Account Hacked, what software and cleanup did you use?
crowdx
06-07-2010, 10:11 AM
Hi all,
well woke up this morning and most of my main 5 accounts had been cleared, blah blah blah. So my question is, what software did you guys use that found the keylogger/trojan? I use Bitdefender and so far it has not found anything on either machine which I use to game on.
Also following being hacked like this, have you all continued to use the hacked machines once you found the offending app or have people done fresh installs to make sure that they are clear?
All help welcome :(
Svpernova09
06-07-2010, 10:15 AM
Nuke it, from orbit.
Do a clean install of everything, full format (get that MBR just in case) and reinstall everything. Don't put any data from the old system (backup files) until you've scanned it with some kind of anti virus / malware.
Most importantly, once you've gotten a clean / safe system, Change every single password you have.
jinkobi
06-07-2010, 10:40 AM
Sorry to hear about your theft crowd :( Makes me angry every time I hear about those thieves hurting good people.
I use Spybot/Hijackthis which is free from-
http://www.safer-networking.org/en/home/index.html
What Super recommends is the 100% way to be safe. Just a clean format... In the future try and have things backed up so a full format isn't as traumatic. Because we all know it sucks losing stuff.
Before you format though you should try and at least track down the source of your hack. Then format- secure yourself- buy an authenticator too.
crowdx
06-07-2010, 10:43 AM
Yes I am gonna change all passwords, I normally use Roboform for entering passwords which avoids typing passwords but I will still change everything to be sure I am secure again.
One thing I did think to myself was, if there was an authenticator on the accounts (I removed it last week while I was leveling multiple teams to speed up logging in, FACEPALM) then most likely I would not know my machine was hacked until either the antivirus found it or some other account got hacked, THAT is kinda scary.
This must be costing Blizzard a LOT of money :(
crowdx
06-07-2010, 10:49 AM
One last thought, is the deleting of toons by the hackers just a way of insulting the player or is there a reason?
Binaryzero
06-07-2010, 10:59 AM
I would think they do it to make sure that they strip all the toons...
crowdx
06-07-2010, 11:15 AM
Well there were only 3 of my 80s deleted, the other accounts were just stripped and no toons deleted and my final account was untouched, I really think I logged in as they were still stripping the accounts.
Aenar
06-07-2010, 11:16 AM
My friend got hacked Sunday morning. Reading the Blizz forums it sounds like another wave of attacks has started. Who knows how long they've been collecting & storing PWs, just to use them now in an all-in-one burst. I got the keychain coder but anyone who doesn't may consider changing PWs asap to be safe. Could have visited a page 6 months ago that got your info & is using it now. :mad:
Catamer
06-07-2010, 11:18 AM
two words... blizzard authenticator.
if you can get an authenticator or have an iPhone application (not sure if other phones can do it).
I made 5 battlenet accounts and assigned a wow to each so I can do 5 logons at once, if you have all of your accounts on one battlenet account then you will have to logon one at a time (which sux since you have to wait for a new number for each logon ).
universal
06-07-2010, 12:14 PM
Android phones can do the authenticator too.
if you haven't got any trojan/virus on your PC it is most likely that they "hacked" some forum/shop/site where you are registered with the same credentials as your wow accounts :-)
crowdx
06-07-2010, 12:28 PM
So one last issue I have, blizzard said they have sent a password reset email for the affected accounts. In my gmail the emails have all hit the spam filter, is there a way to go directly to the password reset page without using the link in the email or must I follow that link?
Thanks for the help
Arneas
06-07-2010, 03:03 PM
Of course, as I'm reading this thread, I get a sinking feeling and check my email. BAM! Three hour account suspension for spamming. Only thing is, I haven't logged in for four days. Tried to access battle.net. My password doesn't work anymore. Bah!
Reset the password to the accounts, so at least they can't do anything else. But, since I'm at work, I need to wait until I get home to see what damage was done (as well as for the three hour ban to expire).
Bah!
Tonuss
06-07-2010, 03:15 PM
My friend got hacked Sunday morning. Reading the Blizz forums it sounds like another wave of attacks has started. Who knows how long they've been collecting & storing PWs, just to use them now in an all-in-one burst. I got the keychain coder but anyone who doesn't may consider changing PWs asap to be safe. Could have visited a page 6 months ago that got your info & is using it now. :mad:
Geez, I have to admit that I had not even thought of that. It can make it really difficult to figure out when your account got compromised if they decide to work that way.
crowdx
06-07-2010, 04:27 PM
Well I went home at lunch and so far the virus scanners have not picked up anything as yet.
A question for those that have been through the hacked trauma, the care package that blizz offers, what does this include? Do they restore the gear and x gold or is no gear restored? What does the restore package cover?
I prefer a full restore but I really do not care about mats on the accounts, I more care about gold (about 32k across the 5 accounts) and the gear for the toons.
crowdx
06-07-2010, 05:44 PM
Just got a few emails supposedly from Blizzard informing me of unsuccessful paid character transfers on my accounts. Wondering now has the account been newly compromised or is this a delay from this morning. I added an authenticator straight away at the time I found the account hacked and so wondering what is happening :(
mikekim
06-08-2010, 02:02 AM
if you are looking to clean the machine of trojans/ keyloggers use both malwarebytes and ccleaner
coglistings
06-08-2010, 02:30 AM
we use Roboform at work and if you don't encrypt / password the keycard, the file is basically a text file on the file system. the wow account name is passed along in the tcp stream as plain text and the characters you see when you get into your main character selection screen are also passed along to your computer in plain text. not that the hackers had a tap on your network or anything, but a lot of information can be datamined by someone who knows what they are looking for. I can say that the packets passed along to the server after your username appear to be encrypted...
beware authenticators is all I have to say on that matter....
if you are looking to clean the machine of trojans/ keyloggers use both malwarebytes and ccleaner
unless you can verify that you don't see any strange packets out of your computer by monitoring an entire conversation from a network port mirror or a tap linked to an unknown monitoring device you can't assume you got it. av software is just meant to make you feel good about browsing the network and it may not catch what actually infected the system even if they catch other things, Svper has really the best advice. blast from afar and reinstall straight from your DVDs or from web downloader.
So one last issue I have, blizzard said they have sent a password reset email for the affected accounts. In my gmail the emails have all hit the spam filter, is there a way to go directly to the password reset page without using the link in the email or must I follow that link?
Thanks for the help
well, you can always hover over the link in the e-mail to see where it goes. if it goes to a straight up Bliz page, then you are good.. the reset page is on the same server your battle.net accounts go to so if the first portion of the URL is off even by just a letter, chances are it's a phish. you really can't go around it cause there are security tokens in the e-mail link that Bliz is expecting for like a 24 hour period before they expire. chances are that if the message came in after a few minutes from being on the phone or from requesting it, it's legit.
Bliz is really good about restoring ppl cause they want to keep you and also they want to keep you from saying how you quit the game after you got hacked. I wouldn't expect a hacked account that was able to be recovered to continue to pay their membership subscription.
remember, by not keeping your account safe, you are admitting to a TOS violation which under current case law is a copyright infringement. so never approach Bliz with a large stick on this one. their stick is larger.....
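The "hover and check the first portion of the URL" advice above, as an added example (not code from anyone in this thread): a small checker that applies the same test to links pulled from a reset e-mail, rejecting the usual lookalike tricks. The trusted host names and the sample links are constructed for illustration.

```python
"""Check whether a link from a "password reset" e-mail really points at the
expected site, the way the post above suggests doing by hovering over it.

Added example, not code from the thread. TRUSTED_HOSTS is an assumption made
for illustration; the sample links below are constructed, not real e-mails."""
from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumed: the only registrable domains a genuine reset link should land on.
TRUSTED_HOSTS = ("battle.net", "blizzard.com")


def link_host(url: str) -> Optional[str]:
    """Return the normalised host of a link, or None if the URL is malformed
    or uses a trick that makes the host ambiguous to someone just hovering."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme != "https":          # plain http or javascript: links fail
        return None
    if "@" in parts.netloc:              # https://battle.net@evil.example/ shows
        return None                      # the trusted name but goes elsewhere
    host = parts.hostname
    if not host:
        return None
    host = host.rstrip(".").lower()      # trailing dot and case do not matter
    if host.startswith("xn--") or ".xn--" in host:
        return None                      # punycode label: IDN lookalike domain
    if not host.isascii() or not all(c.isalnum() or c in "-." for c in host):
        return None
    return host


def is_trusted_link(url: str) -> bool:
    """True only if the host IS a trusted domain or a subdomain of one.
    'battle.net.evil.example' and 'batt1e.net' both fail this test."""
    host = link_host(url)
    if host is None:
        return False
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


# Constructed sample links and the verdict each one should get.
SAMPLE_LINKS = {
    "https://us.battle.net/account/management/password-reset.html?token=ABC": True,
    "https://battle.net.account-verify.example/reset": False,   # wrong domain
    "https://batt1e.net/reset": False,                          # one letter off
    "https://battle.net@evil.example/reset": False,             # userinfo trick
    "http://us.battle.net/reset": False,                        # not HTTPS
    "https://xn--bttle-9ra.net/reset": False,                   # IDN lookalike
}


def check_samples() -> Dict[str, bool]:
    """Run every constructed sample through the checker."""
    return {url: is_trusted_link(url) for url in SAMPLE_LINKS}


if __name__ == "__main__":
    for url, verdict in check_samples().items():
        print(f"{'OK  ' if verdict else 'WARN'} {url}")
```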
Svpernova09
06-08-2010, 08:34 AM
Well I went home at lunch and so far the virus scanners have not picked up anything as yet.
A question for those that have been through the hacked trauma, the care package that blizz offers, what does this include? Do they restore the gear and x gold or is no gear restored? What does the restore package cover?
I prefer a full restore but I really do not care about mats on the accounts, I more care about gold (about 32k across the 5 accounts) and the gear for the toons.
Don't ever take the package, request a full restore. The package is frost badges and 2k or 3k gold.
Dramoth
06-08-2010, 08:42 AM
One of my guildies second account (with all his bank toons on it, not his playing toons) got hacked yesterday.
As soon as they hit it, the hackers put an authenticator on it and changed the password.
I think that him and his brother are going to be investing in authenticators for their accounts. At least I am going to tell them to do it :)
crowdx
06-08-2010, 10:37 AM
So as an update, I nuked all my machines' OSes and did clean installs from a format (I have the OS on a separate partition). I then used multiple pieces of software to scan the existing drives for any keyloggers or trojans and so far I seem to be clean.
I also setup a new email address and moved my battlenet account onto it and as some have said on the forum before, I will keep this email address solely for WoW. I then did another update on my password and then logged back into the game. What seems to have happened is that they did not delete any of my toons, instead they transferred 3 of them to other realms, when I am restored, will blizz automatically move these toons back or do I have to add this to my ticket?
I did question the failed paid transfers with a GM and he said it happened after I submitted my ticket, what I am wondering here was, were they logged into my bnet account when I logged in and so it allowed them to do the transfers while I was logged on, not sure. Anyhow, all the above steps to clean my machines were taken later in the day and so I am hoping I am clear of the mess.
So now I think I am into the waiting game to have the accounts restored, luckily I have one account untouched which is the account that I have my tanks on and was using to powerlevel some alts and so the wait for restore will not affect my gaming at all.
Overall, a pain to have to do fresh installs etc but I am glad that I got hacked on my WoW account and not some other real world bank accounts or some such which I have also now changed all the passwords for.
Still no idea where the compromise came from but I think one of the posters here may have been correct in stating that the hack may have been a few months ago and the hackers are just doing a mass onslaught on people's accounts, I suppose the logic might be to overwhelm Blizzard's support and so inexperienced users may be left vulnerable longer due to trying to call Blizzard etc instead of taking immediate action.
jinkobi
06-08-2010, 10:46 AM
You might have got hacked through 2 recent techniques listed on MMO Champion. The Flash player or the Google Ads vulnerabilities.
http://www.mmo-champion.com/
For the whole story check out MMO champions front page and read these 2 sections below.
Important - Adobe Flash Player Vulnerability
Quote from: Lucytr (Source (http://forums.worldofwarcraft.com/thread.html?topicId=25170612979&sid=1))
A critical vulnerability has been discovered in Adobe Flash Player 10.0.45.2 and Adobe Reader/Acrobat 9.x, and could potentially be used to target World of Warcraft players and accounts. The newest available version of Adobe Flash 10.1, Release Candidate 7 (available at http://labs.adobe.com/technologies/flashplayer10/ (http://labs.adobe.com/technologies/flashplayer10/)), does not appear to contain this vulnerability, and we recommend that everyone upgrade their Flash player as soon as possible. Earlier versions of Adobe Reader and Acrobat, specifically version 8.x, do not appear to contain this vulnerability, either.
For more information, please visit Adobe.com: http://www.adobe.com/support/security/advisories/apsa10-01.html (http://www.adobe.com/support/security/advisories/apsa10-01.html)
Get an Authenticator if you haven't got one already. Get your very own guard dog and secure your account at the same time. Visit http://us.battle.net/security (http://us.battle.net/security) for more info!
I would also like to add that this is NOT a virus. The only way to protect yourself from this kind of vulnerability is to keep your system up-to-date in all ways, including Flash.
Curse Client Google Ad Scam
A few months ago a couple of people got hacked because of malicious google ads redirecting to fake armory pages. (See this news (http://www.mmo-champion.com/news-2/armory-scams-blue-posts-free-character-moves-147499/))
The same problem is now affecting the Curse.com (http://www.curse.com/) client that many of you use to update and download addons.
crowdx
06-08-2010, 11:12 AM
Well I use the Curse Client to update my add ons, I have never used any link from the client but I do use it to update my addons.
My machines run windows updates automatically each day but I am not 100% sure about the Adobe stuff, they may have not been 100% up to date, but I do not surf a lot on these computers and so I would think the vulnerability is when these apps hit sites that take advantage of the exploit?
I have been using Bitdefender as a virus scanner but after the hack I tried a few others including AVG and NOD32, I do not like McAfee and Norton so stayed clear of them. I also used a couple of the previously listed apps in this thread for trojans and keyloggers.
crowdx
06-09-2010, 11:02 PM
So the plot thickens, I was busy boosting toons in scholo and the RAF accounts got disconnected. When I tried to log in it kept giving me an incorrect password. When I checked the email associated with the account it reflected that there was a password reset request.
I quickly did a second reset got back into the account and changed the password. When I then went to log back into the toons it told me that the accounts were suspended.
So my confusion here is that I did a fresh install, changed all the Bnet passwords and the main account's email (did not change the RAF email) and ran multiple virus scanners including several of the ones listed in this thread.
Maybe they just tried to reset the password to get into the account? There is an authenticator on all accounts and so maybe that is all they got to do from previously collected data?
This has been very traumatic, and when I try to call I get a message to just call back later, so much for customer service!!!
FRUSTRATED!!
moosejaw
06-10-2010, 03:20 AM
When you do your system scans have the wow login screen up and type in some gibberish. Some of the malware won't show itself until wow.exe is active.
jinkobi
06-10-2010, 08:15 AM
So the plot thickens, I was busy boosting toons in scholo and the RAF accounts got disconnected. When I tried to log in it kept giving me an incorrect password. When I checked the email associated with the account it reflected that there was a password reset request.
I quickly did a second reset got back into the account and changed the password. When I then went to log back into the toons it told me that the accounts were suspended.
So my confusion here is that I did a fresh install, changed all the Bnet passwords and the main account's email (did not change the RAF email) and ran multiple virus scanners including several of the ones listed in this thread.
Maybe they just tried to reset the password to get into the account? There is an authenticator on all accounts and so maybe that is all they got to do from previously collected data?
This has been very traumatic, and when I try to call I get a message to just call back later, so much for customer service!!!
FRUSTRATED!!
This is some very weird stuff crowd...Especially if you formatted and everything I don't even know how it'd be physically possible unless you reinfected yourself from backups.
You need the help of the Customer Service forum then they can at least see where the logins are coming from and maybe more insight to what's going on.
MiRai
06-10-2010, 10:23 AM
This is some very weird stuff crowd...Especially if you formatted and everything I don't even know how it'd be physically possible unless you reinfected yourself from backups.
You need the help of the Customer Service forum then they can at least see where the logins are coming from and maybe more insight to what's going on.
I've been told a virus could potentially hide in the memory. That's why you're supposed to do a full system shutdown and flip the power switch off [or unplug the PSU] and wait like 30 seconds to make sure all the power was removed from the board. But infecting yourself from backups is quite possible too. :)
crowdx
06-10-2010, 11:40 AM
Well the really strange part to me is that to do a password reset on this latest Bnet account it needs a challenge question answered which I have not used in a long time and no one would ever guess due to being an answer from back home when I was a child.
At this point I am wondering is it an issue with Blizzard's authentication servers.
I have tried multiple times to call them and keep getting a call back again later message, which is ridiculous.
jinkobi
06-10-2010, 01:07 PM
Do you have any roommates or other people with access? Or gremlins, poltergeists, living on an indian burial ground? :D
I meant the Customer Service forum to at least get some feedback. The only way to get through by phone is spam redial then they put you in a queue where you wait. Spam redial like it's a radio contest.
crowdx
06-10-2010, 01:09 PM
nope, I am the only one with access to these computers. :(
raylion
06-10-2010, 01:35 PM
So the plot thickens, I was busy boosting toons in scholo and the RAF accounts got disconnected. When I tried to log in it kept giving me an incorrect password. When I checked the email associated with the account it reflected that there was a password reset request.
I quickly did a second reset got back into the account and changed the password. When I then went to log back into the toons it told me that the accounts were suspended.
So my confusion here is that I did a fresh install, changed all the Bnet passwords and the main account's email (did not change the RAF email) and ran multiple virus scanners including several of the ones listed in this thread.
Maybe they just tried to reset the password to get into the account? There is an authenticator on all accounts and so maybe that is all they got to do from previously collected data?
This has been very traumatic, and when I try to call I get a message to just call back later, so much for customer service!!!
FRUSTRATED!!
Have you tried Kaspersky virus checker? You can get it for a free 30 day trial but I would consider it the best out there (switched from Norton years ago as it was finding viruses Norton couldn't see). If you want a thorough check I would recommend a full scan with that (I use the Internet Security version).
http://www.kaspersky.co.uk/trials
EDIT: I should add it does more than virus checking, it's also a full firewall and detects keylogging etc.
raylion
06-10-2010, 01:36 PM
Ignore this mis-post...fat fingers and small keys.
crowdx
06-10-2010, 01:37 PM
I have used, AVG, NOD32 and Bitdefender (full version). I will try Kaspersky and see what it sees :P
BobGnarly
06-10-2010, 05:16 PM
Nuke it, from orbit.
/shrug
It's the only way to be sure. =P
crowdx
06-10-2010, 05:23 PM
So I just got off the phone with blizzard, took the advice above and just kept hitting redial.
The latest accounts which got suspended have been escalated to their next level because there is no evidence as to why the accounts have been flagged, no suspicious activity, nothing, so something is wrong on Blizzard's side.
As a side note, I took my notebook, formatted the drive, disconnected the battery for 5 minutes, reinstalled windows, did all the windows updates and now running a full scan with Kaspersky to see what it finds.
The rep says it will take about 8 - 10 days to restore my accounts and that they will be restored to the way they were before the attack.
On a side note I spoke to the rep about ip tracking and blizzard is working on ip filtering to flag accounts being accessed from outside of the US for US realms, he said they are working on a lot of modifications to help them more with these kind of issues.
So now it is the waiting game, I just want all the accounts playable so that I can continue to level my alts.
crowdx
06-14-2010, 11:21 AM
Just a quick update on this thread.
I finally on Friday (after multiple account pswd resets on a Bnet account) did a full format of my laptop due to getting an error when I tried to use remote desktop, telling me that a connection was already active.
I did a full format of the drive, deleted all partitions etc. I then disconnected my cable modem for about 15 minutes so that it would pull a new IP (provider does not give fixed IPs but the IP rarely changes unless there is a power outage). I then did another fresh install, and ran virus scans on any files I copied back to the machine. So far I seem to be clear.
The moral of the story as already stated above is that virus scanners etc were all pretty much useless, none of them caught what was attacking the machine and all of them reflected that there were no threats present.
Now I am just waiting hopefully that my toons are restored by Blizzard, 7 days now since the original ticket was opened :(
Arneas
06-15-2010, 01:16 PM
Do you need to petition on each one of your accounts if they are all under the same battle.net id? Or on each character that was lost? Or will they just look at the whole battle.net ID to do the restore?
My RAF runs out on the 20th for one of my accounts and the 1st of July for the rest. I'm worried I won't be able to get my stuff back in time.
On a somewhat related note... I had a level 1 bank alt that was going to get replaced with a RAF paladin (it's the last slot on my account, the rest are all 60+). The bank alt was stripped. I'm afraid that I can't delete it because it's got like 3K gold and a ton of stuff that would get restored, but if they don't restore before RAF runs out I'm in a world of hurt.
Do you guys think that if I petitioned they might do the refund/restore to a different character on the same account?
crowdx
06-15-2010, 02:38 PM
From speaking with Blizzard they said they would do a full research on the battle net account and not the individual accounts within it. They said that they would restore the accounts pre-hack once the investigation was complete. I am 8 days now from the original hack and still no sign of any restoration. From what people have posted here, I believe gear etc will be mailed to the toons and Blizz said they will take care of moving the toons which were transferred to other realms.
I think you may have to wait for the restoration before deleting your bank alt though, possibly worth calling blizz and asking them to extend your RAF expiration date? Not sure if they can do it, but worth a shot.
jimbobobb
06-28-2010, 02:54 AM
Hey crowd can we get an update?
The reason I ask is I was hacked this morning. Got to work, and had two emails:
one from a real life friend who is in my alt guild saying "dude you got hacked pick up your damn phone"
and one from blizzard saying "you are suspended 72 hours for abusing the in-game economy"
So I sent in the whole email, and such, and will try to call customer service when I can, but I was wondering if you had gotten it all sorted, and what kind of time-line I would be looking at here.
I'm basically in the same boat as you - don't use the comp for anything other than wow, Eve, and work (which requires no internet connectivity). I use barely any addons (jamba, dbm, macaroon, omen) and don't use the curse client. I have a laptop that I use for browsing. I am completely stumped as to how I was compromised, but I will be doing a full reformat when I get home today.
So did it all get squared away? If so how long did it take you?
On a side note I spoke to the rep about ip tracking and blizzard is working on ip filtering to flag accounts being accessed from outside of the US for US realms, he said they are working on a lot of modifications to help them more with these kind of issues..
... and suddenly all Australians got their accounts blocked >.<
wouldn't surprise me if it happened actually, no one knows we exist. (and it's probably better like that :p)