Rae & Darq's accounts hacked -

Unfortunately, not many people come here, so I am glad I changed the guild note yesterday.

By now, many of you know Rae's account was hacked - password changed, and then they cleared out all her characters gear, money, banks. Used Cham to gut the guild bank of items, and withdrew all the money between Rae/Rockin & Cham.

Then, they put Raessa in for a transfer to another server.

Well, basically, Blizz reviewed the account logs, and say a specialist on monday will begin the character & guild vault restorations, as much as is possible. They know she was hacked, and will fix it as best as they can.

Today, I spent day trying to clean Rae's computer (I'm pretty good with that stuff).

While I was doing that, someone hacked my account, too. And basically did the same to me.

1/2 of darq's equip gear is gone. Rod & Rather are completley gutted - still there, but naked. Gatlin - the enchanter - is GONE from the game - probably put in for transfer, or deleted.

Taeraah seems to have been left alone; I haven't checked horde toon yet, but all under lvl 40. (& Rae's hordeside seem to have been left alone).

So, Blizz & the GMs got reports in from me & other gamers when it was happening. We can't risk logging in with Rae to file the complaints in game, but we are ok here.

So, this is end of Part 1. In the next part, I will tell you all how we think it was done, from what we research/GMs have told us -

ok, I can't say too much, because they are still trying to figure out the source, but here is what I do know:

It was a keylogger, and they use it ONLY to steal WoW accounts. There is a very regular pattern, but it seems to involve WoW-related websites, and addon-download sites.

And of course, there is lots of stuff for people who buy gold, powerlevel service (not like the fast-level guide we use/posted up here, which is legit).

What happens is people using IE or a not-too secure Firefox go to a site like Allakazam, or to d/l an addon from a semi-secure site, like Curse gaming. When you mouse over a ad window, or go to close a popup, or choose the wrong mirror, or enter login info for a forum, it happens.

The keylogger installs, and then waits for you to enter your info for either the game or WoW forums, or similar sites (LIKE FORUMS!!!! IF YOUR WOW LOGIN INFO IS SAME AS HERE, CHANGE WOW PW NOW!!!). It takes pictures, and sends it to the hacker.

then, here is what will probably happen:

a filter bot compares the info to Armory or other model/character sites (like wowhead). If it is a high-level or guild-leading type, an alert pops up - because the hacker gets THOUSANDS of hits every day; they have to choose the 'best' people to try to hack.

The hacker will log in - weekend is better, because less Blizz customer support - or at really offpeak time. First, they change password aAND your secret question, to buy time.

Now, they look for highest level enchanter, and start there.

All items will be DE-ed or vendored that can. gold raided. many things deleted just to be mean. An enchantre is chosen, hopefully one with guild bank access. If not, the person may drop a profession, and powerlevel enchanting and/or alchemy - so they can DE guild vault , bank and inventory items, or make stacks of potions to move out.

Then, it gets bad.

If 60+, they go to Shadow Lab or Slave pen, and use a speed/teleport hack to get to a chest. They try to open them & loot before dying, and reset. This is all probably done with botting programs. They want the blue items, and this is fastest way - again, for DEing. GMs catch them a lot at this point, at whcich time you will be banned for 'game mechanics exploitation.'

They may join high-level PUGs for the same purpose - to ninja & hearth.

Or they may just run around naked, cursing, harrassing. Or trying to spam gold buying/selling/powerleveling services. If you get banned, it just buys them more time while you have to figureout how to file a complaint through e-mail.

Sometimes, a high-level character will be put in for realm transfers - they are hoping to either sell it off, or to use it to commit more wow crime on another realm. If your credit card info is with wow, then the hacker can just do a 'paid realm transfer.' They did that with Rae (but she is on her way back to CC now), and they either deleted Gatlin, or tried to tranfer him (we are waiting to find out).

Or, they may just delete the character.

There are 2 known gangs doing this - 1 in China (college students) and 1 organize crime ring in Russia.

