Salutations,

Today I received an email of my first account that had the password reset. Somehow the person got into my email and then changed the password to his. I logged on that character and no items, no gold and stuck in Astrannar with no money (@ 28 ) >< to fly. I made the long walk back and changed the passwords on all accounts. I deleted all internet history files and ran mcafee, nothing found. I am very frightened at the thought of all my progress going in the drain, let alone the cost of it all (given that the hacker has my secret word because he had retrieved the password). Are there any other precautions I can take, if it was or wasnt a keylogger? Also, I do wish to recognize the fact of my usage of the term hacker, I am sorry if I offended anyone by the term, for I meant it as in malicious hacker, not one who is just talented with software.

On the same note, I found a lvl 6 hunter on the same server that had been leveled by the hacker, odd enough huh? Ill keep you posted to see if the password is changed again, but any suggestions to ridding the potential of the keylogger is greatly appreciated.

Qlimax

backup important data and reformat the hard drive(s), then reinstall the OS, etc. That is by far the best way to make sure you get rid of something like that.

Use firefox and noscript for internet browsing, run manual adaware scans after installing each addon or downloading, reinstall now, contact Blizzard over the account to get the secret question changed and email address changed immediately. Keep in mind they will most likely lock down the account if they feel you did not adequately secure it, but can get to work restoring items.

Hackers just don't happen :S It was a keylogger, or the eventual conclusion of account sharing :(

Make sure you have a firewall , and good up to date spy, virus blocker. Do use your account on any other PCs. only yours

I had my account hacked.. level 70 rogue.. never leveled up my lockpicking or mining... got it back.. lockpicking and mining maxed out.. and 3k gold... all my stuff pretty much sold off on alts..

I put in a GM ticket and got all of my stuff back.. and they took 800 gold from me.. cause thats all that was left :D

I would make sure you delete you Interface folder and WTF folder just to be sure...

I got my 3 70's hacked a long time ago after downloading an addon from a no-name site. My buddy got hacked at the same time and he downloaded the same addon. Just becareful what addons you put on the system and where you get it.

Most definitely file an in-game ticket about the hack ASAP, and either wipe the machine or unload all the anti-virus protection and scanning devices you can on it. (I prefer to just wipe the machine) Remember to include dates in your in-game ticket (i.e. I last used the account on <this> day and the password was changed on <this> day and I regained control of the account on <this> day) -- this can help the GM identify that indeed your account was not under your control if the hacker did anything nefarious while you were on it.

GMs can do restorations in order to get your gear/money back, but there will be an investigation involved and it will likely take a few weeks. Check the customer service forums (on a different computer, since you have to put your account name/password in there to log in) for help -- they have some stickies as well as GMs that can answer your questions.

Don't be surprised if you get a late ban for exploiting/spamming -- Blizzard often detects account compromise late and will ban the account for your (the original owner's) safety in case the hacker still has access to your account.

I had my account hacked.. level 70 rogue.. never leveled up my lockpicking or mining... got it back.. lockpicking and mining maxed out.. and 3k gold... all my stuff pretty much sold off on alts..

I put in a GM ticket and got all of my stuff back.. and they took 800 gold from me.. cause thats all that was left :D

I would make sure you delete you Interface folder and WTF folder just to be sure...

My priest got hacked once. Kid farmed 2k gold in DM.

The account got suspended due to it being compromised, but I got it and the gold back.

I appreciate all your help, and I have taken the provided advice and applied it. I am currently in the process of trying to isolate the problem area, but I do believe I will 'wipe' the machine eventually. As a technically impaired individual, when you say 'wipe' the harddrive, do you mean reformat it and re-install the OS, or something else? I use McAfee Anti-Virus, Nvidia Firewall, System Mechanic and removed everything they could. Unforunately I had not downloaded any file, nor go to any questionable site, other than the website of the popular youtube character, Athene. This is the only thing I can think of that may have lead to the interceoption of the virus. Is there anyway to find out if I had removed it in the spyware, antivirus waves other than not getting "hacked" again? I greatly appreciate this, and I am sorry to the others who have had to experience this.
Qlimax

My priest got hacked once. Kid farmed 2k gold in DM.

