Is there any information on how this virus has started to spread? Malicious banner? Infected "addon"?
So basically if the people that wrote the trojan made it to hack a wow account (not sure if that is what it was designed for) then they also would have a script which would automatically log onto your battlenet account and disable the authenticator all in a few seconds of getting the code.
As for trying to log in and getting an error and immediately on the second try calling blizzard or believing your account has been hacked, personally I have entered wrong passwords more than once on my WoW accounts and so getting it wrong twice would not be a red flag.
I do know that I just added an authenticator just last week due to my virus scanner finding a trojan on my machine which I instantly deleted and then waited until the authenticator was in place before logging onto WoW (I had the authenticator from Christmas but had not used it).
This was the first time in many years that I have gotten infected, I never open attachments etc and not 100% sure where it came from, only possibility is that one of the other family members used my machine (they are banned from it but for some reason my machine does not always prompt for its password when it comes out of screen saver mode).
Overall, security is always only one step away from the hackers, sometimes the hacker is ahead and sometimes the security, just a game of cat and mouse.
My 5 Man team
http://www.wowarmory.com/character-sheet.xml?r=Uther&n=Abhram
http://www.wowarmory.com/character-sheet.xml?r=Uther&n=Stallker
http://www.wowarmory.com/character-sheet.xml?r=Uther&n=Allspark
http://www.wowarmory.com/character-sheet.xml?r=Uther&n=Shámán
http://www.wowarmory.com/character-sheet.xml?r=Uther&cn=Shammyhealz
"which would automatically log onto your battlenet account and disable the authenticator all in a few seconds of getting the code."
If someone wishes to remove an Authenticator from the account, don't they need to enter the Serial Number of the device before it's cleared? I haven't tried, so I may be wrong.
•Aenar• °draenei paladin°•Benzites• •Colatas• •Darzok• •Ebers•±± quad-shaman ±±« Space Goats »
Indeed, the faq says so.
Then what is the point of getting the code? There is no way for a hacker to get the serial and with only a minute or so of opportunity to log onto the hacked account it would mean that the hacker would have to have a bot or some like to auto log into the account and automatically go through the toons, disenchanting the gear and mailing gold and mats to their own toons?
Having said that, I think I read it here somewhere that it is a bot that is used to clear out hacked accounts?
crowdx, obviously if you are infected and try to log in again your login attempt will fail again. Not everyone has a secondary (clean) computer they can use to login with after 30 seconds (when they get a new code on authenticator).
Using retrieve password after every logout should make your account as safe as your mailbox is, which would help a bit.
Last edited by Pycno : 03-01-2010 at 02:04 PM
Pycnopodia - Pycnopodiá - Pycnopodià - Pycnopodiâ - Pycnopodiã
<Vengeance> - World PvP Guild
[A] Outland-EU
I lost you somewhere Pycno, I am not understanding your point!
The point is they have a lot more than a minute or two. As long as you keep logging in on the affected computer your login will fail. So they have until you get fed up and call Blizzard, maybe an hour maybe a day.
And each time you try to log in you give them another authenticator code to do more damage to your account with.
Likely they use the first one to change your password so you can't log in via the Internet.
Then the next time you try to log onto your account they use that auth code to log into the game and start clearing your account out.
To manually remove the authenticator from an account from the Battle.net site, you do not need to have the serial number to the authenticator.
However, you do need to input 2 consecutive authenticator keys. That protection makes this type of attack nearly impossible to carry out. Not impossible, just nearly so.
In order to remove the authenticator from a Battle.net account when you no longer have access to the authenticator is a bit more problematic. I have had 2 iPhones crap out taking the authenticator program with it, and since the authenticator program uses the serial number of the phone itself as a portion of the key generation algorithm, this means that a restore to a new iPhone does not result in the correct key being produced. I have had to fax in a form to Blizzard with specific account information and also a photocopy of my government issued ID card (for me a driver's license) and they then removed the authenticator from the account.
Just FYI.
World of Warcraft - Bronzebeard (Horde)
Primary team - 4 Blood DK, Disc Priest (110, ilvl 880-ish)
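An added example, not part of the thread or of Blizzard's code: a sketch of the two server-side checks discussed above, burning each code after one use and requiring codes from two adjacent time steps before the authenticator can be removed. The thread does not describe the authenticator's algorithm, so an RFC 6238-style TOTP stands in for it, and the `Account` class, its method names, the 30-second step and the 8-digit length are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code (assumed; the thread mentions a new code after 30 seconds)
DIGITS = 8   # code length (assumed)


def totp(secret: bytes, step: int) -> str:
    """RFC 6238-style code for one time step (stand-in for the real algorithm)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Account:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used = -1            # highest time step already consumed
        self.has_authenticator = True

    def _match(self, code: str, now: float):
        """Return the unused time step (current +/- 1) that produced code, else None."""
        current = int(now) // STEP
        for step in (current - 1, current, current + 1):
            if step > self.last_used and hmac.compare_digest(totp(self.secret, step), code):
                return step
        return None

    def login(self, code: str, now: float) -> bool:
        step = self._match(code, now)
        if step is None:
            return False
        self.last_used = step          # burn the code so a replay fails
        return True

    def remove_authenticator(self, first: str, second: str, now: float) -> bool:
        """Sensitive change: requires codes from two adjacent time steps."""
        s1, s2 = self._match(first, now), self._match(second, now)
        if s1 is None or s2 is None or s2 != s1 + 1:
            return False
        self.last_used = s2
        self.has_authenticator = False
        return True
```

With these checks a single intercepted code is good for at most one login and never for removal, which is why password changes and authenticator removal are the operations worth gating behind the stricter test.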