Man In The Middle Attacks Target World of Warcraft Accounts

As I mentioned previously, my World of Warcraft account got hacked back in February 2010. One of the things I did after wiping my computer and recovering my account was to add a Battle.net authenticator to the account for two-factor authentication. But, of course, even two-factor authentication won’t stop a man-in-the-middle attack, and apparently just such an exploit has appeared in the wild, targeted at World of Warcraft accounts.

To explain it in the simplest way possible: instead of your login data being sent directly to Blizzard when you try to log in, this malware sends it to a third party, and that includes your authenticator code. Rather than you logging into your account, the hacker on the other end does so with the code you just typed. They log into your account, clear out your characters, and move virtual funds around to fulfill orders from players buying gold. This method of circumvention has been theorized since the release of the key fobs, but it has only now started to actually happen.
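As an added illustration (not from the original post, and not Blizzard’s protocol), the toy Python below models why a relayed one-time code works: the six-digit code is a bearer token that the server accepts from whoever submits it first within the time window. It then shows what changes when the response is bound to the challenge of the session that requested it. The seed, nonces, session names and timestamp are all constructed for the demo.

```python
import hashlib
import hmac

SEED = b"constructed-demo-seed"  # constructed shared seed, not a real key

def otp_code(seed: bytes, step: int) -> str:
    """Six-digit HOTP-style code (RFC 4226 dynamic truncation) for one time step."""
    mac = hmac.new(seed, step.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    value = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

class BearerOtpServer:
    """The code is a bearer token: valid once per 30 s step, for whoever submits it first."""
    def __init__(self, seed: bytes):
        self.seed, self.used = seed, set()

    def login(self, password_ok: bool, code: str, now: int) -> bool:
        step = now // 30
        good = password_ok and hmac.compare_digest(code, otp_code(self.seed, step))
        if not good or (step, code) in self.used:
            return False
        self.used.add((step, code))
        return True

def relay_on_bearer_otp(now: int = 1265198400) -> tuple:
    """Victim types password + code into the trojaned client; the relay submits first."""
    server = BearerOtpServer(SEED)
    typed = otp_code(SEED, now // 30)             # what the victim read off the fob
    attacker_ok = server.login(True, typed, now)  # relayed code, same 30 s window
    victim_ok = server.login(True, typed, now)    # the victim's own attempt is now a replay
    return attacker_ok, victim_ok

class ChallengeBoundServer:
    """The response must cover the nonce this server issued to *this* session."""
    def __init__(self, seed: bytes, nonces: dict):
        self.seed, self.nonces = seed, dict(nonces)  # nonce handed out at session start

    def login(self, session: str, response: bytes) -> bool:
        nonce = self.nonces.pop(session, None)       # single use
        if nonce is None:
            return False
        expected = hmac.new(self.seed, nonce + session.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)

def relay_on_challenge_bound() -> tuple:
    """A response computed for the victim's session cannot be replayed into another one."""
    server = ChallengeBoundServer(SEED, {"victim": b"nonce-A", "attacker": b"nonce-B"})  # constructed
    response = hmac.new(SEED, b"nonce-A" + b"victim", hashlib.sha256).digest()
    return server.login("attacker", response), server.login("victim", response)
```

The binding only helps when the malware captures what the user types; if it sits in the client’s own network channel and can hand the victim the attacker’s challenge, the defence has to move to channel or origin binding of the kind hardware authenticators provide.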

Man-in-the-middle attacks aren’t anything new, but what I do find fascinating is that World of Warcraft has become so popular that there are attacks that target it specifically. There are apparently, for example, viruses that lurk in your system and are extremely difficult to detect except when the World of Warcraft client is launched.

In my case, someone who managed to compromise my computer could have accessed any number of accounts that could have cost me a lot more than just the small amount of gold I lost from my WoW account. That a major focus of some folks is virtual heists from a game is yet more proof that we’re all living in a science fiction novel.

Edward Castronova on the Rise of RMTs in MMOs

Edward Castronova has a peculiar post on what he sees as the end of resistance to real-money trades in MMOs.

Castronova cites a study finding that people who want to role-play within MMOs are a decidedly small minority, and then concludes from this that RMTs are inevitable since, apparently, the only argument against RMTs was that they break the immersion that role-players want from a game.

As Fairfield notes, it is becoming weird now to insist on an RMT-free gaming experience. I freely trade money for time all day, every day. The community here in Bloomington finds this utterly normal and so does the most of the community in Azeroth. As devs will argue, they don’t make all this stuff for free; they have to get paid somehow, and given the general disinterest of their players in pure refuge, there is quite a lot of give along the immersion / cash spectrum. How can I oppose RMT?

But these events are worth noting from a social theory perspective: Even such strongly framed alternative environments have had little effect on the way people act. The fact that people do NOT role-play, that they do NOT treat dragons as monsters, the fact that they do NOT treat evil as Evil and good as Good, nor kings as Kings nor quests as Quests, the fact that if they change at all it is only to revert to strategies of mooning the whole world just for the adolescent joy of it (which, I respectfully and lovingly submit, turned out to be a special devotion of my gameplaying colleagues in academia), seems to reject social construction theories. Drop a society of 20th century people into World of Warcraft or Lord of the Rings Online, and you get a masked ball, only: A thoroughly unremarkable 20th-century society playing around with high-fantasy costumes. You cannot remake a people by changing the world in which they live.

What I don’t get about this is why Castronova and others would prefer to establish multiple identities (at a minimum, a real-world identity and a virtual identity) but then restrict that virtual identity to just a single mode of interaction. Since MMOs involve dealing with multiple identities from the outset, it seems inevitable that rather than be constricted by some artificial restriction on identity (which is already an omnipresent feature of the “real world” for many of us), players would want to take varying approaches to their virtual identity over time.

I see no conflict at all between logging on to World of Warcraft and role-playing one moment, making a crude joke in the Trade Channel the next, and then discussing some real-world event that my guildies and I happen to have in common. In fact it seems kind of strange that Castronova and others would see strict adherence to just the first identity as desirable, given that MMOs tend to give players tools to easily manage multiple in-game identities.

So I don’t see how RMT transactions in-game detract from the immersiveness any more than does the fact that each month a $14.99 charge appears on my credit card, or that I have to boot up into Windows first before launching a game.

Briefly Banned By Blizzard

So on February 3, 2010, I checked my email on my way to work to find this lovely message:

From: WoWAccountAdmin@blizzard.com

To: brian@carnell.com

Subject: World of Warcraft — Account Closure Notification — Exploitative Activity Found

English-speaking customers: Please refer to the start of this mail
Spanish-speaking customers: Please go to the end of this e-mail

***Notice of Account Closure***

Account Name: BRIANCARNELL

Reason for Closure: Terms of Use Violation — Exploitative Activity: Abuse of the Economy

This account was closed because one or more characters were identified exchanging, or contributing to the exchange of, in-game property (items or gold) for “real-world” currency. This exchange process negatively impacts the World of Warcraft game environment by detracting from the value of the in-game economy.

Even if this behavior is the result of a third party accessing the account instead of the registered user (for example, a friend, family member, or leveling service) then the account can still be held responsible for the penalty because of the impact it had on the game environment.

We’ve found the above behavior is many times directly related to groups responsible for compromising World of Warcraft accounts; we take these issues very seriously. To better understand our position against exploitative activity and the risks involved, please review this article: http://www.worldofwarcraft.com/info/basics/antigold.html

The exploitative activity that took place on this account violates the World of Warcraft Terms of Use. We ask you take a moment to review these terms at http://www.worldofwarcraft.com/legal/termsofuse.html. Any recurring subscriptions on this account have been suspended to prevent further monetary charges.

For any disputes of this action, please visit the Exploitative Activity FAQ and Contact page here: http://us.blizzard.com/support/article/exploitfaq

Regards,

Blizzard Entertainment
www.worldofwarcraft.com

My first thought was that this email was itself some sort of phishing attack, so I logged into my Battle.net account. Well, I tried to log into my Battle.net account, but was told that it had been shut down for exploitative activity.

Now I’m a very casual World of Warcraft player who pretty much sticks to soloing (I’ve been in one instance in 5 years of playing). Especially since the last two expansions, obtaining gold is trivial so I’m not even sure who the market is anymore for gold selling.

Anyway, since I hadn’t actually bought or sold any gold, the obvious conclusion was that someone had hacked my account. I always run anti-virus software, firewalls, etc., but someone probably managed to keylog me on a machine where I checked in to show someone the Armory.

My next reaction was a bunch of expletives. I’ve got more than 3,000 hours invested in the characters on that account and to some extent playing World of Warcraft is almost part of my lifestyle, not just another game. I simply can’t imagine not playing WoW or some successor to it at this point.

So I hit the link to appeal and explain that I’ve been playing for 5 years, never bought or sold gold, and as they can tell if they look at my account am a fairly casual player who just wants his account back. To Blizzard’s credit it took less than 24 hours for me to get the following reply:

From: wowaccountadmin@blizzard.com

To: brian@carnell.com

Subject: World of Warcraft – Account Recovery Instructions

Greetings,

We have determined that the World of Warcraft account BRIANCARNELL has been accessed by someone not authorized to do so by the World of Warcraft Terms of Use (http://www.worldofwarcraft.com/legal/termsofuse.html).

To protect your privacy and security, we have temporarily disabled this account. Any recurring subscriptions have been suspended to prevent further monetary charges. In order to regain access to the account, you must complete the steps below to secure the account and your computer.

Please keep this email for your reference until the account recovery process has been completed.

STEP 1: SECURE THE ACCOUNT, YOUR COMPUTER AND YOUR EMAIL ADDRESS
Account compromises most often occur when a player shares login information with an unauthorized third party or plays on a computer that has a virus, Trojan, or key-logger. We recommend you read and apply the following tips to protect yourself and the account.

- Unauthorized Account Access Policy: http://us.blizzard.com/support/article/20460
- World of Warcraft Account Security: http://us.blizzard.com/support/article/20572
- Computer Security: http://us.blizzard.com/support/article/21118
- Email Address Security: http://us.blizzard.com/support/article/28585

STEP 2: RECOVER THE ACCOUNT
We now provide a secure website for you to verify that you have taken the appropriate steps to secure the account, your computer, and your email address. Please go to this site and follow the instructions:

http://us.blizzard.com/support/article/securitywebform

STEP 3: VERIFY YOUR SUBMISSION WAS RECEIVED
We will contact you with further instructions once we have received and processed your submission. If you do not receive a reply within 5 business days of submitting this form, please resend it from the address listed above.

Please be aware that if unauthorized access to this account continues after the recovery process is complete, it may lead to further action against the account.

Sincerely,

Vaenixia
Account Administration
Blizzard Entertainment
www.blizzard.com

Whew. It took a couple of weeks to get my account back, however. Even though I was fairly sure my personal laptop (the only machine I actually play World of Warcraft from) wasn’t compromised, I wasn’t about to take any chances. I wiped the hard drive and reinstalled Windows. Then, along with the anti-virus/firewall package, I also added Secunia to help keep track of problems like unpatched versions of Adobe crapware.

Once I was certain my machine was exploit-free, I recovered my Battle.net account and then added a Mobile Authenticator to the account. Fortunately for me, a few weeks ago Blizzard added a Mobile Authenticator app for Android, so I could have that on my Nexus One (I’ve actually got several of the standalone authenticators, but worried before that I would lose them).

Now I was finally ready to log into my WoW account…where I found myself suspended in mid-air and then watched as I fell to my death.

Whoever hacked the account must have been seriously disappointed. They took about 800 gold and cashed in about 20,000 honor points for some gems (which were still in my inventory). The only thing I was really annoyed at was that they sold off all my Gigantique Bags and Portable Holes. I thought about petitioning to have that gear restored, but decided not to since, again, gold is so easy to come by in the game these days.