The account got suspended due to it being compromised, but I got it and the gold back.

Did you reformat your harddrive or did you just hit it with antivirus and spyware?

I suggest that before downloading addons first check and see if there is a Download count for it, to tell you how many times people have downloaded it and if there is a star rating of any sort. Most addon sites have a place for people to place comments about it below as well.

Personally I only download addons form curse, wow interfact, ace etc. All the well know, top google reslt searchs.

I suggest if your looking for an addon, don't go to google and search the addon name, rather search for "world of warcraft up-to-date addons", then go to one of the top sites listed there and then search for the addon via that site.

But yeah, contact Blizzard, ingame and out then the waiting game starts. I'm afraid sometimes blizz can take a few months to restore you items.

[...] GMs can do restorations in order to get your gear/money back[...]
I'm usually not that positive about Blizzard's support, but that is just awesome!


btw: your icon is the cutest

Did you reformat your harddrive or did you just hit it with antivirus and spyware?

I'd reformat. Given the proliforation of rootkits these days I'd never trust the machine again until I did. You could try running RootkitRevealer:
http://www.microsoft.com/technet/sysinternals/securityutilities.mspx?wt.svl=featured

Use firefox and noscript for internet browsing,

Agreed.

Until recently, I foolishly thought Firefox alone would be enough to protect me from malicious websites, but then I heard of people getting their accounts ripped off even though they claimed to be secure. I've since added AdBlock and NoScript addons to ensure that my browser only downloads and runs what I tell it it can.

NoScript is pretty damn useful but it can be a bit annoying when you first start using it, as it'll be very spammy with warnings about javascript or flash on nearly every website you visit, but as time goes by and you allow/block sites it'll quieten down.

One example of how to use it:

Visit http://www.wowhead.com/ for example.
The Wowhead homepage will load up with a big message saying that "This site makes extensive use of JavaScript. Please enable JavaScript in your browser". JavaScript is probably already enabled but NoScript has prevented the scripts from running.
Then look at the notification bar that has popped up at the bottom of your browser window. Click the 'Options' button and a menu will pop up, with the following entries:

Allow wowhead.com
Temporarily allow wowhead.com
-
Allow google-analytics.com
Temporarily allow google-analytics.com
-
Allow quantserv.com
Temporarily allow quantserv.com

The key here is to allow only those script sources that are required for the wowhead site to function correctly, so I start by allowing wowhead.com. This is sufficient for wowhead to work fully, so I leave the other two script sources blocked. Google-analytics is probably trustworthy, but I would guess it's something to do with analysing web usage, which I don't really care about so it can stay blocked. No idea what quantserv.com does, so I leave that blocked too.

For most websites, you'll have to make similar decisions. Often you'll need to allow scripts coming from the website that you're actually visiting, but scripts from third parties are probably better left blocked.

NoScript also blocks Flash objects, so if you visit youtube for example, no videos will be displayed because they're delivered using Flash. You'd need to allow "youtube.com" and "ytimg.com" on the NoScript options menu for that site to work properly.

Using AdBlock alongside NoScript will block a lot of Flash ad's before NoScript even sees them, so it'll reduce the number of scripts/objects that you need to consider allowing or denying.

Hope this is useful.

Some notes in no particular order:


- Wiping the machine: Use a tool like Darik's Boot and Nuke (http://dban.sourceforge.net/). It writes zero's across the entire hard drive.
- Always use a trusted source for software installations: I try to keep anything I install from a CD that came from the manufacturer, and it still gets scanned with anti-virus software. I lose out on flavor of the week software, but I have also saved myself from numerous problems.
- Use Virtual Machines for web browsing: Create a virtual machine and then use the snapshot feature of your virtual machine software. Do all your web browsing from this machine. When you are done, revert back to the snapshot. Extra points if you use a separate virtual machine for your banking and dual-boxing.com forum browsing.
- Hardware multiboxing Advantage: My hardware machines are used for one purpose, and one purpose only, warcraft. I use my mac and virtual machines for everything else. I guess if I really wanted to I could put quick-swap hard drive trays in and use them for something else, but my mac mini can handle everything except gaming and CAD.

