Phishers Break WoW’s Magic Spell Over Gamers

WoW

While I’ve touched on the subject of World of Warcraft phishers (and the Trojans they attempt to spread) a handful of times in the past several months, it’s worth mentioning the ongoing problems phishing posts cause both players and Blizzard, the game’s operator.

To recap, the official message board for World of Warcraft is under constant attack by phishers, who use stolen credentials to post message board articles containing malicious links under the names of the innocent players whose passwords have been stolen.

The links, which can be tied to virtually any kind of social engineering tease, typically point to Web sites that contain scripting code which either pushes a WoW-credential-stealing keylogger down to the victim’s computer, or aggressively “suggests” that the victim should download and install some purportedly missing component (often, a fake Flash player update) that does the same thing.

20100112-wow-flashplayer_dialog1

The authors who plague the forums, in-game chat and email with these posts containing malicious links are a crew of dimwits, but they aren’t so thick that they fail to recognize an opportunity when they see it. Beginning in early December, for instance, they took full advantage of the incredibly busy state of the official forums, which were filled with posts tied to the release of a highly anticipated update to the game, and rumors about “beta testing” access to the update.

The heavier-than-normal traffic kept forum moderators busier, and subsequently the phishing posts remained active on the forums much longer before administrators deleted them. A longer exposure time means it’s more likely that victims will click through the malicious links, and with the customer support staff busy solving patch-related issues, compromised accounts remain compromised — keeping paying players locked out of the game — for even longer than they normally would. The problems have become so overwhelming that even Blizzard itself has been forced to acknowledge the scale of the problem.

20100112-wow-forum-new

Here’s a typical example, the screenshot taken today on the message board for the “Skullcrusher” server. Clicking any of the three links posted in the message takes visitors to a page they aren’t expecting.

20100112-wow-tube8

The fake video page attempts to push down an executable file to the victim’s PC, claiming the file is an update to the installed Flash plugin. As you probably could guess, this only installs a keylogger component, which attempts to steal gaming credentials. Of course, we can remove the keylogger, and our client’s Communications Shield also blocks the URL where the spy attempts to send the stolen passwords.

As a tactic to help reduce the number of account compromises, Blizzard offers players who spend $6.50 to buy a Blizzard Authenticator device — a two-factor authentication gizmo that generates a six-digit code the player uses at login time –  a bonus in-game pet. Last March, Blizzard began offering a 99-cent Mobile Authenticator app for the iPhone and a growing number of mobile phones that performs the same function.

But this isn’t enough to sway every customer to purchase an Authenticator, and it won’t necessarily reverse the mindset of many in the WoW community who have convinced themselves that such additional security measures are unnecessary. These justifications range from “I use a Mac, I’m not vulnerable to getting hacked” to “I am smarter than these people that need authenticators, I don’t need extra security.”

Sure, you don’t. Tell that to the malware authors, who appear to be more active (and successful) than ever. As I’ve said many times, you don’t have to have a malware infection before your account becomes compromised. According to players I’ve spoken to, getting involved in shady gold-buying transactions often leads to account details being stolen—regardless of the platform the gamer uses to play the game.

That’s one reason why, according to reports, Blizzard may make some form of two-factor authentication mandatory in the near future, even over the objections of some gamers. Personally, I think it’s a move that’s long overdue, not only for Blizzard but all the large MMO publishers.  It’ll be interesting to see how the creators of game phishing Trojans (and Blizzard’s game industry competitors) respond if Blizzard turns up the security heat.

Andrew Brandt researches malware for Webroot Software, and contributes to the Webroot Threat Blog. As a member of the Threat Research team, he and his colleagues help identify malicious software trends and improve the Webroot Antivirus with Antispyware product. Andrew joined the team in 2006. Prior to coming to Webroot, he worked for PC World magazine as a Senior Associate Editor, covering computer security and privacy issues for nearly a decade. In that role, he also wrote the Privacy Watch column. He lives in Boulder, Colorado.

Our latest thought leaders

What would you like to submit?

Byline Article

Press Release