As of now, these hackers ONLY want wow stuffs - because it is a very low-ranked cybercrime; almost impossible to trace/prosecute internationally, and not as harsh punishment as stealing credit card info, driver ID, govt. ID, etc.

There are a few things you can do to help/reduce the chance, but not many - this is a VERY sophisticate attack plan!!!

End of Part 2 >.<

another explanation, cut from someone's blog -

The commonly held opinion is not that the addons themselves compromise you, nor even the websites you got them from, specifically.. what it seems to be is as follows... these legitimate sites (most purportedly curse gaming and thottbot) try to offset their cost with affiliate advertising. These advertisements, from their end, is basically just html code that says "advertisement goes here" to their advertising parters, and the ad company fills in the ads on the fly via javascript.

So what seems to happen is the hackers purchase advertising from the ad company to run on these legitimate sites, and the ad code itself that the hackers provide embeds malicious code inside the very advertisement, also in javascript, which exploits whatever security hole du jour has not been patched yet in IE or perhaps even XP itself to then execute code on your computer, which basically infects you with a 0-day keylogger (zero day meaning it's so freshly created that it doesn't even show up for most virus scanners because they don't even know to look for it yet). The keylogger then actively waits for you to log in to warcraft, copies your username and password and sends it home to the hacker. This is pure speculation on my part, but I would think at this point the keylogger would probably unload and delete itself so as to avoid detection and as such prevent an antivirus solution from being built to counteract it.

This makes for a tough nut to crack. The website you visit isn't strictly at fault because they can't control what advertisements their affiliate agency puts on their site. The affiliate agency can't disable scripting in their advertisements or else their whole ad structure stops working altogether. The antivirus companies can't get a copy of the malicious code in question because it's all largely memory resident and then gone after execution (no files to dissect and look for byte patterns to update their virus definitions with), and new vulnerabilities are found in windows as quickly as microsoft fixes them (and the hackers are willing and able to spend the time changing their code to exploit the new holes and abandon the old ones).

End of part 3 >.< However, part 4 offers some hope - some fixes/suggestions - have to walk dog w/ Rae; will do that next ~

hmmm - I think I will actually make a new topic/thread for this. (the protecting part)

We are having to re-establish/authorize our accounts - we just faxed off photocopy of our IDs today.

Gatlin has reappeared on Armory, but is stripped of all gear.

As for the guild bank? I will ask in my next letter out to Blizz (we are STILL waiting on Raessa to return!!!); you could try putting in a ticket to ask a GM (it should probably come from Plum), but i think they will handle it as our accounts are being resolved.

Right now, our accounts are locked, until our accounts are re-authorized, we set new questions/passwords, and put in a new credit card. It should be in next few days.

~D~

We miss you

We miss you all, too - but are also busy IRL, so if it had to happen, this is a good time.

Also, check the officer stuff - (about guild bank resto).

We will be back in today, after Rae wakes up. Got our new passwords, security/billing sorted out, etc.

Just want to wait for Rae to wake up, so we can log in together.

~D~

YAY!!!!!!
OMW to game to wait for you all

le booo - - -

After all that fussing, we got sent temp passwords, so we could log in to account page, reset passwords, and then log in to game.

And the passwords we got sent don't work for either account. >.<

So another mail to AccountAdmin, that we are waiting for answer to.

. . .

I hate this!!!

This is pissing me off... I'm driving down to blizz to kick somebody's ass!!!!

I need names

Okay, for as good as in game help is, THIS FUCKIN SUCKS!! Blizz needs to get their head out of their posterier and do something correctly. Not dick around with darq and rae. Don't they know who you are. Your very important people. The kind of people that makes things happen, movers and shaker people. I say if they don't get it right you fire them for incompitance with in doing their job for some oh my gawd important people.

ok, we JUST got new temp passwords, but it is 3 am, & Rae is asleep.

We will try logging in today our time.

Cross your fingers!

D & R