Menu
Trojan program hijacks World of Warcraft accounts despite two-factor authentication

Trojan program hijacks World of Warcraft accounts despite two-factor authentication

The malware is bundled with a fake Curse Client, the game developer said

A new Trojan program is targeting users of the popular online role-playing game World of Warcraft and is capable of hijacking accounts even if their owners use two-factor authentication.

"We've been receiving reports regarding a dangerous Trojan that is being used to compromise players' accounts even if they are using an authenticator for protection," a technical support representative from Blizzard Entertainment, the game's developer, said Friday in a message on the Battle.net forums. "The Trojan acts in real time to do this by stealing both your account information and the authenticator password at the time you enter them."

Battle.net is Blizzard's online gaming service and the Battle.net Authenticator is a physical token or a mobile application that generates unique codes used as a second factor of authentication in addition to the user password.

By intercepting Battle.net log-in attempts on infected computers, the Trojan program can capture both the regular user names and passwords and the unique codes generated by authenticators. Since the latter are essentially one-time passwords that expire after being used, the legitimate log-in attempts are blocked by the malware, so while victims try to figure out what went wrong, the captured information is sent to the attackers who can then hijack the accounts.

This is similar to how other Trojan programs allow attackers to defeat two-factor authentication used by Internet banking sites.

Signs of infection with this new malware include the presence of a program called "Disker" or "Disker64" in the Windows start-up list. Users can view this list by generating a MSInfo report using instructions on the Battle.net site and then look under the "Startup Program" section.

In a later update on the Battle.net forum, another Blizzard tech support representative said that the company tracked down the source of infection to a fake, but working Curse Client distributed from a fake website. The Curse Client is a third-party application that can be used to install add-ons and modifications for several games including World of Warcraft.

Users who suspect their computers have been infected with this Trojan program were advised to uninstall the Curse Client and then run a scan with Malwarebytes, an anti-malware tool that has a free version. However, most security products should be able to detect the Trojan program by now, the Blizzard representative said.

Uninstalling the rogue Curse Client is an important step because the client is actively trying to hide the malware's presence.

"For those of you interested in these MitM [man-in-the-middle] style attacks, this is the only confirmed case we've seen in several years outside of the 'Configuring/HIMYM' trojan in early 2012 that hit a handful of accounts," the Blizzard representative said. "These sort of outbreaks are annoying, but an Authenticator still protects your account 99% of the time."


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags malwareonline safetyAccess control and authenticationBlizzard Entertainment

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments