WoW account hacked (and questions for experts)

First off, to those in the World of Warcraft Qt3 guild on Arathor: my account was hacked either yesterday or today. Whoever did it cleaned out most of my characters as well as the guild vault. I got the password changed through Blizzard’s lost-password automated system, and emailed them about it. I hope and assume they’ll just roll everything back a couple of days, but I’ll let folks know when I know more.

Some questions for people who know more stuff about this than me: I don’t run any mods (and haven’t for about a year), and I’ve never given my password to anybody. That said, the password wouldn’t be hard to get in some sort of brute-force dictionary-type attack, since it was just a proper noun with “99” at the end. On the one hand, I find it hard to believe that you could do that – I would assume that if someone tried to log into my account 200 times in 5 minutes that Blizzard would notice and would shut it down or freeze it or something. On the other hand, I don’t know how else they could have done it.

Obviously my big fear is that somehow a keylogger or something was installed on my computer. I download lots of stuff – demos, utility programs, etc. – all from sites I think I can trust (game companies, etc.), but what do I know. I do a ton of stuff online – banking, shopping, paying bills, anything I can do online instead of with other people, I do. My bank accounts are all fine, so I assume that means that the security breach is limited to WoW and doesn’t affect my entire computer. But is there some way to be sure? I upped my firewall from Low to Medium, and I’m about to rerun Search & Destroy and AdAware (which I do from time to time, but not on any rigid schedule). Suggestions?

Reroll Alliance.

Keylogger, most likely. It happens. As far as your in-game stuff, go contact Blizzard and see if they can help you. They probably can restore some of your junk, though don’t expect to get everything back.

Take off and format everything from orbit.

It’s the only way to be sure.

Reformat computer and change all your passwords to everything, that’s my advice.

This happened to an officer in my guild last week. Blizz was able to return the entire contents of the guild bank to him along with all of his stuff. It did take about a week and a half to get it all back, I think…

Yikes, that’s scary, Rywill. I can only imagine what a bummer it must be, so condolences. Let us know what you find out.

-Tom, off to run AdAware and S&D

You have a keylogger on your system.

You really, really, really want to do some virus and spyware scans, then change your online banking and any other important passwords.

WoW… just not that important at this point.

It’s absolutely critical that you find and remove a keylogger, reformatting is not an option if you can’t. Brute force attacks are so unlikely that you can probably ignore that option even if you didn’t have to for other reasons. I know someone in my guild who was hacked, removed a bunch of stuff with a program and didn’t really check what was removed. He didn’t reformat and was hacked again once he had gotten his gear back and enchanted/gemmed again.

Our guild website once got implanted via a MySQL bug with some trojan that got installed when you checked the DKP standings. Whatever you do to fix this mess, the first thing you should do is USE A DIFFERENT COMPUTER to change all of your passwords.

In a lot of WoW account loss cases I’ve seen, it’s primarily with keyloggers. That being said, it’s not always on the computer that plays WoW. A few times, that said person used a non-safe comp to check email or something and their acct/pass was the same as their WoW.

Right, I remember that now. There was a vulnerability with eqdkp 1.3.0 that allowed access just as described. I had this happen on my site as well. It has a sleeper code somewhere that rewrites the page footers with an inline frame to abuse an IE exploit. I actually believe it is still on my site somewhere, but I have since changed the naming conventions of most of my board/dkp files and the attacks stopped.

I believe I checked my host for top search queries and one was listed as “Powered by EQdkp 1.3.0”
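For site owners checking for the footer rewrite described in the post above, this is an added example (not part of the original thread) that scans a web root's template files for iframes that are zero-sized, hidden by CSS, or loaded from another host. The file names, the `own_hosts` value and the injected host are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*["']?([^"'\s>]*)""")
HIDDEN_CSS_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)
TEMPLATE_SUFFIXES = {".php", ".html", ".htm", ".tpl"}  # assumed template file types

def iframe_findings(text, own_hosts):
    """Return (tag, reasons) for every iframe that is hidden or loads off-site."""
    findings = []
    for tag in IFRAME_RE.findall(text):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        reasons = []
        if attrs.get("width") in {"0", "1"} or attrs.get("height") in {"0", "1"}:
            reasons.append("zero-size")
        if HIDDEN_CSS_RE.search(tag):
            reasons.append("hidden-by-css")
        host = urlparse(attrs.get("src", "")).hostname
        if host and host.lower() not in own_hosts:
            reasons.append("external-src:" + host.lower())
        if reasons:
            findings.append((tag, reasons))
    return findings

def scan_tree(root, own_hosts):
    """Map each template file under root (relative path) to its suspicious iframes."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in TEMPLATE_SUFFIXES:
            found = iframe_findings(path.read_text(errors="replace"), own_hosts)
            if found:
                report[path.relative_to(root).as_posix()] = found
    return report

def demo():
    """Scan a constructed web root: one clean page tail, one injected footer."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "page_tail.html").write_text(
            '<iframe src="/shoutbox.php" width="300" height="200"></iframe>\n</body>')
        (Path(root) / "footer.php").write_text(
            '<p>guild footer</p>\n<iframe src="http://injected.example.invalid/x.htm"'
            ' width=0 height=0 style="display: none"></iframe>')
        return scan_tree(root, own_hosts={"guild.example.invalid"})

if __name__ == "__main__":
    print(demo())
```

A clean result only means no hidden or off-site frame is in the files scanned; it does not show how the footer was rewritten in the first place.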

Yeah, I’d imagine that people would be very interested to know what download from where caused this, if you ever manage to figure it out.

Erm…thought I would d/l AdAware and S&D before realising that these aren’t free anymore. Anyone recommend a good free alternative?

AVG and SpyBot

Galadial, I’m running a scan right now with a free version of AdAware that I just downloaded.

I’ve never had a WoW account hacked, but I did have someone purchase a house in Atlanta with my name and all my private info including SS#, driver’s license #, etc. Needless to say, it was a bit of a hassle to clean up that mess.

Happened to me too. I got about everything back. The greens they just reroll for you since they are random. I’m sure you had a keylogger – that’s what got me. I still don’t know how I got it.

I hope things work out for you - when my account was hacked, Blizzard was completely unhelpful. Admittedly, my situation was farther gone. I’d been off WoW for some months and didn’t know anything had happened until I tried to resubscribe and found my account banned.

So, yes, I can sort of understand that they might have trouble believing I wasn’t the one running whatever it was that got my account done in, but they were so unhelpful and uncommunicative that I will never have anything to do with WoW again. Or any other MMO they should launch…at least in theory (my willpower may not be that strong.)

Yeah, with identity theft you’re definitely considered guilty until you bust your ass to prove yourself innocent.

Both good choices. Kaspersky Anti-virus is awesome, too.

Rywill - OUCH man. Definitely seems like a keylogger. My suggestions:

  1. Hey, say what you will about Vista, it really does legitimately have far fewer security holes that can let this kind of crap happen to you. At least, not without your explicit action (downloading and running infected warez, disabling UAC, whatever). And Windows Defender isn’t a “real” antivirus program but it is an honestly useful tool against a lot of malware. So maybe it’s not a terrible idea to upgrade, if your computer is pretty good.

  2. If your computer is plugged directly into your cable modem or DSL, holy shit, you need to stop doing that right away. You never, never want your computer’s IP address to be the actual IP your ISP has assigned to you. Being behind a router and having a 192.168.xx.xx type of internal-only address, and accessing the 'net through NAT (network address translation) is an extraordinarily effective first line of defense against worms, bots, and other stuff. A lot of that junk simply looks for computers with open ports at known IP ranges, and if it’s your router and not your computer that truly exists at that IP, your computer will be “hidden” from the vast majority of them. Honestly, if you’re behind NAT (meaning you’re connected to a router and aren’t cloning IP addresses or anything funky), it’s going to be hard for your computer to get infected unless you do it yourself by opening a bad email, running a page with a bad script, running an infected executable, etc. Go buy a damn router if you don’t have one.

  3. As everyone mentioned here, you want to run some antivirus and spyware/malware detection stuff. I recommend the Kaspersky I linked.

  4. You want to go change every password you can, from a different computer that you know is not infected, as soon as possible.

I had this happen to me last year.

You most likely have a keylogger. The good news is that you came here instead of asking about it on the WoW forums. Because on the WoW forums you would just get ten pages of people calling you names for having gotten a keylogger. People there seem to think that keyloggers just aren’t real until it happens to them.

Do as everyone suggests. Go as scorched earth as you feel you can until you get rid of every bit of spyware on your PC. Then change up all your passwords.

Blizzard takes one to three weeks to get your characters back to you with your stuff. You will get back all unique items (including blues and purples) but any non-unique ‘of the eagle’ or ‘of the tiger’ stuff that you might have had will not come back to you the way you lost it. It’ll be the same quality/level range, but if it was ‘of stamina’ before, it might be ‘of the bear’ now. They just can’t be more precise than that.