- Hardware based firewall to compliment the Hardware Multiboxing Advantage: My hardware machines are also behind a LinkSys WRT54L with OpenWrt firmware on it. This gives me the ability to define inbound and outbound filtering rules. The only destinations those boxes can send to is Blizzard, and they only accept traffic from Blizzard as well. Even if something did manage to make its way on to those boxes, the "something" would have a hard time calling home with my password. The firewall will drop the network traffic and make a note of it in the logs.

- Computer security isn't simple, consulting companies make millions selling snake oil and actual solutions. I've found the best solutions involve a very expensive component - training.

- Buy a mac: No this one won't really solve your problems, but I spend my days working in the Windows world. It is really nice coming home to a computer that just works.

I'd like to clear up a few misconceptions here regarding addons containing keyloggers. I've been part of writing quite a few addons, and I work as a software engineer. Take that as you will for my experience on the subject.

WoW has limited access to what it can write out to or read from an OS's file. All mmo's that allow lua in the UI or in modding also follow this rule. They do not have free reign over your computer and are not able to do whatever they want to do like some people seem to think. That is one of the reasons mp3 player addons are so inaccurate, because of the way it has to try and guess the song's length and such.

An addon itself can NOT contain a keylogger that does anything. I could write an addon that has 500 keyloggers in it, then have you download it, but those keyloggers would not be able to do anything. This is because of the way LUA is designed and the way WoW handles compiling and loading those addons at startup when your character first logs into the world. LUA can not run without a compiler executing it and telling it to run. Just writing it out on notepad or a programming IDE does absolutely nothing. There needs to be a way for said keylogger to be executed.

Not only that, but Blizzard's compiler is extremely, and I mean extremely smart - almost robot AI smart like and will block a shit load of LUA code. Anything that even looks nefarious will get blocked because the LUA code is being compiled by WoW. Many of the times this is what leads to errors for authors - the code works fine, but the compiler thinks it is nefarious so it will give you errors.

The WoW compiler only loads up said addons after your character has already logged in. So, the addons themselves, even if they found a way to get a keylogger to work in an addon would not make a difference because they would not be executed until after your character was already in game - which brings back the previous point of WoW having very little access and permissions to what it can do to your computer and OS outside of WoW, and the addons themselves are being compiled by WoW. As soon as you log back to the character select screen - the addons are shut back off again. The contents of the WTF folder are nothing more than saved variables. If you open those files - you will see server names, character names and saved options. These files follow the same routine as the interface folder and only get loaded at the point of your character entering the world.

The addons that let you view stuff or interact with them offline - they are quite a bit different, like the bank ones that let you see the inventory or talents of all your characters while offline. These have a possibility of containing a keylogger, BUT there would have to be a script executed first, and the only way for something like to happen would be with one of those boxes popping up saying xxxx is trying to run yyyy script - allow this yes or no, and you click yes would be the only way to allow that to happen.

Despite what many people want to think about blizzard and think they may be dumb, etc. etc. etc. - they were actually very smart in quite a few ways with their UI design. The ONLY way a keylogger can run off of an addon is if you tell it that it is allowed to run a script outside of WoW. Let me reiterate that - you have to actually click yes to the question of to allow xxxx to run yyyy script or not. This will execute the keylogger outside of WoW, but without clicking yes, there is no way for the script to execute outside of WoW and no way for it to get onto your computer.

If you want my opinion - I think you got it from the website itself, not the actual addon. I am also very suspect of the AceUpdater and is why I update all my addons by manual download and not the AceUpdater. Anything that is automated like the updater is going to be running some kind of script on your pc, and be running it from outside of WoW. There was that big scare not too long ago from the thottbot, and wowhead websites and such where anyone that visited the websites was getting infected. I'd think it would be something like this.

Hope you get it all sorted out.

Personally, as much as I enjoy my Shammy team, if I got hacked, my first call is to my bank, not Blizzard. That said, my bank uses a screen keyboard with randomized key-positions for my login. If my bank were to use Blizzards two hack-me-now text boxes for logging in, there's no way I'd use that bank for Internet banking. Despite every precaution listed here - and they're all worthy steps to be taken - there is ultimately no way to completely protect yourself, short of going offline and never reconnecting to the Internet. I've worked in IT for 20 years now, the last 6 at IBM, and I am always amazed (and a little disturbed...lol) by what the hacker-heads over in our Security competentcies are able to get past, through, over, under or around.

I would very much like to see Blizzard use an on-screen keyboard - as a purely optional login method for those that want it - as I know I'd be quite happy to log in via this way. As much as my Shaman team is light years behind other more critical internet transactions I make, I'd still like to add another layer of protection if I could.

Still, do what the previous posters have said - while you may never make your computer impervious (and anyone who thinks they have is kidding themselves), at the very least, you shouldn't make it easy either.

- Wiping the machine: Use a tool like Darik's Boot and Nuke (http://dban.sourceforge.net/). It writes zero's across the entire hard drive.Overkill. Complete and utter overkill. You are wasting hours of time when a simple removal of partitions would suffice. The ONLY reason to run DBAN is if you want to scrub the system for disposal. To reinstall, just make sure you delete all partitions before you reinstall. Create a new partition and install on it, the filesystem won't be in tact and the applications previously there would take a heroic effort to reclaim from the void.

- Use Virtual Machines for web browsing: Create a virtual machine and then use the snapshot feature of your virtual machine software. Do all your web browsing from this machine. When you are done, revert back to the snapshot. Extra points if you use a separate virtual machine for your banking and dual-boxing.com forum browsing.This isn't a bad idea at all, if you are simply web-browsing there are even easier solutions. Download a Knoppix ('http://www.knopper.net/knoppix-mirrors/index-en.html') ISO and you can boot this in a virtual machine and surf away with impunity. Since the environment is rebuilt every boot, there is no possibility of a keylogger or some such... since ti's a VM it can't bone your system.

- Buy a mac: No this one won't really solve your problems, but I spend my days working in the Windows world. It is really nice coming home to a computer that just works.There was a day in not too recent history I would have flamed you for this sort of mentality. But I have to admit, a computer that simply works is an absurd idea... I hope that as Mac gains market share that they can prevent the absurd amount of spyware that has infested the PC world. As their market share grows, so will the target on their back.

----------------

That said, no UI mod can give you a keylogger. Can a keylogger be packaged with a UI mod? Yes. Can a Keylogger INSTALL a UI mod? Yes.

The biggest tip I have for you in this case... open my computer... click tools menu (press alt in vista to make the menu's appear), options (folder options in vista), click on the view tab. Find Hide extensions for known file types and UNCHECK IT. Hit OK and then go about your life.

With this option checked...

Niftyscreenshot.jpg.exe will show up as Niftyscreenshot.jpg and most people won't think anything of it... they'll run the EXE thinking it's a pretty picture... and if the nasty bastard has any skill, he'll even show you a .JPG.

Learn what file extensions do what... a .JPG is harmless, a .exe or .com or .vbs aren't... the list goes on... .zip.exe will .bend.you.over while a .zip is harmless (though it may contain nastyness.)

Learn a little about the tools you use... a guy walks into a wood shop and cuts his thumb off because he doesn't know how to use a table saw... we don't blame the manufacturer of the table saw... we blame the idiot who shoved his thumb into it without reading the directions...

Unless I'm missing something the OP also said that his secret question got stolen as well, in which case my first suspicion would be of real-life folks who have access to my information. I can understand getting your WoW login keylogged, but getting your secret question logged out of your browser on worldofwarcraft.com is another story entirely.

