Trojan program hijacks World of Warcraft accounts despite two-factor authentication
IDG News Service – A new Trojan program is targeting users of the popular online role-playing game World of Warcraft and is capable of hijacking
accounts even if their owners use two-factor authentication.
“We’ve been receiving reports regarding a dangerous Trojan that is being used to compromise players’ accounts even if they
are using an authenticator for protection,” a technical support representative from Blizzard Entertainment, the game’s developer,
said Friday in a message on the Battle.net forums. “The Trojan acts in real time to do this by stealing both your account information and the authenticator password at the
time you enter them.”
Battle.net is Blizzard’s online gaming service and the Battle.net Authenticator is a physical token or a mobile application that generates unique codes used as a second factor of authentication in addition
to the user password.
By intercepting Battle.net log-in attempts on infected computers, the Trojan program can capture both the regular user names
and passwords and the unique codes generated by authenticators. Since the latter are essentially one-time passwords that expire
after being used, the legitimate log-in attempts are blocked by the malware, so while victims try to figure out what went
wrong, the captured information is sent to the attackers who can then hijack the accounts.
This is similar to how other Trojan programs allow attackers to defeat two-factor authentication used by Internet banking
sites.
Signs of infection with this new malware include the presence of a program called “Disker” or “Disker64” in the Windows start-up
list. Users can view this list by generating an MSInfo report using instructions on the Battle.net site and then looking under the “Startup Program” section.
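The start-up list check described above, as an added PowerShell example that is not from the article or from Blizzard: it reads the live list from the `Win32_StartupCommand` CIM class and flags entries named Disker or Disker64. The function name, the matching pattern and the sample entries are assumptions constructed for illustration.

```powershell
# Added example. Only the names "Disker" and "Disker64" come from the article.
# Word boundaries keep unrelated names such as "DiskerTool" from matching.
$IndicatorPattern = '\bDisker(64)?\b'

function Find-StartupIndicator {
    # Hypothetical helper: returns start-up entries whose name or command line
    # mentions one of the reported program names (-match is case-insensitive).
    param(
        [Parameter(Mandatory)]
        [AllowEmptyCollection()]
        [object[]] $Entries
    )
    foreach ($entry in $Entries) {
        if ($entry.Name -match $IndicatorPattern -or
            $entry.Command -match $IndicatorPattern) {
            [pscustomobject]@{
                Name     = $entry.Name
                Command  = $entry.Command
                Location = $entry.Location
                User     = $entry.User
            }
        }
    }
}

# Constructed sample entries (paths and users are placeholders, not from the article).
$sample = @(
    [pscustomobject]@{ Name = 'OneDrive'; Command = '"C:\PLACEHOLDER\OneDrive.exe" /background'
                       Location = 'HKU\PLACEHOLDER\Run'; User = 'PC\player' }
    [pscustomobject]@{ Name = 'Disker64'; Command = 'C:\PLACEHOLDER\Disker64.exe'
                       Location = 'HKU\PLACEHOLDER\Run'; User = 'PC\player' }
    [pscustomobject]@{ Name = 'DiskerTool'; Command = 'C:\PLACEHOLDER\DiskerTool.exe'
                       Location = 'Startup'; User = 'PC\player' }
)
Write-Output 'Sample entries flagged:'
Find-StartupIndicator -Entries $sample | Format-Table -AutoSize

# Live check on this Windows machine: Run keys and Startup folders,
# the same data source as the start-up list in an MSInfo report.
$live = @(Get-CimInstance -ClassName Win32_StartupCommand)
$hits = @(Find-StartupIndicator -Entries $live)
if ($hits.Count -gt 0) {
    Write-Warning "Found $($hits.Count) start-up entry(ies) matching Disker/Disker64:"
    $hits | Format-List
} else {
    Write-Output "No Disker/Disker64 entry among $($live.Count) start-up entries."
}
```

An empty result does not clear the machine: as the article notes, the rogue Curse Client actively tries to hide the malware's presence.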
In a later update on the Battle.net forum, another Blizzard tech support representative said that the company tracked down the source of infection
to a fake, but working Curse Client distributed from a fake website. The Curse Client is a third-party application that can
be used to install add-ons and modifications for several games including World of Warcraft.
Users who suspect their computers have been infected with this Trojan program were advised to uninstall the Curse Client and
then run a scan with Malwarebytes, an anti-malware tool that has a free version. However, most security products should be
able to detect the Trojan program by now, the Blizzard representative said.
Uninstalling the rogue Curse Client is an important step because the client is actively trying to hide the malware’s presence.
“For those of you interested in these MitM [man-in-the-middle] style attacks, this is the only confirmed case we’ve seen in
several years outside of the ‘Configuring/HIMYM’ trojan in early 2012 that hit a handful of accounts,” the Blizzard representative
said. “These sort of outbreaks are annoying, but an Authenticator still protects your account 99% of the time.”