent on the game. She accessed his account, disbanded his guild and deleted all of his toons. I also know of another case where the cousin of a player, who was visiting, accessed his account and robbed both his and his guild's bank.

2. Next most likely, but fairly rare: they have jailbroken/rooted the Droid/iPhone that they have the authenticator app on. This makes it possible for the cell phone and the authenticator app to be cloned. If they then keep a backup on the same computer they play on, and it gets compromised, hackers are then able to obtain all of the information they need to clone the Authenticator, thereby giving them access to the account. However, the odds of everything coming together are against it.

3. Least likely, and extremely rare: a Man-in-the-Middle attack. That has only happened to a very small handful of WoW players, and to my knowledge there have been no confirmed cases of it in over 3 years.

A "Man in the Middle Attack" is a Trojan that works by blocking your access to the real login server and redirecting you to a spoof login screen/site. They then harvest all of your login information in real time, including your one-time-use Authenticator code. The hackers then very quickly use this info to access your in-game account before the Authenticator code expires. Because your Authenticator code is only good once, this attack only allows the hackers one-time access to your account. Once they log off or are kicked off, they cannot re-access your account. Unless you still have this MitM Trojan on your computer and try logging in again, thereby giving them a new code, they cannot get back into your account.

Hackers cannot use this attack to remove your Authenticator. In order to remove an Authenticator you have to: first go into your account administration page, in which you have to enter one Authenticator code; you then have to enter 2 different Authenticator codes to remove it from your account. That is a total of 3 different codes, and since the hacker only has one short-term, one-time-use code, they just can't do it.

As I said, "Man in the Middle" attacks were very, very rare. I have been following the WoW CS forum almost every day for over 5 years now, and as far as I know there hasn't been a confirmed case of one in over 3 years. In fact, there has only been a very small handful of confirmed cases at all. They require a very big hole in your internet security, and very good timing on the hacker's part. The main things the handful of players that had their accounts hacked had in common were: they all went to fake/spoof wowmatrix, curse, and other spoofed addon sites, and downloaded the spoof site's auto addon updater; they hadn't updated their Windows firewalls, and/or were running a bootleg copy of Windows. So if you are careful about the sites you visit, and keep your computer security updated, including your firewall, there is a low risk that this happened to you.

Again: this is a very large, nasty piece of malware; it is not something you can get from a Flash exploit. You have to actively download an executable file with it in it. As I said, the people that got it went to a fake/spoof wowmatrix site by mistake, and downloaded a fake/spoof wowmatrix auto addon updater that contained the infected file.

The other thing they had in common: 4 of the 5 people that got it were running a bootlegged copy of Windows. Because it was a bootlegged copy they could not update their firewall. The 5th person actually overrode his firewall's warning when he downloaded the fake client.

Also, as I said, this happened about 3 to 4 years ago; most if not all anti-malware programs are now offering protection from it. That malware took a lot of time and effort on the part of the hacker to write, and only yielded about 5 accounts.

That is not much of a return for their time and effort, when players give away their details so easily through conventional means. So while it is possible for a hacker to develop a new Man-in-the-Middle attack, they are unlikely to waste their time doing so.

The one theoretical way, which has never yet happened, is very similar to the MitM attack, in that it would require a big piece of nasty malware on the player's computer. It would basically involve the hacker having total remote access to the last computer the player logged into B-Net or the game on. This method would also depend on the player not requiring that the Authenticator be used for all logins.

When Blizzard first made the change to the authenticator system over 2 years ago, to not requiring the Authenticator on every login, there were a lot of discussions and concerns about the remote access possibility. However, players were reassured by Blizzard that this could not happen, as "Warden" would be able to detect it and block the computer's access. Since so far this has never happened, it is unlikely it ever will. However, in response to players' concerns they added the option for you to require authentication on every login.

Lastly, there is one other possibility: the account holder themselves removed their Authenticator, for one reason or another, and then forgot to reattach it, or was a bit too slow in doing so. Hackers have been known to trick account holders into removing their authenticator. They do this in one of 2 main ways.

One is a very old lockout trick that hackers use: they get hold of the account holder's account name (email address) and password and try to log into the account, but are blocked by the Authenticator. After a few tries to get into the account, the system would lock it up, to where even the account holder could not get in. So out of frustration the account holder has the Authenticator removed. However, the hacker has a bot that is still trying to access the account, and now is able to access it.

The second way is a fairly new piece of malware. This malware acts a bit like the Man-in-the-Middle attack (see above), but it does not harvest the authenticator code in real time. As such it really isn't the same, and doesn't require as big of a file. It works by blocking the game client and putting up sign-in errors. This makes the account holder think there is a problem with their Authenticator, causing them to remove it.

While both of these ways don't require the hacker to have access to/control of the account holder's email account, it does make it easier for them, as they can know from the notification email that the Authenticator has been removed, and as it allows them to block and delay the new verification email when the authenticator is reattached.

One more thing:
Are you sure you properly attached the authenticator to your account? You will be surprised how many people think that all they need to do is download the app to their cell phone, and never actually attach it to their account.
Edited by Ewing on 6/22/2013 4:10 AM PDT
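Added example, not part of Ewing's post and not Blizzard's code: a server-side check showing why a code relayed through a spoofed login screen is good for one login and cannot supply the three different codes the post says removal requires. It assumes a standard TOTP scheme (RFC 6238) with a 30-second step, since the page does not describe the real authenticator algorithm; `Verifier`, `remove_authenticator` and `relay_scenario` are hypothetical names.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code; assumed, the page does not give the real interval


def totp(secret, unix_time, digits=6):
    """RFC 6238 code (HMAC-SHA1) for the time step containing unix_time."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Server side: each time step is accepted at most once per account."""

    def __init__(self, secret):
        self.secret = secret
        self.last_step = -1  # highest time step already consumed

    def check(self, code, now):
        step = now // STEP
        if step <= self.last_step:
            return False  # a code for this step was already used: replay
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return False  # wrong or expired code
        self.last_step = step
        return True

    def remove_authenticator(self, codes, times):
        """Rule as stated in the post: one code to enter account management,
        then two more different codes. Each must pass check() on its own."""
        if len(codes) != 3:
            return False
        return all(self.check(c, t) for c, t in zip(codes, times))


def relay_scenario():
    secret = b"constructed-demo-secret"  # constructed sample value
    server = Verifier(secret)
    t0 = 1_371_900_000                   # constructed timestamp, start of a step
    captured = totp(secret, t0)          # the single code typed into the spoofed login
    first_login = server.check(captured, t0 + 5)         # relayed inside the step
    second_login = server.check(captured, t0 + 12)       # same code presented again
    stale_login = server.check(captured, t0 + STEP + 1)  # after the step rolled over
    removal = server.remove_authenticator([captured] * 3,
                                          [t0 + 40, t0 + 70, t0 + 100])
    return first_login, second_login, stale_login, removal
```

`relay_scenario()` returns `(True, False, False, False)`: the relayed code opens one session, and every later use, including the removal attempt, is rejected.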
90 Orc Warrior
16640
I require an authenticator to log on to WoW once per week. I will now be changing this to requiring an authenticator on each login.

Have confirmed authenticator is on account; each logon to WoW page requires authenticator, and have verified on account page that authenticator is set up.

My phone is up to date. My phone is not jailbroken. My phone has both the authenticator and the remote AH.

I do not live with anybody and do not share my login details with anybody, under any circumstance; they are also not recorded anywhere.

My OS is up to date, as is anti-virus and firewall.

Only 3 of my high level chars were targeted. My low level bank char (with guild bank) wasn't even targeted, with gold and items in the bank. No other item was lost.

My ISP assigns sticky (NOT static) IPs. I have had the same IP for several months, and have not rebooted the router in several months either. 2 locations I have logged into the remote armory app:
at home
at work - work wireless requires LDAP login credentials, as such it is not easily targetable; however, I guess it is possible for the armory app to have stayed logged in for the drive home.
14 Blood Elf Priest
0
Unfortunately Abidah, hackers don't use your gold to buy stuff. They steal it and send it off your account. Either you're mistaken with how you're using the AH and you've actually bid on the items and successfully won them, or you're forgetting that you purchased them.

Especially if your account is as secure as it sounds like it is.

A hacker would NEVER spend gold, it's much too valuable to do something as silly as that!
90 Orc Shaman
10620
Unfortunately Abidah, hackers don't use your gold to buy stuff. They steal it and send it off your account. Either you're mistaken with how you're using the AH and you've actually bid on the items and successfully won them, or you're forgetting that you purchased them.

Especially if your account is as secure as it sounds like it is.

A hacker would NEVER spend gold, it's much too valuable to do something as silly as that!


Actually, gold sellers will do this. If they can get into your account via the remote AH, they will "buy" really expensive white items. It's just a way that they transfer gold around.
90 Blood Elf Hunter
15080
Unfortunately Abidah, hackers don't use your gold to buy stuff. They steal it and send it off your account. Either you're mistaken with how you're using the AH and you've actually bid on the items and successfully won them, or you're forgetting that you purchased them.

Especially if your account is as secure as it sounds like it is.

A hacker would NEVER spend gold, it's much too valuable to do something as silly as that!


Hackers use the AH as a way to launder gold, and as a way to transfer Gold to their Buyer.
Edited by Ewing on 6/22/2013 4:37 AM PDT
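Added example, not part of the thread: a defender-side heuristic for the pattern the two replies above describe, a white item bought at a huge buyout from a throwaway seller as a way of moving gold. The record fields, thresholds and the `channel` values are assumptions; the three item prices, the level 1 seller and the 1 copper vendor value are the ones posters reported, and the seller name is a placeholder.

```python
from collections import defaultdict
from dataclasses import dataclass

COPPER_PER_GOLD = 10_000  # 1 gold = 100 silver = 10,000 copper


@dataclass
class Purchase:
    buyer: str
    seller: str
    item: str
    quality: str        # "poor", "common" (white), "uncommon", ...
    vendor_copper: int  # what an NPC vendor pays for the item
    price_gold: int     # buyout paid on the auction house
    seller_level: int
    channel: str        # "client" or "remote"; hypothetical field


def reasons(p, ratio_limit=100_000):
    """Signals that a purchase moved gold rather than bought an item.
    The price anomaly is required; the other signals only support it."""
    paid = p.price_gold * COPPER_PER_GOLD
    overpriced = (p.quality in ("poor", "common")
                  and paid >= ratio_limit * max(p.vendor_copper, 1))
    if not overpriced:
        return []
    found = ["low-quality item priced far above vendor value"]
    if p.seller_level <= 1:
        found.append("seller is a level 1 character")
    if p.channel == "remote":
        found.append("bought through the remote auction house")
    return found


def suspicious_transfers(purchases, min_signals=2):
    """Gold moved to each seller by purchases with at least min_signals signals."""
    totals = defaultdict(int)
    for p in purchases:
        if len(reasons(p)) >= min_signals:
            totals[p.seller] += p.price_gold
    return dict(totals)


# Constructed records. Items and prices in the first three rows are the ones
# reported in the thread; character names, channel and the last two rows are made up.
SAMPLE = [
    Purchase("char1", "SELLER_PLACEHOLDER", "Brawler's Vest", "common", 1, 135_423, 1, "remote"),
    Purchase("char2", "SELLER_PLACEHOLDER", "Brawler's Pants", "common", 1, 19_660, 1, "remote"),
    Purchase("char3", "SELLER_PLACEHOLDER", "Worn Battleaxe", "common", 1, 53_142, 1, "remote"),
    # Normal price from a level 1 bank alt via the phone: must not be flagged.
    Purchase("char1", "BankAlt", "Constructed Herb Stack", "common", 5_000, 250, 1, "remote"),
    Purchase("char1", "OtherSeller", "Constructed Ore Stack", "common", 8_000, 400, 90, "client"),
]
```

Requiring the price anomaly first keeps ordinary purchases from low-level bank characters out of the result, so `suspicious_transfers(SAMPLE)` reports only the placeholder seller and the total gold moved to it.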
14 Blood Elf Priest
0
I could be wrong, but I believe that the items they listed are only on the BMAH and that gold would only go to Blizzard, no?

A hacker is more likely to buy a loaf of bread for 20k.
90 Blood Elf Hunter
15080
I could be wrong, but I believe that the items they listed are only on the BMAH and that gold would only go to Blizzard, no?

A hacker is more likely to buy a loaf of bread for 20k.


Don't let the word "Brawler" in the item's name fool you. They are level 1 items that are not sold on the BMAH, and only vendor for 1 copper.
Edited by Ewing on 6/22/2013 4:41 AM PDT
90 Orc Warrior
16640
the items listed were from an actual WoW player, << NAME EDITED OUT>> - char was level 1 troll

There's no way in hell I would buy these items from AH, at ANY price. The items appear to be starter armour pieces, not even worth the value for mogging, which I've never done.
Edited by Abidah on 6/22/2013 4:56 AM PDT
12 Blood Elf Priest
30
Those 3 items are the starting set for a warrior (orc, troll, and tauren, I believe) or at least they used to be. Haven't rolled a warrior in a while.
90 Blood Elf Paladin
11675
Please edit out the other player's name in both posts that mention it, Abidah. We're not allowed to call out other players in such fashion.
90 Orc Shaman
10620
Please edit out the other player's name in both posts that mention it, Abidah. We're not allowed to call out other players in such fashion.


This and open a ticket. This is basically the same thing as an account compromise. You need to follow the standard compromise procedures...scan for malware, change password/email/etc. Because someone has your information.
90 Orc Warrior
16640
Bah, I'll edit the name out, though as a level 1 character, not much to "protect".

Ticket was already raised a few minutes before forum post. Looks like this case might be a bit unique and gold recovery tough to get :(
90 Night Elf Druid
16395
I just had this. Just lost £156k gold on 1 piece of "frybread" that was sitting in my mailbox with the toon's name that I allegedly bought it from. My actual account wasn't logged on, so it has to be from remote. No one knows my information, and my phone was on my table as I was in bed when it happened. The ONLY thing that is "out there", as I recruit for my guild, is my battletag ID. No passwords. I am lost to understand how this happened. They targeted only my main account, still left £110k across the other chars.