Seeking Help: One of my Accounts Hacked

[Unholy[S]haman]

I suggest that before downloading addons first check and see if there is a Download count for it, to tell you how many times people have downloaded it and if there is a star rating of any sort. Most addon sites have a place for people to place comments about it below as well.

Personally I only download addons form curse, wow interfact, ace etc. All the well know, top google reslt searchs.

I suggest if your looking for an addon, don't go to google and search the addon name, rather search for "world of warcraft up-to-date addons", then go to one of the top sites listed there and then search for the addon via that site.

But yeah, contact Blizzard, ingame and out then the waiting game starts. I'm afraid sometimes blizz can take a few months to restore you items.

[Ken]

[...] GMs can do restorations in order to get your gear/money back[...]

I'm usually not that positive about Blizzard's support, but that is just awesome!


btw: your icon is the cutest

[Chorizotarian]

Did you reformat your harddrive or did you just hit it with antivirus and spyware?

I'd reformat. Given the proliforation of rootkits these days I'd never trust the machine again until I did. You could try running RootkitRevealer:
http://www.microsoft.com/technet/sys...t.svl=featured

[Ozbert]

Use firefox and noscript for internet browsing,

Agreed.

Until recently, I foolishly thought Firefox alone would be enough to protect me from malicious websites, but then I heard of people getting their accounts ripped off even though they claimed to be secure. I've since added AdBlock and NoScript addons to ensure that my browser only downloads and runs what I tell it it can.

NoScript is pretty damn useful but it can be a bit annoying when you first start using it, as it'll be very spammy with warnings about javascript or flash on nearly every website you visit, but as time goes by and you allow/block sites it'll quieten down.

One example of how to use it:

Visit http://www.wowhead.com/ for example.
The Wowhead homepage will load up with a big message saying that "This site makes extensive use of JavaScript. Please enable JavaScript in your browser". JavaScript is probably already enabled but NoScript has prevented the scripts from running.
Then look at the notification bar that has popped up at the bottom of your browser window. Click the 'Options' button and a menu will pop up, with the following entries:

Allow wowhead.com
Temporarily allow wowhead.com
-
Allow google-analytics.com
Temporarily allow google-analytics.com
-
Allow quantserv.com
Temporarily allow quantserv.com

The key here is to allow only those script sources that are required for the wowhead site to function correctly, so I start by allowing wowhead.com. This is sufficient for wowhead to work fully, so I leave the other two script sources blocked. Google-analytics is probably trustworthy, but I would guess it's something to do with analysing web usage, which I don't really care about so it can stay blocked. No idea what quantserv.com does, so I leave that blocked too.

For most websites, you'll have to make similar decisions. Often you'll need to allow scripts coming from the website that you're actually visiting, but scripts from third parties are probably better left blocked.

NoScript also blocks Flash objects, so if you visit youtube for example, no videos will be displayed because they're delivered using Flash. You'd need to allow "youtube.com" and "ytimg.com" on the NoScript options menu for that site to work properly.

Using AdBlock alongside NoScript will block a lot of Flash ad's before NoScript even sees them, so it'll reduce the number of scripts/objects that you need to consider allowing or denying.

Hope this is useful.

[leukos]

Some notes in no particular order:


- Wiping the machine: Use a tool like Darik's Boot and Nuke (http://dban.sourceforge.net/). It writes zero's across the entire hard drive.
- Always use a trusted source for software installations: I try to keep anything I install from a CD that came from the manufacturer, and it still gets scanned with anti-virus software. I lose out on flavor of the week software, but I have also saved myself from numerous problems.
- Use Virtual Machines for web browsing: Create a virtual machine and then use the snapshot feature of your virtual machine software. Do all your web browsing from this machine. When you are done, revert back to the snapshot. Extra points if you use a separate virtual machine for your banking and dual-boxing.com forum browsing.
- Hardware multiboxing Advantage: My hardware machines are used for one purpose, and one purpose only, warcraft. I use my mac and virtual machines for everything else. I guess if I really wanted to I could put quick-swap hard drive trays in and use them for something else, but my mac mini can handle everything except gaming and CAD.

- Hardware based firewall to compliment the Hardware Multiboxing Advantage: My hardware machines are also behind a LinkSys WRT54L with OpenWrt firmware on it. This gives me the ability to define inbound and outbound filtering rules. The only destinations those boxes can send to is Blizzard, and they only accept traffic from Blizzard as well. Even if something did manage to make its way on to those boxes, the "something" would have a hard time calling home with my password. The firewall will drop the network traffic and make a note of it in the logs.

- Computer security isn't simple, consulting companies make millions selling snake oil and actual solutions. I've found the best solutions involve a very expensive component - training.

- Buy a mac: No this one won't really solve your problems, but I spend my days working in the Windows world. It is really nice coming home to a computer that just works.

[Enshredder]

I'd like to clear up a few misconceptions here regarding addons containing keyloggers. I've been part of writing quite a few addons, and I work as a software engineer. Take that as you will for my experience on the subject.

WoW has limited access to what it can write out to or read from an OS's file. All mmo's that allow lua in the UI or in modding also follow this rule. They do not have free reign over your computer and are not able to do whatever they want to do like some people seem to think. That is one of the reasons mp3 player addons are so inaccurate, because of the way it has to try and guess the song's length and such.

An addon itself can NOT contain a keylogger that does anything. I could write an addon that has 500 keyloggers in it, then have you download it, but those keyloggers would not be able to do anything. This is because of the way LUA is designed and the way WoW handles compiling and loading those addons at startup when your character first logs into the world. LUA can not run without a compiler executing it and telling it to run. Just writing it out on notepad or a programming IDE does absolutely nothing. There needs to be a way for said keylogger to be executed.

Not only that, but Blizzard's compiler is extremely, and I mean extremely smart - almost robot AI smart like and will block a shit load of LUA code. Anything that even looks nefarious will get blocked because the LUA code is being compiled by WoW. Many of the times this is what leads to errors for authors - the code works fine, but the compiler thinks it is nefarious so it will give you errors.

The WoW compiler only loads up said addons after your character has already logged in. So, the addons themselves, even if they found a way to get a keylogger to work in an addon would not make a difference because they would not be executed until after your character was already in game - which brings back the previous point of WoW having very little access and permissions to what it can do to your computer and OS outside of WoW, and the addons themselves are being compiled by WoW. As soon as you log back to the character select screen - the addons are shut back off again. The contents of the WTF folder are nothing more than saved variables. If you open those files - you will see server names, character names and saved options. These files follow the same routine as the interface folder and only get loaded at the point of your character entering the world.

The addons that let you view stuff or interact with them offline - they are quite a bit different, like the bank ones that let you see the inventory or talents of all your characters while offline. These have a possibility of containing a keylogger, BUT there would have to be a script executed first, and the only way for something like to happen would be with one of those boxes popping up saying xxxx is trying to run yyyy script - allow this yes or no, and you click yes would be the only way to allow that to happen.

Despite what many people want to think about blizzard and think they may be dumb, etc. etc. etc. - they were actually very smart in quite a few ways with their UI design. The ONLY way a keylogger can run off of an addon is if you tell it that it is allowed to run a script outside of WoW. Let me reiterate that - you have to actually click yes to the question of to allow xxxx to run yyyy script or not. This will execute the keylogger outside of WoW, but without clicking yes, there is no way for the script to execute outside of WoW and no way for it to get onto your computer.

If you want my opinion - I think you got it from the website itself, not the actual addon. I am also very suspect of the AceUpdater and is why I update all my addons by manual download and not the AceUpdater. Anything that is automated like the updater is going to be running some kind of script on your pc, and be running it from outside of WoW. There was that big scare not too long ago from the thottbot, and wowhead websites and such where anyone that visited the websites was getting infected. I'd think it would be something like this.

[OzPhoenix]

Hope you get it all sorted out.

Personally, as much as I enjoy my Shammy team, if I got hacked, my first call is to my bank, not Blizzard. That said, my bank uses a screen keyboard with randomized key-positions for my login. If my bank were to use Blizzards two hack-me-now text boxes for logging in, there's no way I'd use that bank for Internet banking. Despite every precaution listed here - and they're all worthy steps to be taken - there is ultimately no way to completely protect yourself, short of going offline and never reconnecting to the Internet. I've worked in IT for 20 years now, the last 6 at IBM, and I am always amazed (and a little disturbed...lol) by what the hacker-heads over in our Security competentcies are able to get past, through, over, under or around.