Download a Knoppix ('http://www.knopper.net/knoppix-mirrors/index-en.html') ISO and you can boot this in a virtual machine and surf away with impunity. Since the environment is rebuilt every boot, there is no possibility of a keylogger or some such... since ti's a VM it can't bone your system.

I used to think this too, but there have been several reports of virus authors using buffer overruns in VM software to infect the host OS. If you think about it there is nothing magic about running in a VM. If the virus can own the virtual OS then it gets to treat your main OS as just a bunch of files on disk. No system file protection, no Defender, etc. Given the limited user base of VM software, a VM is probably more likely to have unpatched critical vulnerabilities than Vista/XP/Mac OS running on native hardware.

Anytime anyone tells you that X will make you safe from viruses try typing this into your preferred search engine: "X critical vulnerability". It's an equal-opportunity way to piss off fanboys of Firefox, MAC OS, virtual machines, ... you name it! :P

[...] GMs can do restorations in order to get your gear/money back[...]
I'm usually not that positive about Blizzard's support, but that is just awesome!

Yeah, I hear there is some hoop-jumping involved, but if you can show them that there was a definite IP change in the time that you were not in control of your account, it should just take them the time to verify that you're not tryign to manipulate the system and you can usually get everything back. They don't guarantee the process, but I hear that people typically get back all of their gems/enchants and stuff down to the last piece of netherweave. :)



btw: your icon is the cutest

Thanks! That's my kitten Lilu -- we loosely named her after the female character in the movie "the 5th element". She hated the sound of Suvega's camera shutter, so she ran off immediately after this pic was taken. Hence the "deer in the headlights" look.

It would be nice if Blizzard offered up an option to purchase something like the PayPal Security Key for each account. Then again, logging in all the clones would get more interesting, and it would be five more things for the cat to hide.


Best of luck getting everything sorted out Qlimax ('http://www.dual-boxing.com/forums/index.php?page=User&userID=5693').

Good news, well at least peace of mind on my part. I reformatted, purchased System Mechanic Pro, setup the new firewalls and anti-virus. Reloaded all drivers and everything seems to be working fine. Sent in a petition to Blizzard stating that I was not requesting the gear back, I am level 31 and it was mostly bad gear ( we don't need to waste gold when there is 5 of us =P ), telling them that I was not in qontrol of the account at that time. I appreciate all your help, and I must say, out of all the bad experiences one must face in life, this is a great one to really brush up or learn about internet security and I thank this community for making my experience more knowledge oriented.

Qlimax

Use firefox and noscript for internet browsing,



Visit http://www.wowhead.com/ for example.
The Wowhead homepage will load up with a big message saying that "This site makes extensive use of JavaScript. Please enable JavaScript in your browser". JavaScript is probably already enabled but NoScript has prevented the scripts from running.
Then look at the notification bar that has popped up at the bottom of your browser window. Click the 'Options' button and a menu will pop up, with the following entries:

Allow wowhead.com
Temporarily allow wowhead.com
-
Allow google-analytics.com
Temporarily allow google-analytics.com
-
Allow quantserv.com
Temporarily allow quantserv.com




Just to put my 2 cents instead of allow everything for a site I suggest allow only the site url first. the example above yeh should only allow wowhead.com then when something doesnt work the way it should add more in.

One of the problem with the addon is if is an executable. Or if the sites says download this for auto updating addons. I only install addons that come in a nice zip format.

Well, it's a damn shame, that things like Trojans, Viruses, Keyloggers etc even exist... I just think, in the case of account hacking, that some people get jealous of others and manipulate things.. but why the hell hacking in a god-damn game account? It's just a game after all, even if I pay money for playing online... it'd be the same, if someone hacked onto my computer and manipulate some offline's game's account/savegame... It's just BS, imo..

And concerning Addon downloading: NEVER download them from pages you don't really trust, i.e. no-name pages, and if you download them, make sure you check them for any malicious things, such as keyloggers etc....rename .exe into .zip and try to open them with either WinZip, WinRAR or the Windows Explorer or any other archiver...

