Menu
Trojan program hijacks World of Warcraft accounts despite two-factor authentication

Trojan program hijacks World of Warcraft accounts despite two-factor authentication

The malware is bundled with a fake Curse Client, the game developer said

A new Trojan program is targeting users of the popular online role-playing game World of Warcraft and is capable of hijacking accounts even if their owners use two-factor authentication.

"We've been receiving reports regarding a dangerous Trojan that is being used to compromise players' accounts even if they are using an authenticator for protection," a technical support representative from Blizzard Entertainment, the game's developer, said Friday in a message on the Battle.net forums. "The Trojan acts in real time to do this by stealing both your account information and the authenticator password at the time you enter them."

Battle.net is Blizzard's online gaming service and the Battle.net Authenticator is a physical token or a mobile application that generates unique codes used as a second factor of authentication in addition to the user password.

By intercepting Battle.net log-in attempts on infected computers, the Trojan program can capture both the regular user names and passwords and the unique codes generated by authenticators. Since the latter are essentially one-time passwords that expire after being used, the legitimate log-in attempts are blocked by the malware, so while victims try to figure out what went wrong, the captured information is sent to the attackers who can then hijack the accounts.

This is similar to how other Trojan programs allow attackers to defeat two-factor authentication used by Internet banking sites.

Signs of infection with this new malware include the presence of a program called "Disker" or "Disker64" in the Windows start-up list. Users can view this list by generating a MSInfo report using instructions on the Battle.net site and then look under the "Startup Program" section.

In a later update on the Battle.net forum, another Blizzard tech support representative said that the company tracked down the source of infection to a fake, but working Curse Client distributed from a fake website. The Curse Client is a third-party application that can be used to install add-ons and modifications for several games including World of Warcraft.

Users who suspect their computers have been infected with this Trojan program were advised to uninstall the Curse Client and then run a scan with Malwarebytes, an anti-malware tool that has a free version. However, most security products should be able to detect the Trojan program by now, the Blizzard representative said.

Uninstalling the rogue Curse Client is an important step because the client is actively trying to hide the malware's presence.

"For those of you interested in these MitM [man-in-the-middle] style attacks, this is the only confirmed case we've seen in several years outside of the 'Configuring/HIMYM' trojan in early 2012 that hit a handful of accounts," the Blizzard representative said. "These sort of outbreaks are annoying, but an Authenticator still protects your account 99% of the time."


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags Blizzard Entertainmentonline safetysecurityAccess control and authenticationmalware

Featured

Slideshows

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

​Ingram Micro’s Hooked on Lenovo incentive programme recently rewarded 28 of New Zealand's top performing resellers with a full-on fishing trip at Great Barrier Island for the third year​ in a row.

Tight lines as Hooked on Lenovo catches up at Great Barrier Island
Inside the AWS Summit in Sydney

Inside the AWS Summit in Sydney

As the dust settles on the 2017 AWS Summit in Sydney, ARN looks back an action packed two-day event, covering global keynote presentations, 80 breakout sessions on the latest technology solutions, and channel focused tracks involving local cloud stories and insights.

Inside the AWS Summit in Sydney
Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Ingram Micro hosted its third annual Cure Kids Charity Golf Tournament at the North Shore Golf Club in Auckland. In total, 131 resellers, vendors and Ingram Micro suppliers enjoyed a round of golf consisting of challenges on each of the 18 sponsored holes, with Team Philips taking out the top honours.

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day
Show Comments