I would very much like to see Blizzard use an on-screen keyboard - as a purely optional login method for those that want it - as I know I'd be quite happy to log in via this way. As much as my Shaman team is light years behind other more critical internet transactions I make, I'd still like to add another layer of protection if I could.

Still, do what the previous posters have said - while you may never make your computer impervious (and anyone who thinks they have is kidding themselves), at the very least, you shouldn't make it easy either.

[zanthor]

[quote='leukos',index.php?page=Thread&postID=64598# post64598]- Wiping the machine: Use a tool like Darik's Boot and Nuke ([url]http://dban.sourceforge.net/[/url]). It writes zero's across the entire hard drive.[/quote]Overkill. Complete and utter overkill. You are wasting hours of time when a simple removal of partitions would suffice. The ONLY reason to run DBAN is if you want to scrub the system for disposal. To reinstall, just make sure you delete all partitions before you reinstall. Create a new partition and install on it, the filesystem won't be in tact and the applications previously there would take a heroic effort to reclaim from the void.
[quote='leukos',index.php?page=Thread&postID=64598# post64598]- Use Virtual Machines for web browsing: Create a virtual machine and then use the snapshot feature of your virtual machine software. Do all your web browsing from this machine. When you are done, revert back to the snapshot. Extra points if you use a separate virtual machine for your banking and dual-boxing.com forum browsing.[/quote]This isn't a bad idea at all, if you are simply web-browsing there are even easier solutions. Download a [url='http://www.knopper.net/knoppix-mirrors/index-en.html']Knoppix[/url] ISO and you can boot this in a virtual machine and surf away with impunity. Since the environment is rebuilt every boot, there is no possibility of a keylogger or some such... since ti's a VM it can't bone your system.

- Buy a mac: No this one won't really solve your problems, but I spend my days working in the Windows world. It is really nice coming home to a computer that just works.

There was a day in not too recent history I would have flamed you for this sort of mentality. But I have to admit, a computer that simply works is an absurd idea... I hope that as Mac gains market share that they can prevent the absurd amount of spyware that has infested the PC world. As their market share grows, so will the target on their back.

----------------

That said, no UI mod can give you a keylogger. Can a keylogger be packaged with a UI mod? Yes. Can a Keylogger INSTALL a UI mod? Yes.

The biggest tip I have for you in this case... open my computer... click tools menu (press alt in vista to make the menu's appear), options (folder options in vista), click on the view tab. Find Hide extensions for known file types and UNCHECK IT. Hit OK and then go about your life.

With this option checked...

Niftyscreenshot.jpg.exe will show up as Niftyscreenshot.jpg and most people won't think anything of it... they'll run the EXE thinking it's a pretty picture... and if the nasty bastard has any skill, he'll even show you a .JPG.

Learn what file extensions do what... a .JPG is harmless, a .exe or .com or .vbs aren't... the list goes on... .zip.exe will .bend.you.over while a .zip is harmless (though it may contain nastyness.)

Learn a little about the tools you use... a guy walks into a wood shop and cuts his thumb off because he doesn't know how to use a table saw... we don't blame the manufacturer of the table saw... we blame the idiot who shoved his thumb into it without reading the directions...

[Havelcek]

Unless I'm missing something the OP also said that his secret question got stolen as well, in which case my first suspicion would be of real-life folks who have access to my information. I can understand getting your WoW login keylogged, but getting your secret question logged out of your browser on worldofwarcraft.com is another story entirely.

[Chorizotarian]

Knoppix[/url] ISO and you can boot this in a virtual machine and surf away with impunity. Since the environment is rebuilt every boot, there is no possibility of a keylogger or some such... since ti's a VM it can't bone your system.

I used to think this too, but there have been several reports of virus authors using buffer overruns in VM software to infect the host OS. If you think about it there is nothing magic about running in a VM. If the virus can own the virtual OS then it gets to treat your main OS as just a bunch of files on disk. No system file protection, no Defender, etc. Given the limited user base of VM software, a VM is probably more likely to have unpatched critical vulnerabilities than Vista/XP/Mac OS running on native hardware.

Anytime anyone tells you that X will make you safe from viruses try typing this into your preferred search engine: "X critical vulnerability". It's an equal-opportunity way to piss off fanboys of Firefox, MAC OS, virtual machines, ... you name it! :P