Account Hacked

#0 - Aug. 8, 2010, 8:47 p.m.
Blizzard Post
I canceled my account over a month ago, and now I'm getting signs it was hacked.

After I stopped the billing on the account, 2 weeks later I got a Beta invite for Cata (it was legit, I went through the account management page to download the client, and I did not click anything in the email).

Then on 8/8 I got a suspension warning and my password was reset. Now there's unknown billing information on the account and the characters are all deleted.

And there's 20+ lvl 1 toons across multiple servers.

I have scanned my PCs and found 0 infections.




If anyone else gets hacked, here is what I suggest.

1. DO not blame Blizzard, you will just get thrashed by the community, and it will turn your forum thread into unreadable trash.

2. DO scan your systems with Avira, Antirootkit, Malwarebytes, and ComboFIX and look at their logs for infections. If you do come up clean, you were still infected at some point, even if you have no proof.


That is what I have learned from the forum on this occasion.
#87 - Aug. 9, 2010, 7:16 a.m.
Blizzard Post
Soulsinger,

We cannot tell you how this happened, I can tell you - it wasn't from our side.

Now, I'm looking back over your account. How many points of access have there been to this account?

Do you play from the office, school - a friend's house on occasion?

I'm seeing what looks like 2 very distinct access points here, nothing out of the ordinary there or 'bad', but it could be either of those systems (if indeed there are multiple ones) that have an issue with security.

About May 12th I see a 3rd - and it was only two days after that I'm seeing the first obvious foreign malicious access. They may have done nothing to the account at that time except stockpile it, but I'd bank on one of the systems used having malware.
#103 - Aug. 9, 2010, 7:47 a.m.
Blizzard Post
Quote:


You're hitting the forums early, thx for the reply.

The 2 main points of access are the office and home. All 3 machines were scanned for infections viral and malware with 0 hits.

So in your history of my account, you can attest that the 2 main subnets were the only ones being used to access the account prior to the May 12th~ access?
What about when the billing info was added? Was that done on the same IP/subnet that you suspect was malicious?





Well, it wasn't done from yours, and then the password was immediately changed by a malicious party.

Also, keep in mind they don't always access an account immediately. It's not uncommon for them to sit on information until they have a need on a particular realm. It's a common misconception that once compromised an account is immediately accessed - that isn't always true.

#110 - Aug. 9, 2010, 7:59 a.m.
Blizzard Post
Two options here Soul.

You were compromised - or you turned your account over to a malicious 3rd party willingly.

Really no other options because it WAS accessed by a malicious 3rd party.

Didn't come from us, but it appears you may have multiple systems that need investigating.
#112 - Aug. 9, 2010, 8 p.m.
Blizzard Post
Quote:


Right, that's why I was interested in the dates, I can reference the date against my logs and see if I can find anything now. As I said before, just looking through months of data wasn't going to show me much other than weird connections (connections to my desktops at early hours when they are powered off, connection attempt logs, etc.)

I know you cannot give me IP addresses that were used, but can another Blizzard department? Perhaps over the phone or email?


No, that's not information we'd be able to share.

I can tell you they should stick out like a sore thumb though.
#122 - Aug. 9, 2010, 8:35 p.m.
Blizzard Post
Enough is really, truly enough folks.

I do believe Soul has enough information to do further investigation with now.