Malware hijacks World of Warcraft accounts despite two-factor authentication
Trojan program is bundled with a fake Curse Client, game developer says
IDG News Service - A new Trojan program is targeting users of the popular online role-playing game World of Warcraft and is capable of hijacking accounts even if their owners use two-factor authentication.
"We've been receiving reports regarding a dangerous Trojan that is being used to compromise players' accounts even if they are using an authenticator for protection," a technical support representative from Blizzard Entertainment, the game's developer, said Friday in a message on the Battle.net forums. "The Trojan acts in real time to do this by stealing both your account information and the authenticator password at the time you enter them."
Battle.net is Blizzard's online gaming service and the Battle.net Authenticator is a physical token or a mobile application that generates unique codes used as a second factor of authentication in addition to the user password.
By intercepting Battle.net log-in attempts on infected computers, the Trojan program can capture both the regular user names and passwords and the unique codes generated by authenticators. Since the latter are essentially one-time passwords that expire after being used, the legitimate log-in attempts are blocked by the malware, so while victims try to figure out what went wrong, the captured information is sent to the attackers who can then hijack the accounts.
This is similar to how other Trojan programs allow attackers to defeat two-factor authentication used by Internet banking sites.
Signs of infection with this new malware include the presence of a program called "Disker" or "Disker64" in the Windows start-up list. Users can view this list by generating a MSInfo report using instructions on the Battle.net site and then look under the "Startup Program" section.
In a later update on the Battle.net forum, another Blizzard tech support representative said that the company tracked down the source of infection to a fake, but working Curse Client distributed from a fake website. The Curse Client is a third-party application that can be used to install add-ons and modifications for several games including World of Warcraft.
Users who suspect their computers have been infected with this Trojan program were advised to uninstall the Curse Client and then run a scan with Malwarebytes, an anti-malware tool that has a free version. However, most security products should be able to detect the Trojan program by now, the Blizzard representative said.
Uninstalling the rogue Curse Client is an important step because the client is actively trying to hide the malware's presence.
"For those of you interested in these MitM [man-in-the-middle] style attacks, this is the only confirmed case we've seen in several years outside of the 'Configuring/HIMYM' trojan in early 2012 that hit a handful of accounts," the Blizzard representative said. "These sort of outbreaks are annoying, but an Authenticator still protects your account 99% of the time."
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Why You Need a Next-Generation Firewall This white paper explores the reasons for implementing next-generation (NG) firewalls and lays out a path to success for overburdened IT organizations.
- Gartner Magic Quadrant for Client Management Tools The client management tool market is maturing and evolving to adapt to consumerization, desktop virtualization, and an ongoing need to improve efficiency.
- Audit Ready and Asset Optimized: The Solid Promise of an Intelligent Software Asset Management Solution In this paper Frost & Sullivan examines the benefits of enterprise-grade Software Asset Management solutions, and how these solutions serve as the convergence...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Malware and Vulnerabilities White Papers | Webcasts