Hope you get it all sorted out.

Personally, as much as I enjoy my Shammy team, if I got hacked, my first call is to my bank, not Blizzard. That said, my bank uses a screen keyboard with randomized key-positions for my login. If my bank were to use Blizzards two hack-me-now text boxes for logging in, there's no way I'd use that bank for Internet banking. Despite every precaution listed here - and they're all worthy steps to be taken - there is ultimately no way to completely protect yourself, short of going offline and never reconnecting to the Internet. I've worked in IT for 20 years now, the last 6 at IBM, and I am always amazed (and a little disturbed...lol) by what the hacker-heads over in our Security competentcies are able to get past, through, over, under or around.

I would very much like to see Blizzard use an on-screen keyboard - as a purely optional login method for those that want it - as I know I'd be quite happy to log in via this way. As much as my Shaman team is light years behind other more critical internet transactions I make, I'd still like to add another layer of protection if I could.

Still, do what the previous posters have said - while you may never make your computer impervious (and anyone who thinks they have is kidding themselves), at the very least, you shouldn't make it easy either.




Blizzard's client does have the potential to use the 'onscreen' keyboard thing with randomized placement of digits. Just like inputting a pin number when you go to the ATM.

It also has the potential for a Matrix Card. On the right side the digits 1-0 are placed in a circular fashion and they spin quickly when the mouse is far away and slows down gradually when the mouse reaches the wheel. Once your mouse moves over a button all the digits are cleared so no one can see what you're clicking on.

I don't know why people on US servers aren't able to enhance account security with these features.




http://i281.photobucket.com/albums/kk201/emrys2/matrix-1.jpg

Learn what file extensions do what... a .JPG is harmless, a .exe or .com or .vbs aren't... the list goes on... .zip.exe will .bend.you.over while a .zip is harmless (though it may contain nastyness.)
I have to disagree with that statement. "Picture" files have recently become a more common attack vector for hackers. To quote Microsoft from the April security alert (aka: patch Tuesday):

Bulletin Identifier
Microsoft Security Bulletin MS08-021
Bulletin Title
Vulnerabilities in GDI Could Allow Remote Code Execution (948590) ('http://go.microsoft.com/fwlink/?LinkId=111955')
Executive Summary
This security update resolves two privately reported vulnerabilities in GDI. Exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted EMF or WMF image file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Maximum Severity Rating
Critical ('http://go.microsoft.com/fwlink/?LinkId=21140')
Impact of Vulnerability
Remote Code Execution
Detection
Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update requires a restart.
Affected Software
Microsoft Windows. For more information, see the Affected Software and Download Locations section.

Also a zip is not necessarily harmless. A buffer overrun in a common shareware package like WinZip or WinRar could easily be used to constuct an attack vector.

To avoid Key loggers .. I'm copy/pasting all my passwords ...

the only keys the trojans can intercepts is some ctrl+v

hope it's enough ...

To avoid Key loggers .. I'm copy/pasting all my passwords ...

the only keys the trojans can intercepts is some ctrl+v

hope it's enough ...
That is not really true. Most modern and half decent keyloggers can read your notepad or wordpad. Anything that you might highlight and use ctrl+c or right click copy and paste can still be read by keyloggers. Whenver you go to copy something - you are storing it somewhere to be pasted. Any half decent programmer with an understanding of how these things work can and will be able to get into the storage area and be able to read whatever he wants off of it.

If you are really dead set on protecting yourself at all costs against them, then the best thing you can do is read up on them and understand how they work. Having a thorough and intimate understanding of their inner workings is the best way to make sure you are absolutely safeguarded against them.

Otherwise, keep your virus definitions up to date, have a firewall whether it be software or hardware via router or some other way, and dont download any funny or unkown files from miscellaneous sites.

when I was hacked (stupid free wi-fi hotspot, and I logged into armory) it took them a week to restore EVERTHING even the guild bank and money from it. the GM was very nice to work with and even helped me with an alt on another server that got deleted that I found weeks later. they got an A+ from me