  1. #1

    Blizzard detected a virus, de-activated all my accounts.. how?

    I got emails from Blizzard, for all 5 of my accounts, stating that they had evidence that I had a trojan/virus/keylogger. Double checked all the links, raw headers, etc - apparently legit. Their action was to de-activate all the accounts for 24 hours (which I guess means adding an authenticator to the account which doesn't exist - because now it asks for one).

    Question is: how do they determine that I'm compromised? Even though there is zero evidence that I'm compromised (other than Blizzard's little warning email, nothing has happened), I ran anti-virus anyway - found nothing. I'm assuming Warden doesn't magically find malware that modern anti-virus can't. Could this simply be triggered by someone trying to log in from another country, or a false alarm?

    Anyone else had something like this happen, or know what it's about?

  2. #2

    If the account is now asking for an authenticator and you didn't add one to it then you have been compromised, whether the email is legit or not.

    Get ready to call up billing and have a boatload of details ready to get the auth taken off, and have either a physical or mobile one ready to go and add to your account as soon as you get it back.

  3. #3

    Ah yeah, I was afraid of that. I thought maybe Blizzard's way of deactivating an account was some kind of hack job that just put a non-existent authenticator on it.

    So if the accounts were compromised, I still wonder, how the hell would Blizzard know that my PC was compromised, especially if AV shows no evidence. Could they have just guessed? Honestly I could really care less about the accounts, I play about 30 minutes a week, and I know they'll just restore all my stuff and I'll end up with more gold and items than I started with.

  4. #4

    Sounds like you got tricked bro. Those emails can look very real sometimes but never ever ever follow any links in your email from someone claiming to be Blizzard. They also don't scan your PC for viruses.

    Scenario probably goes. You got the email- followed the link- got keylogged and they added an authenticator while they clean you out.

    Customer service is open 24hrs I think. Sooner you get on it the better!

  5. #5

    Originally posted by jinkobi:
    > Sounds like you got tricked bro. Those emails can look very real sometimes but never ever ever follow any links in your email from someone claiming to be Blizzard. They also don't scan your PC for viruses.
    >
    > Scenario probably goes. You got the email- followed the link- got keylogged and they added an authenticator while they clean you out.
    >
    > Customer service is open 24hrs I think. Sooner you get on it the better!

    I seriously doubt that; I'm a security analyst by profession and have done phishing campaigns myself. I loaded the emails in a VM and inspected the headers and links which all pointed to the official Blizzard sites - they would've had to have spoofed the content client-side via a rootkit level proxy, DNS or some other method. The accounts were locked out before I even read the emails. If they managed to trick me, honestly, they deserve it.

  6. #6

    Sounds like they got you bro.

    No way Blizzard would add an authenticator -- then they would have to make sure you got that *ONE* authenticator. I know other friends of mine who have gotten hacked and have had the same scenario happen.

    Blizzard also does not scan for viruses, or trojans, or anything else really. Not even Warden scans that crap.

  7. #7

    Not sure on the validity of this claim, but one guy in trade chat was going on yesterday.

    Basically said he had been hacked in the past, talked to billing on the phone.
    And had them allow his account to be logged in from one of two IP addresses.
    But made it impossible to log in, from any other IP.

    Not sure if Blizzard has anything like this.
    But if they do, that would be the ultimate in security.

  8. #8

    1. Detected a virus, lolz? Well assuming that it did, I would think that the Warden found that secureid snooping program running. Even if you're not using the secureid authenticator Warden would still be looking for it. I would assume Warden wouldn't give you any specifics at all ever.

    2. Yeah, you don't want to be logging in from two different ASNs at the same time. Possibly don't want to be logging yourself out from a different ASN either. You want to rethink having people use your account if that is going on.

    3. I would advise not having your battle.net id be the same that you are using on various forums/blogs that you post as about wow or other geeky stuff. You will just get a steady stream of emails about your warcraft account being hacked / under investigation, password change request, etc etc. I would use a plus hack on gmail since it supports it: "crypticthinghere+yourgmailhere@gmail.com" will go to your 'yourgmailhere' account. Or similar, since nobody should be using your "crypticthinghere".
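
The ASN heuristic from point 2 above, sketched as an added example that is not part of the original post and not Blizzard's actual detection logic: it flags an account when consecutive logins arrive from different ASNs inside a short window. The event format, account names, one-hour window and `flag_asn_switches` name are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample login events: (ISO timestamp, account, source IP, ASN).
# IPs come from documentation ranges and ASNs from the documentation-reserved
# block, so nothing here refers to a real network.
SAMPLE_EVENTS = [
    ("2010-03-01T18:00:00", "acct1", "198.51.100.7", 64500),
    ("2010-03-01T18:20:00", "acct1", "203.0.113.9", 64511),  # new ASN, 20 min later
    ("2010-03-01T19:00:00", "acct2", "198.51.100.7", 64500),
    ("2010-03-01T19:05:00", "acct2", "198.51.100.8", 64500),  # new IP, same ASN
    ("2010-03-01T09:00:00", "acct3", "198.51.100.7", 64500),
    ("2010-03-03T09:00:00", "acct3", "192.0.2.44", 64496),   # new ASN, two days later
]


def flag_asn_switches(events, window=timedelta(hours=1)):
    """Return (account, previous_asn, new_asn, gap) for every login that comes
    from a different ASN than the account's previous login within `window`."""
    last_seen = {}  # account -> (time of last login, ASN of last login)
    alerts = []
    # ISO 8601 timestamps sort correctly as strings, so order by account, then time.
    for ts, account, _ip, asn in sorted(events, key=lambda e: (e[1], e[0])):
        when = datetime.fromisoformat(ts)
        previous = last_seen.get(account)
        if previous is not None:
            prev_when, prev_asn = previous
            gap = when - prev_when
            # A changed IP inside one ASN is normal (DHCP, mobile); a changed
            # ASN within minutes suggests two parties using the same account.
            if prev_asn != asn and gap <= window:
                alerts.append((account, prev_asn, asn, gap))
        last_seen[account] = (when, asn)
    return alerts


if __name__ == "__main__":
    for account, old, new, gap in flag_asn_switches(SAMPLE_EVENTS):
        print(f"{account}: AS{old} -> AS{new} after {gap}")
```

A rule like this fires on server-side login records alone, without inspecting the client machine, so a clean antivirus scan and a lockout notice are not contradictory.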

  9. #9

    Launcher contains a very crude trojan detector. I know that upon startup it looks for a limited list of trojans and might prevent you from starting the game until you do some sort of cleaning. I didn't know it could send a signal to Blizzard thus allowing them to automatically deactivate an account and send emails. Maybe a recent improvement?

  10. #10

    Originally posted by heyaz:
    > I seriously doubt that; I'm a security analyst by profession...

    Maybe your machine is clean but they detected some dodgy access to your account from elsewhere and sent out the "you've been compromised" email, thus leaving your reputation intact.
