Hacked account, how did they do it?

[alcattle]

The only reason I wouldn't do it this way myself is that if you don't log in with all your accounts every time you type in your authenticator code you leave the idle account(s) open to attack.

Once you put the authenticator on each account, it cannot be logged into without one. There is no "idle" risk.

[Targ]

Once you put the authenticator on each account, it cannot be logged into without one. There is no "idle" risk.

If you log on to 2 of your 5 accounts, and the hacker is key logging you.
The hacker can log on to the remaining 3 "idle" accounts using the just typed authenticator code.

There is a risk, pretty small risk IMO but a risk.
The hacker has to know your a multiboxer and the relationship of the accounts.
I doubt Multiboxers are a large enough population for hackers to target.

[jinkobi]

The only reason I wouldn't do it this way myself is that if you don't log in with all your accounts every time you type in your authenticator code you leave the idle account(s) open to attack.

Why wouldn't you log into your account once you typed in the authenticator code immediately?

Authenticators are a layer of protection and we've hashed it out on these boards time and time again. You're safer with an authenticator than without one.

There's been like 1-2 claims ever of someone being hacked with an authenticator on their account. Those claims weren't even verified to be real or if that's how they were hacked. There seem to be an anti-authenticator army that goes around that spread lots of nonsense.

Bottom line buy an authenticator and be safe or run without one and take your chances.

[Maxion]

If you have your accounts on multiple battle net account you can log them all in with one authenticator code, no problem.

If you have all your accounts on the same battle net account you will need a new code to log each account in (takes 30 seconds between each one, goes by faster than you may think).
As long as you hit enter after typing it in and log in with it, even a keylogger (except the infamous man in the middle attack) would not be able to use to code to log in anywhere else (unless your accounts were on different battle net accounts). But if you have a keylogger on your computer you should not keep logging in anyway.
When you are logging each account in, stop each one at the character selection screen until all are at it if you are worried about getting attacked in pvp when you log in, then when everyone is at the char select screen, broadcast hitting enter to all log fully into the game at the same time.

[Tutunkommon]

Authenticator save my accounts from being hacked about 2 weeks ago. I had been hacked a couple years back, which prompted my buying the auth. in the first place.

Interestingly, my gmail account was hacked, and the hacker did a password reset, picked it up out of my mail, and tried to log in. The auth page stopped them, obviously. Google reported that my gmail account had been accessed from China, New York, and Alabama all within a 12 hour period.

Now I use KeePass as an extra layer of protection for all my non-wow accounts. The authenticator still works to protect that. I wish I could get an authenticator that I could bind to other things like my bank, email, etc.

With the authenticator now available as a free app for iPhone, et al. there is no real justifiable reason to not have on, IMHO.

--Tutunkommon


*Note: Why is there no "preview post" button on the quick reply?

[outdrsyguy1]

I just started getting a ton of VERY GOOD phishing emails over the past couple weeks. These are getting GOOD. I honestly can't tell if some are real or not other than I login directly to battle.net or my wow account and don't see any thing out of whack. I get notices of server transfers in progress, faction transfers, account password changes, and other mysterious activity. I DO have an authenticator and I suspect they just picked up my email some how. I doubt i have a keylogger because I do have one account I use that doesn't have an authenticator and it has not been hacked yet.

[crowdx]

I think one thing that helps with Phishing emails is to setup a brand new email account that is only used for WoW, never use it for anything else. You will notice that all the phishing emails will go to the old WoW email but not the new one.
I did this following being hacked (believe it was a trojan but no viruse scanner caught it) and I never get email on the WoW account, TONS on the old account masquerading as Blizz.

[ElectronDF]

I just started getting a ton of VERY GOOD phishing emails over the past couple weeks. These are getting GOOD. I honestly can't tell if some are real or not other than I login directly to battle.net or my wow account and don't see any thing out of whack. I get notices of server transfers in progress, faction transfers, account password changes, and other mysterious activity. I DO have an authenticator and I suspect they just picked up my email some how. I doubt i have a keylogger because I do have one account I use that doesn't have an authenticator and it has not been hacked yet.

Not sure what email program you use, but I use Outlook Express. In "Edit", there is an option (yeah, like 3 other ways to get to it) to see "View Source". It lets you see 100% of the email, not just the pretty stuff. Guess what shows up as the orginaltion of fake emails, the domain of the person starting it. Always overseas. If you EVER get an email from Blizzard view source it. It only takes like 10 secs. Also, like others have said:

DON"T click links in emails, ever. EVER. Just go to the place they tell you to go. Type in blizzard.net, type in ebay.com, etc.

DON"T use a normal email for WOW or SC2. It isn't worth it. Just get a new email address from the same place. Think of it like a business, would you put your business funds in your personal bank account? Then get a different one to keep it in.

GET an authenticator. You might not like it, but until you a show numbers of people getting hacked with an authenticator, it is doing way more than you people without one were doing before. Think of it like this, how bad do you want your stuff. If you leave your stuff unlocked, you must not want it really bad. Don't get mad at people that wanted your stuff more than you tried to stop them. Try to stop them harder.

