
Probability of Authenticator failing to save accounts?



Multibocks
07-26-2010, 07:41 PM
After getting my accounts taken and finally got everything back I have noticed a troubling trend. This morning I got kicked from the server to the login screen. Now I have changed my email address, pw and added the authenticator. I also wiped my HD and installed a new operating system (win7).
This happened a few times this morning. The first time I just figured the server burped and kicked a few people. By the third time my hackles were raising. In all it happened four times. I haven't noticed anything missing on my guys, so I'm hoping that it's just my paranoia.
What I figure has happened, if anything is possible, is that I did not get rid of the trojan when I reformatted my HD. Now that they have my new login and pw they are just brute forcing my authenticator code. Is this possible?

Littleburst
07-26-2010, 07:49 PM
After getting my accounts taken and finally got everything back I have noticed a troubling trend. This morning I got kicked from the server to the login screen. Now I have changed my email address, pw and added the authenticator. I also wiped my HD and installed a new operating system (win7).
This happened a few times this morning. The first time I just figured the server burped and kicked a few people. By the third time my hackles were raising. In all it happened four times. I haven't noticed anything missing on my guys, so I'm hoping that it's just my paranoia.
What I figure has happened, if anything is possible, is that I did not get rid of the trojan when I reformatted my HD. Now that they have my new login and pw they are just brute forcing my authenticator code. Is this possible?

Yes, plenty of people with authenticators still get hacked.

Shodokan
07-26-2010, 08:01 PM
Google "wow authenticator hack" there's a DLL that hides in your computer you need to delete.

Multibocks
07-26-2010, 09:15 PM
Google "wow authenticator hack" there's a DLL that hides in your computer you need to delete.

But emcor.dll is a man in the middle attack. Unless I googled it wrong. The problem I have is that minutes after I log into my guy I get booted to the login screen. Which is not the way man in the middle works. I'm just wondering if someone is trying to brute force my account since they have two of the three pieces needed to login.

Zub
07-26-2010, 09:31 PM
hum.. the authenticator generated codes are only valid once, so if you manage to log on that code is gone and can't be reused..
can't see how they would login (and boot you out) without the authenticator *after you successfully logged in*
but then again, i don't know much.

brute forcing a 6 digit code would take a little while. Maybe go to another (clean) machine and change your pwd there.

Multibocks
07-26-2010, 11:24 PM
I use my phone to access my account. However changing pw on it won't accomplish anything if they have a Trojan on my comp.

Zub
07-27-2010, 12:32 AM
if it's a trojan, then the authenticator will take care of it
if it's a man in the middle, then you shouldn't be able to log in (iirc) as they'd snatch your details on the way to the server.

try and log in, but instead of typing your password correctly, type a variation (anagram) and then use the clipboard to move the correct letters in the right spot :-)
example, let's say your password is "multibocks", then type "ocksbultim" and copy paste the letters back in place (use the mouse to position them). i'd like to see a trojan log that.
and brute forcing 2 independent codes of 6+ characters should take some time >.<

if you still get disconnected, i reckon it's something else (network? addon? etc)
if you don't get dc'd, make sure you clean your machine well.
that's what i would try anyway.

Grondir
07-27-2010, 01:29 AM
It's been happening to me on Steamwheedle Cartel EU quite often since last patch. Get random DC's and major lag problems sometimes, but other times it's fine.

Don't think you have a security issue mate ;)

Multibocks
07-27-2010, 01:52 AM
Ok thank god I was freaking out. I kept thinking, shit if an authenticator can't save me then why bother playing anymore if it's all just gonna get sharded.

Shodokan
07-27-2010, 02:01 AM
I get kicked sometimes for no reason too man, even when loading between continents (outland, nr and azeroth)

Iceorbz
07-27-2010, 02:36 AM
man in the middle attack doesn't work anymore... the key expires on use (To the same battle.net) they would record it on the way there, not totally redirect it, and then login behind you. The key is also required to be entered prior to logging in on the forums, which is also no good. Pretty sure the virus was a MiTM- conducting a replay attack.

Maxion
07-27-2010, 06:27 AM
It's been happening to me on Steamwheedle Cartel EU quite often since last patch. Get random DC's and major lag problems sometimes, but other times it's fine.

Don't think you have a security issue mate ;)

I've been having this recently too.

Silence
07-27-2010, 07:17 AM
If you still got a/the trojan on your PC they most definitely can try to brute force your authenticator code.

Blizzard has no auto-block feature that blocks your IP after you unsuccessfully tried to log in X times.

The chance of them hitting it is about as small as winning the lottery... but they can still be trying ;p

Either way you should make sure that your PC is clean by running decent programs to check it.

Never rely on just your authenticator to keep you safe.

Silence
07-27-2010, 07:21 AM
man in the middle attack doesn't work anymore... the key expires on use (To the same battle.net) they would record it on the way there, not totally redirect it, and then login behind you. The key is also required to be entered prior to logging in on the forums, which is also no good. Pretty sure the virus was a MiTM- conducting a replay attack.

I'm pretty sure this isn't how the current man-in-middle attack works.

Your first attempt will be captured and used to log in. You will just be thinking you made a typo and enter a new code again and you can log in. They do not let you use the first code entered as the expiration has been present for a long time... we have posts about that on the forum here going way back when they made this change. You can still log in on multiple accounts with the same authenticator code at the same time.

In the meantime they will be messing around on the website doing whatever. Granted they can't do too much besides changing your password. But the next time you try to log in they will use your authenticator code to actually log in to the game and rip it.

Oswyn
07-27-2010, 08:42 AM
It's been happening to me on Steamwheedle Cartel EU quite often since last patch. Get random DC's and major lag problems sometimes, but other times it's fine.

Don't think you have a security issue mate ;)


If it happens again, run a ping test. My latency gets bad a few times (stupid ISP) and I get issues where some or all of my guys get logged off every minute or so. When it first happened, I totally thought I was being hacked.

outdrsyguy1
07-27-2010, 09:28 AM
I have random dc's but it's always when loading in or changing zones/instances. It happens maybe once to a few times a night at most.

crowdx
07-27-2010, 09:31 AM
Just as a note Multi, I did all the nuke from the sky and clean format and what I believe was still happening to my accounts was that they were tracking the connection IP and using remote desktop protocols to get back onto the machine. What finally cleared me was to power down my cable modem for about 15 minutes and then it got a new IP when it restarted. This was the only thing that got me clear.
As a side note, my issue was that they kept changing the account password (one of the trial accounts that I had at the time) which I had not put an authenticator on due to the account being about to expire.

Multibocks
07-27-2010, 12:45 PM
ah good idea I'll do that now

DLoweinc
07-27-2010, 01:57 PM
You can still log in on multiple accounts with the same authenticator code at the same time.



Using innerspace keybroadcasting I can't login with the same code, others can do this?

Fat Tire
07-27-2010, 01:59 PM
Using innerspace keybroadcasting I can't login with the same code, others can do this?

Multiple b.net accounts. All my accounts are on their own individual b.net account.

You can link your authenticator to any account. Hell I even linked it to an account that wasn't even mine while linked to my accounts at the same time.

Maxion
07-27-2010, 09:46 PM
Multiple b.net accounts. All my accounts are on their own individual b.net account.

You can link your authenticator to any account. Hell I even linked it to an account that wasn't even mine while linked to my accounts at the same time.

Indeed, still can't if all your accounts are on the same battle net account though.

Khatovar
07-28-2010, 12:04 AM
I even linked it to an account that wasn't even mine while linked to my accounts at the same time.

Yup. My husband and I each have separate Bnet accounts using the same authenticator. This way you don't have to buy individual authenticators for each member of your family.

kate
07-28-2010, 12:19 AM
In order to remove an authenticator they require 2 sequential authenticator codes.

The obvious solution to avoiding a man-in-the-middle attack is, when you fail to authenticate, to wait 30 seconds and completely skip the next code. If it was just a typo, well, you only wasted 30 seconds of your life. If it was a MITM attack, well, you just spent 30 seconds to save a whole bunch of time with their account retrieval team.

Iceorbz
07-28-2010, 12:40 AM
I'm pretty sure this isn't how the current man-in-middle attack works.

Your first attempt will be captured and used to log in. You will just be thinking you made a typo and enter a new code again and you can log in. They do not let you use the first code entered as the expiration has been present for a long time... we have posts about that on the forum here going way back when they made this change. You can still log in on multiple accounts with the same authenticator code at the same time.

In the meantime they will be messing around on the website doing whatever. Granted they can't do too much besides changing your password. But the next time you try to log in they will use your authenticator code to actually log in to the game and rip it.

The old attacks were replay attacks, and they were capturing the battle.net authentication via a trojan. They were not actively blocking the data going from you to blizzard, they were just listening to it, and then replaying it. That's when blizzard changed it to a single log in from one key.
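
[Added example, not part of any post in this thread and not Blizzard's code.] A sketch of the two server-side checks the thread discusses: a code that stops working once it has been used (the replay fix Iceorbz describes) and a cap on wrong guesses (the auto-block Silence says is missing). It assumes an RFC 6238 style time-based code with a 30-second step; the thread does not state the authenticator's actual algorithm, and the Verifier class, the lockout threshold of 5 and the sample secret are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30          # seconds per code (assumption; the thread mentions waiting 30 seconds)
DIGITS = 6         # code length discussed in the thread
MAX_FAILURES = 5   # hypothetical lockout threshold


def code_at(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP value for one time-step counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Server-side check: each time step is accepted once, failures are capped."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used_step = -1   # highest time step already consumed
        self.failures = 0

    def verify(self, code: str, now: float) -> str:
        if self.failures >= MAX_FAILURES:
            return "locked"        # further guesses are refused outright
        step = int(now // STEP)
        # Accept the current and the previous step to tolerate clock drift.
        for candidate in (step, step - 1):
            if hmac.compare_digest(code_at(self.secret, candidate), code):
                if candidate <= self.last_used_step:
                    return "replayed"   # a captured code sent a second time
                self.last_used_step = candidate
                self.failures = 0
                return "ok"
        self.failures += 1
        return "bad"


def guess_probability(attempts: int, valid_codes: int = 2) -> float:
    """Chance that `attempts` random guesses hit one of the valid codes."""
    return 1 - (1 - valid_codes / 10 ** DIGITS) ** attempts
```

With the cap in place an attacker gets at most five guesses, about a 1 in 100,000 chance; without it the same formula applies to however many guesses are allowed.
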

Silence
07-28-2010, 07:14 AM
The old attacks were replay attacks, and they were capturing the battle.net authentication via a trojan. They were not actively blocking the data going from you to blizzard, they were just listening to it, and then replaying it. That's when blizzard changed it to a single log in from one key.

Fair enough... I was thinking more about the current method ;p

It all comes down to keeping your computer safe.

If you insist on visiting certain types of sites then it would be wise to run your internet explorer in a sandbox (certain firewall software can also do this for you like comodo) or separate virtual environment. This way you completely separate your "shady" browsing from your overly important gaming stuffs ;p

Maxion
07-28-2010, 05:52 PM
Fair enough... I was thinking more about the current method ;p

It all comes down to keeping your computer safe.

If you insist on visiting certain types of sites then it would be wise to run your internet explorer in a sandbox (certain firewall software can also do this for you like comodo) or separate virtual environment. This way you completely separate your "shady" browsing from your overly important gaming stuffs ;p

Or just use firefox with the noscript addon since internet explorer is so riddled with security holes that it is like running a program designed to be a big back door to your computer.

Silence
07-29-2010, 10:28 AM
Or just use firefox with the noscript addon since internet explorer is so riddled with security holes that it is like running a program designed to be a big back door to your computer.

I use that too yes... but it's still not protecting you from sites you do give "access" to because you want to visit it.

It's better than IE security-wise in any case ;p

ElectronDF
07-29-2010, 01:36 PM
I have a DSL and cable connection. My DSL was from a local company instead of a national one. I LOVED my DSL from SWBell. It was fast, never blocked (email, P2P, webserver, etc), fast, and reliable. It never went down in 5 years. My cable in the past would go out once every 6 months for like 5 mins up to 2 hours. Hence my reason for having both. Now, my DSL is not reliable, drops connection like once a day for like 10 secs and then comes back. Guess what happens to my WOWs when the internet goes away....

I am just offering some thought. Your internet doesn't have to go away forever for WOW to dump you. You might watch the modem's connection lights. Or check on its status page for time connected. Or check internet connection uptime. Whatever the phrase or place is, it might tell you if your connection is the problem. If it happens to me, I just repair the network connection and it finds my cable modem first (most reliable now) and all is fixed.

I too had a first thought that it was a hacker. But I have an authenticator and have for a while, so I don't feel that way anymore. I just think it is Blizzard's servers kicking off random people. You know AT&T hosts WOW, right? No, no one has ever had a dropped call off a cell phone. They are good, but wouldn't put it past them to keep 99.9% of people online constantly. But what is .1% of 200,000. That could be you.

Mickthathick
07-30-2010, 12:05 AM
Sounds like you are having d/c issue not a hacking issue.

Check your connection/phone line/addons. Especially addons, I was having d/c issues on my main account caused purely by using out of date addons.