Menu
Trojan program hijacks World of Warcraft accounts despite two-factor authentication

Trojan program hijacks World of Warcraft accounts despite two-factor authentication

The malware is bundled with a fake Curse Client, the game developer said

A new Trojan program is targeting users of the popular online role-playing game World of Warcraft and is capable of hijacking accounts even if their owners use two-factor authentication.

"We've been receiving reports regarding a dangerous Trojan that is being used to compromise players' accounts even if they are using an authenticator for protection," a technical support representative from Blizzard Entertainment, the game's developer, said Friday in a message on the Battle.net forums. "The Trojan acts in real time to do this by stealing both your account information and the authenticator password at the time you enter them."

Battle.net is Blizzard's online gaming service and the Battle.net Authenticator is a physical token or a mobile application that generates unique codes used as a second factor of authentication in addition to the user password.

By intercepting Battle.net log-in attempts on infected computers, the Trojan program can capture both the regular user names and passwords and the unique codes generated by authenticators. Since the latter are essentially one-time passwords that expire after being used, the legitimate log-in attempts are blocked by the malware, so while victims try to figure out what went wrong, the captured information is sent to the attackers who can then hijack the accounts.

This is similar to how other Trojan programs allow attackers to defeat two-factor authentication used by Internet banking sites.

Signs of infection with this new malware include the presence of a program called "Disker" or "Disker64" in the Windows start-up list. Users can view this list by generating a MSInfo report using instructions on the Battle.net site and then look under the "Startup Program" section.

In a later update on the Battle.net forum, another Blizzard tech support representative said that the company tracked down the source of infection to a fake, but working Curse Client distributed from a fake website. The Curse Client is a third-party application that can be used to install add-ons and modifications for several games including World of Warcraft.

Users who suspect their computers have been infected with this Trojan program were advised to uninstall the Curse Client and then run a scan with Malwarebytes, an anti-malware tool that has a free version. However, most security products should be able to detect the Trojan program by now, the Blizzard representative said.

Uninstalling the rogue Curse Client is an important step because the client is actively trying to hide the malware's presence.

"For those of you interested in these MitM [man-in-the-middle] style attacks, this is the only confirmed case we've seen in several years outside of the 'Configuring/HIMYM' trojan in early 2012 that hit a handful of accounts," the Blizzard representative said. "These sort of outbreaks are annoying, but an Authenticator still protects your account 99% of the time."


Follow Us

Join the newsletter!

Error: Please check your email address.

Tags Blizzard Entertainmentonline safetysecurityAccess control and authenticationmalware

Featured

Slideshows

Sizing up the NZ security spectrum - Where's the channel sweet spot?

Sizing up the NZ security spectrum - Where's the channel sweet spot?

From new extortion schemes, outside threats and rising cyber attacks, the art of securing the enterprise has seldom been so complex or challenging. With distance no longer a viable defence, Kiwi businesses are fighting to stay ahead of the security curve. In total, 28 per cent of local businesses faced a cyber attack last year, with the number in New Zealand set to rise in 2017. Yet amidst the sensationalism, media headlines and ongoing high profile breaches, confusion floods the channel, as partners seek strategic methods to combat rising sophistication from attackers. In sizing up the security spectrum, this Reseller News roundtable - in association with F5 Networks, Kaspersky Lab, Tech Data, Sophos and SonicWall - assessed where the channel sweet spot is within the New Zealand channel. Photos by Maria Stefina.

Sizing up the NZ security spectrum - Where's the channel sweet spot?
Show Comments