[Khatovar]

To view headers in Gmail, there's a little arrow directly to the right of the Reply icon at the top of the message. For Yahoo, it's under Actions




These are the headers of a FAKE email -

Delivered-To: REMOVED
Received: by IP REMOVED with SMTP id f62cs270219wec;
Tue, 17 Aug 2010 14:54:02 -0700 (PDT)
Received: by IP REMOVED with SMTP id k13mr6478922ebd.77.1282082042224;
Tue, 17 Aug 2010 14:54:02 -0700 (PDT)
Return-Path: <USERIDREMOVED@hotmail.com>
Received: from blu0-omc4-s23.blu0.hotmail.com (blu0-omc4-s23.blu0.hotmail.com [65.55.111.162])
by mx.google.com with ESMTP id q12si19534313eeh.65.2010.08.17.14.54.01;
Tue, 17 Aug 2010 14:54:02 -0700 (PDT)
Received-SPF: pass (google.com: domain of USERIDREMOVED@hotmail.com designates 65.55.111.162 as permitted sender) client-ip=65.55.111.162;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of USERIDREMOVED@hotmail.com designates 65.55.111.162 as permitted sender) smtp.mail=USERIDREMOVED@hotmail.com
Received: from BLU0-SMTP68 ([65.55.111.137]) by blu0-omc4-s23.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 17 Aug 2010 14:53:25 -0700
X-Originating-IP: [222.69.163.23]
X-Originating-Email: [USERIDREMOVED@hotmail.com]
Message-ID: <BLU0-SMTP6874809CB35A732CF51708EE9C0@phx.gbl>
Return-Path: USERIDREMOVED @hotmail.com
Received: from mq ([222.69.163.23]) by BLU0-SMTP68.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 17 Aug 2010 14:53:21 -0700
Reply-To: <wowaccountadmin@blizzard.com>
From: "Blizzard Entertainment" <wowaccountadmin@blizzard.com>
To: REMOVED
Subject: Suspicious Activity - Illegal IP Warning
Date: Tue, 17 Aug 2010 15:32:40 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;

This is a header from a REAL Blizzard email

Delivered-To: REMOVED
Received: by IP REMOVED with SMTP id b16cs934fap;
Thu, 12 Aug 2010 22:37:57 -0700 (PDT)
Received: by IP REMOVED with SMTP id e20mr930194wfd.83.1281677876071;
Thu, 12 Aug 2010 22:37:56 -0700 (PDT)
Return-Path: <donotreply@blizzard.com>
Received: from mx1.blizzard.com (mx1.blizzard.com [12.130.201.11])
by mx.google.com with ESMTP id l15si5191818wfe.92.2010.08.12.22.37.55;
Thu, 12 Aug 2010 22:37:56 -0700 (PDT)
Received-SPF: pass (google.com: domain of donotreply@blizzard.com designates 12.130.201.11 as permitted sender) client-ip=12.130.201.11;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of donotreply@blizzard.com designates 12.130.201.11 as permitted sender) smtp.mail=donotreply@blizzard.com
X-IronPort-AV: E=Sophos;i="4.55,361,1278313200";
d="scan'208";a="52117341"
Received: from irvex202-nlb.corp.blizzard.net (HELO IRVEX202.corp.blizzard.net) ([10.130.14.22])
by mx1.blizzard.com with ESMTP; 12 Aug 2010 22:37:55 -0700
Received: from IRVEX012.corp.blizzard.net (10.130.0.217) by
IRVEX202.corp.blizzard.net (10.130.14.21) with Microsoft SMTP Server (TLS) id
8.2.254.0; Thu, 12 Aug 2010 22:37:55 -0700
Received: from NAMX01.blizzard.com (192.168.69.10) by
IRVEX012.corp.blizzard.net (10.130.0.217) with Microsoft SMTP Server id
8.2.254.0; Thu, 12 Aug 2010 22:37:54 -0700
Received: from ob4.blizzard.com ([192.168.69.10]) by NAMX01.blizzard.com with
Microsoft SMTPSVC(6.0.3790.3959); Thu, 12 Aug 2010 22:37:54 -0700
Received: from yourjvrgp4jtdb ([10.44.1.61]) by ob4.blizzard.com with
Microsoft SMTPSVC(6.0.3790.3959); Thu, 12 Aug 2010 22:37:54 -0700
thread-index: Acs6qOCKOmlNHpkaQFSfJo3584BW5A==
Thread-Topic: Blizzard Entertainment Hacks/Piracy Report
From: <donotreply@blizzard.com>
To: REMOVED
CC:
BCC:
Subject: Blizzard Entertainment Hacks/Piracy Report
Date: Thu, 12 Aug 2010 22:32:10 -0700
Message-ID: <cd80a01cb3aa8$e08a0710$3d012c0a@yourjvrgp4jtdb>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
Return-Path: donotreply @blizzard.com
X-OriginalArrivalTime: 13 Aug 2010 05:37:54.0523 (UTC) FILETIME=[AD84B2B0:01CB3AA9]

You should see a valid Blizzard address in the Return-Path and Received: from should reflect Blizzard servers. Blizzard doesn't use freemail, they have enough money and tech to run their own mail servers.

You can also hover your mouse over the links in the email that you receive. While the link in the email may look like a Blizzard site, your browser's status bar will show you the REAL address it's sending you to. See here and here. Better safe than sorry, always manually access your account by going to an official Blizzard site instead of following links in emails.

Scam emails can be forwarded with full headers to hacks@blizzard.com.

[alcattle]

also Yahoo have it on the bottom of the message screen. Yahoo has let several of these into my account, but none of my WoW are linked to Yahoo. I tried to send one of the plishes to Blizzard and yahoo refused the forward as it's spam filter did not like it. Cool, one way filters......Wrong WAY ..... Yahoo=fail