12 comments

[ 2.2 ms ] story [ 37.7 ms ] thread
To my knowledge, this is the first attack that is in the wild against RSA and similar SecurID token type devices. Basically, the virus intercepts your keystrokes while you are logging in, instantly submitting (your constantly changing code) to Blizzard, and removing the authenticator device from your account.

I read before that the average World of Warcraft account is worth about $10 on the black market, much higher than a credit card number, so that explains why it is one of the first targets for new and innovative hacks that are designed to thwart 2 factor authentication.

WoW authenticator tokens are single-use with a 30-second lifetime. On one hand, it's a testament to Blizzard's effectiveness in pushing them on the playerbase - the fact that enough accounts are protected by them now that the bad guys have to target them specifically is pretty impressive. On the other hand, it's scary that we're at the point now that the bad guys are developing attacks against hardware token-protected accounts.

I've read the same thing about a WoW account - it's worth more than a stolen credit card, and is significantly easier to get ahold of. Not what I'd expect, at all, but given the lengths the bad guys go to in order to steal accounts, it seems like it lines up.

It's not the first time this type of attack has been seen in the wild: http://bits.blogs.nytimes.com/2009/08/20/how-hackers-snatch-.... This article cites a reported cases in 2008. The first case was probably even earlier. It's not a novel attack; what's interesting is that WoW accounts are valuable enough to attract this type of attack.
It must be fascinating to work on the anti-goldseller/theft/fraud team at Blizzard. I would imagine they're the largest target for this sort of activity, and get to see some seriously crazy stuff.
There has to be a way to fix this through changing their process when dropping your authenticator.

One solution off the top of my head is to add an additional special question to admin tasks. Users very rarely if ever go to the blizzard admin page and thus won't be typing a special question in when they are just logging in to the game. Another solution is to confirm such authenticator drops through email or text. Both of these could be quickly implemented. And both could be used to alert blizzard and the user that they are infected.

The real problem here are rootkits + trojans that are just trouncing these unpatched old windows boxes.

I still haven't figured out how people end up with these trojans. Everyone that I know who plays wow is deathly afraid of getting "infected". Yet they still don't all have authenticators and they still manage to run trojans. Hmm. I blame porn ~ I don't know what else it could be.

EDIT: elaboration. paragraph 2 sentence 5 if you must know.

Good thinking. I think the best way to "fix" this is to remove the authenticator from the account, you are given a 5 minute timeout and must put in another code generated by the token after that period. That way, the original code stolen by the keylogger is no longer valid.
The vast majority of infections are due to Flash-based ads targeting older Flash installs, which are then targeted to be run on gaming sites. The days of opening emails with attached .SCR files are long behind us.

Blizzard does require that you provide two consecutive codes when removing an authenticator from an account, so I'm not quite sure how you'd coerce a user into providing two codes back-to-back, unless they just keep spamming tokens into the system. You could get around that by introducing, say, a 15-minute email-based delay that asks for a second auth code:

1) Log into account management (token required), request authenticator be dropped.

2) Request authenticator token. Validate token.

3) Stick request on the queue.

4) In 15 minutes, email the user with a link that includes a URL token validating the request. The link takes them to a page that asks for another token.

5) The authenticator is dropped upon receipt of the second valid token.

Most players, no matter how impatient, aren't going to sit at their computers for 15 minutes punching in auth codes. They'll give up after 3 or 4, max. The additional email ownership verification step, with the time delay between code entry should at least buffer you against authenticator-drop attacks.

a second auth step through email would just be added into the trojan to capture. they'd go ahead and run the first token for you and display a fake message that it was successful on your machine. then when you get the e-mail in 2nd stage it'd just mitm that too and finish the auth on its side. text would be more difficult to attack with a trojan, and banks use it; i don't see why WoW couldn't.

you get trojans via botnets. very effective covert 0-day kits hidden in vulnerable sites, and not everyone keeps up with all security updates all the time - and all it takes is once.

Hooray for having a Mac, a platform it's relatively unprofitable to develop viruses and malware for!
Same for Linux. Regarding fraud profitabililty, I wonder whether it's really that a good idea to evangelize to get Windows users to switch platforms.
Afaik this isn't a man in the middle attack. This was only possible because the host was infected, allowing capturing of the token before it was sent over a secure (eg SSL) line.

Capturing the token wouldn't really be necessary. The Attackers could just use the session created by the user to do their stuff (use the infected machine as a proxy). Capturing the token is just simpler, that's all.

It's clasically MITM. MITM is just a "man in the middle" intercepting data and changing it before it gets reported to either side, then using the original data to their own benefit. There isn't a defined "middle" point, other than "in between the source and the destination"; if the "middle" is on the victim's machine, it's still a valid MITM.