Trying to figure out how I got hacked

#0 - May 23, 2010, 6:26 p.m.
Blizzard Post
As so many others on this forum and on the Technical Support forum, I had my account hacked this week. I first noticed it yesterday evening: I tried to log in and got asked for an authenticator. Since I don't have one, I knew instantly what the story was.

They obviously cleaned out all my characters (about 18K in raw gold plus whatever they got from selling my inventory). They also created characters on my 3 wow accounts and presumably used those to spam /trade with advertising messages - which of course got the account locked.

Customer support was kind enough to unban the accounts and remove the authenticator and I'm currently sitting in the GM queue with my ticket to get my stuff back. My next step will be to get an authenticator; I learned my lesson. Like so many, I figured this would never happen to me - guess I was wrong.

Now: the question is... HOW did I get hacked? I've been working as an IT professional for 11+ years now and I know a thing or two about security. Here is what I did to scan my PCs:
- Full virus scanner run (Avast 5) with updated definition files.
- A full boot-time scan.
- Full system scan with Spybot.
- Full system scan with Malwarebytes.
- Check for rootkits with Sysinternals RootkitRevealer.

All came up empty and I didn't think they'd find anything anyway - if I need to try any software that I have questions about, I run it in a Virtual Machine first and reset the VM back to snapshot right after. No way a virus is getting out of that sandbox. And I'm behind a hardware based firewall.

I'm also pretty careful when I surf the web; I use Firefox with NoScript and Adblock Plus. As far as I can tell, my machines are totally clean. And obviously, I've never shared my username/password with anyone; even my wife doesn't know what it is. They also can't have access to my email - I don't use Hotmail or Gmail or anything like that; I'm on an IMAP server provided by my ISP.

That leaves but a few options:
1) There's a new worm/trojan out there that the scanners don't know about yet. If that's the case, there's not much I can do until they figure out what it is.
2) I got phished, somehow. Now, I know not to open any unsolicited emails or anything that appears to be from Blizzard. However, I do remember following a link in the forums a few weeks back to sign up for the beta opt-in. I did look at the URL before signing in - it looked legit. But now I'm wondering... did they set up a phishing site that looked like us.blizzard.com, steals your password and then forwards to the real site, somehow logging you in on their end? Seems far-fetched but it's a possibility. That's the only time I logged into anything other than the game and the forums in the past 6 months.
3) Man-in-the-middle attack. Personally, I think this is most likely - just looking at the massive increase in hacked accounts in the past week; something is out of whack. Just go look at the support forums - there's literally thousands of people over the past 3 days that have been hacked, way more than normal. And all of them have had authenticators added to them.

It's highly unlikely that these hackers are sitting on thousands of authenticators - Blizzard would detect it if someone bought a few thousand authenticators with the same credit card (or even a few credit cards). I suspect instead the hackers have found a way to exploit the iPhone software authenticator - since you don't need to place an order with Blizzard for that thing; if they reverse engineer the software behind the soft-authenticator, they can figure out what web service or whatever to call to generate new authenticator seeds; and voila: an infinite supply of authenticators. They must also then have somehow compromised the connection in the middle - either at my ISP (but I doubt that since it seems to be people from all over) or, more likely, the ISP that operates Blizzard's infrastructure.

Or, even worse: they have a mole at Blizzard. If that's the case, then anyone without an authenticator is potentially screwed (and even the ones WITH an authenticator may not be safe).

I know this is all speculation. But it would be nice if someone from Blizzard could at least comment on whether there's an abnormally high volume of ongoing hacks - because it sure seems to be that way.
#33 - May 24, 2010, 7:38 p.m.
Blizzard Post
Quote:
2) I got phished, somehow. Now, I know not to open any unsolicited emails or anything that appears to be from Blizzard. However, I do remember following a link in the forums a few weeks back to sign up for the beta opt-in. I did look at the URL before signing in - it looked legit. But now I'm wondering... did they set up a phishing site that looked like us.blizzard.com, steals your password and then forwards to the real site, somehow logging you in on their end? Seems far-fetched but it's a possibility. That's the only time I logged into anything other than the game and the forums in the past 6 months.


I think that might be an important clue. Did you follow a link to the beta opt-in from an official Blizzard Entertainment post, or a link provided by another player? This might also illustrate how even a very knowledgeable and savvy individual might be snared by a phishing site - assuming that the link did not originate from one of our posts, that is.

Quote:
did they set up a phishing site that looked like us.blizzard.com, steals your password and then forwards to the real site, somehow logging you in on their end? Seems far-fetched but it's a possibility.


That surprisingly detailed phishing sites exist is not so far-fetched as one might presume (though I don't think that any continue to forward information to official sites). These account thieves regularly create sites that look identical or nearly identical to official sites, with URLs that appear very similar to official Blizzard Entertainment URLs; then they advertise attractive promotions (such as beta opt-ins) via various channels with the intent to snare the unwary. While we aggressively pursue and eliminate these sites on a regular basis, more are created all the time. If you should happen to run across a malicious URL, you can report it directly to our investigators at [email protected].
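The post above describes look-alike URLs that resemble official ones, and the original poster said the beta opt-in URL "looked legit" at a glance. As an added example that is not part of the thread and not Blizzard's own code, here is a small Python check that applies the rule a defender would use before typing credentials into a page: parse the URL properly, take the hostname the browser would actually connect to, and accept it only if it is exactly a known domain or a subdomain of one on a label boundary. The allowlist and every sample URL below are constructed for illustration; the look-alike hosts use reserved `.example` names.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist for this example: the registrable domains the user
# actually intends to log in to. A real checker would maintain its own list.
TRUSTED_DOMAINS = ("blizzard.com", "battle.net")


def normalized_hostname(url: str) -> Optional[str]:
    """Return the lowercase ASCII hostname of a URL, or None if it has none.

    urlsplit() discards any 'user:password@' prefix, so a URL such as
    https://us.blizzard.com@other.example/ resolves to 'other.example',
    which is where the browser would actually send the credentials.
    Unicode labels are converted to their IDNA (xn--) form so that a
    look-alike spelled with non-ASCII letters cannot compare equal to the
    ASCII name it imitates.
    """
    parts = urlsplit(url.strip())
    host = parts.hostname  # already lowercased by urlsplit
    if not host:
        return None
    host = host.rstrip(".")  # a trailing dot names the same host
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def is_trusted_host(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if host equals a trusted domain or is a subdomain of it.

    The trusted name must be the suffix of the hostname on a label
    boundary: 'us.blizzard.com' matches 'blizzard.com', but
    'us.blizzard.com.login.example' and 'us-blizzard.com' do not, even
    though both contain the string 'blizzard.com'.
    """
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_login_url(url: str) -> Tuple[bool, str]:
    """Decide whether it is reasonable to type credentials into this URL.

    Returns (ok, reason). Only an https URL whose hostname sits under a
    trusted domain is accepted; everything else gets a reason a user (or a
    log line) can act on.
    """
    host = normalized_hostname(url)
    if host is None:
        return False, "no usable hostname"
    if urlsplit(url.strip()).scheme.lower() != "https":
        return False, f"{host}: login page is not served over https"
    if not is_trusted_host(host):
        return False, f"{host}: host is not under a trusted domain"
    return True, f"{host}: host is under a trusted domain"


if __name__ == "__main__":
    # Constructed sample URLs; the look-alikes use reserved .example names.
    samples = [
        "https://us.blizzard.com/account/",
        "https://US.Blizzard.COM./beta-opt-in",
        "http://us.blizzard.com/login",
        "https://us.blizzard.com.beta-signup.example/",
        "https://us-blizzard.com/",
        "https://us.blizzard.com@beta-signup.example/login",
        "https://us.blizz\u0430rd.com/",  # Cyrillic 'a' in place of Latin 'a'
        "not a url at all",
    ]
    for url in samples:
        ok, reason = classify_login_url(url)
        print(f"{'OK  ' if ok else 'STOP'} {url!r}: {reason}")
```

The point of the suffix test is that a glance at a URL tends to anchor on the familiar part, whereas the browser only cares about the rightmost labels of the hostname and about anything after an `@`; the check makes that the deciding factor rather than what the string starts with.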
#48 - May 24, 2010, 10:38 p.m.
Blizzard Post
Quote:
At the same time, I think there's 3 things Blizzard could do to help us out and make the lives of hackers harder (suggested this in another thread as well):

1) Introduce the concept of a "forum/battle.net" account and an actual "game" account with different credentials. That makes it a LOT harder to phish the "game" account and pretty much just leaves Trojans (which are harder to get on someone's machine than a good old social engineering phishing scam).

2) Either roll back or at least investigate the software-based mobile authenticators. The interesting question is how the hackers behind this recent swath of attacks are getting all these authenticators to add to the hacked accounts. The Blizz store does not allow you to buy more than two authenticators per credit card - ergo, I think it's a pretty safe bet to assume that they've reverse engineered the iPhone authenticator and figured out how to get an unlimited set of new seeds for an unlimited number of new authenticators. In a way, the mobile authenticators violate the design principle behind single-use hardware-based token authenticators: i.e. you need a physical device for security.

3) When a hacked user opens a GM ticket to get their stuff back, the GM should not reset the password again without at least explicitly notifying the user. That's exactly what happened to me yesterday - the GM reviewed the ticket, filed it without ever contacting me and then reset my password. End result: I see an email indicating my password has been reset - which led me to believe again (wrongly, this time) that my account had been compromised again.

Only 15 minutes later did I get an email from a GM (which ended up in Junk, I might add) that as part of the investigation, they would reset my account.

I would suggest that the GM, upon reviewing the ticket, sends a tell to the user like this:

"We're reviewing your situation and it's been forwarded to the appropriate team. I am resetting your password now as an extra security feature. Don't reply to this message". Or something to that effect.

It's confusing for users when GMs reset their passwords without warning - that's exactly what hackers do.


Thank you for coming back to the thread! I hope that we've drawn closer to an explanation for your compromise, and I'm glad to hear that you're interested in investing in an Authenticator. While I am unable to speak to your ideas directly, please do contribute them via a post on our Suggestions forum if you have not already. This will enable our Development staff to review them and take your perspectives into account.