#0 - Sept. 6, 2010, 8:54 p.m.
I changed my password, added the authenticator, as well as now changed my email address via telephone for my battle.net account.
After this my character was restored and I continued playing... until last night I got logged off and couldn't log back in. I tried battle.net and it said my username and password didn't match. I then checked my email address and sure enough an email address change email had come to my address that my email for my account had been changed to 'y****@hotmail.com' - so obviously the person still somehow has access enough to make these kinds of changes!
I ran 6 spyware/malware programs (Spybot, Ad-Aware, SUPERAntiSpyware, HijackThis, Malwarebytes, CCleaner)...
I ran 2 antivirus programs (AVG Free, Kaspersky Internet Security 2010)
Now I didn't find anything - but like a fool when my account was compromised I ran an executable that 'gathered system specs'... (a decision I could have only made not in my right mind at 4am... doi!) - so I know it must have installed something!? Yet still I do not trust these results, so I'm formatting my computer.
My biggest question is HOW they changed my email address since I had changed my password and added the authenticator???
I dug a bit and thought this might be the culprit? - this is the header from my most recent password recovery email. (just made this after talking on the phone with support - scary...)
Quote:
Delivered-To: [email protected]
Received: by 10.231.10.132 with SMTP id p4cs35356ibp;
Mon, 6 Sep 2010 12:01:53 -0700 (PDT)
Received: by 10.114.60.5 with SMTP id i5mr3645623waa.146.1283799713622;
Mon, 06 Sep 2010 12:01:53 -0700 (PDT)
Return-Path: <[email protected]>
Received: from smtp11.us.worldofwarcraft.com (ext-smtp11.us.battle.net [12.129.242.47])
by mx.google.com with ESMTP id c30si13390368wam.67.2010.09.06.12.01.53;
Mon, 06 Sep 2010 12:01:53 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 12.129.242.47 as permitted sender) client-ip=12.129.242.47;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 12.129.242.47 as permitted sender) [email protected]
Received: from uw1-web-35-blade01.wowadmin.net (uw1-web-35-blade01.wowadmin.net [10.48.58.61])
by smtp11.us.worldofwarcraft.com (8.13.8/8.13.8) with ESMTP id o86J1qgu005311
for <[email protected]>; Mon, 6 Sep 2010 19:01:53 GMT
X-DKIM: Sendmail DKIM Filter v2.8.3 smtp11.us.worldofwarcraft.com o86J1qgu005311
Date: Mon, 6 Sep 2010 19:01:52 GMT
Message-ID: <653812361.1283799712929.JavaMail.tomcat@uw1-admin-smtp-vip.wowadmin.net>
From: Blizzard Entertainment <[email protected]>
To: "[email protected]" <[email protected]>
Subject: Battle.net Account - Password Change Notice
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable
I changed my email address to '[email protected]' here for security purposes.
My biggest fear here is the line:
Quote:
Received: from uw1-web-35-blade01.wowadmin.net (uw1-web-35-blade01.wowadmin.net [10.48.58.61])
by smtp11.us.worldofwarcraft.com (8.13.8/8.13.8) with ESMTP id o86J1qgu005311
for <[email protected]>; Mon, 6 Sep 2010 19:01:53 GMT
What does this 'from uw1...wowadmin.net' mean???
Scary thing is I made these changes on a different computer...
So does this mean it's possible both my machines are compromised? Is that a fake email? The links seem to indeed link to battle.net (checked the hyperlinks... not the text).
Any advice?
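
An added example, not part of the original post: it reads the Received lines quoted above oldest hop first and marks which bracketed relay addresses sit in private (RFC 1918) address space, meaning that hop happened inside the sending side's own network. The function name `trace_hops` and the re-indented continuation lines are assumptions of this example.

```python
import ipaddress
import re
from email import message_from_string

# Received lines copied from the post; continuation lines are indented
# again (the page lost the folding whitespace). Redacted values kept as shown.
RAW_HEADERS = """\
Received: by 10.231.10.132 with SMTP id p4cs35356ibp;
 Mon, 6 Sep 2010 12:01:53 -0700 (PDT)
Received: by 10.114.60.5 with SMTP id i5mr3645623waa.146.1283799713622;
 Mon, 06 Sep 2010 12:01:53 -0700 (PDT)
Received: from smtp11.us.worldofwarcraft.com (ext-smtp11.us.battle.net [12.129.242.47])
 by mx.google.com with ESMTP id c30si13390368wam.67.2010.09.06.12.01.53;
 Mon, 06 Sep 2010 12:01:53 -0700 (PDT)
Received: from uw1-web-35-blade01.wowadmin.net (uw1-web-35-blade01.wowadmin.net [10.48.58.61])
 by smtp11.us.worldofwarcraft.com (8.13.8/8.13.8) with ESMTP id o86J1qgu005311
 for <[email protected]>; Mon, 6 Sep 2010 19:01:53 GMT
Subject: Battle.net Account - Password Change Notice

"""

def trace_hops(raw):
    """Return one dict per Received header, oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    # Every relay prepends its own Received line, so the newest is on top.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        m_from = re.search(r"\bfrom (\S+)", flat)
        m_by = re.search(r"\bby (\S+)", flat)
        m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", flat)
        ip = m_ip.group(1) if m_ip else None
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "ip": ip,  # address the receiving relay recorded for its peer
            "private": ipaddress.ip_address(ip).is_private if ip else None,
        })
    return hops

if __name__ == "__main__":
    for n, hop in enumerate(trace_hops(RAW_HEADERS), 1):
        scope = {True: "private", False: "public", None: "-"}[hop["private"]]
        print(n, hop["from"], "->", hop["by"], hop["ip"], scope)
```

Only the line written by the receiving provider (here `by mx.google.com`) is recorded by a host the recipient trusts; older lines are whatever the sending side wrote.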
