Tuesday, November 25, 2008

Oh noez! Haxxored!

One of our officers got hacked this week, via a phishing scam. All his stuff was sold off for gold, except that which could not be sold. Fortunately, our GL had the wisdom to limit officers to 10 stacks in the guild bank, and our friend must have gotten paranoid when that happened because he only did it on one toon.

As a service to you, let me explain how this worked.

The e-mail

You get an e-mail. It's "from" support@blizzard.com, which proves nothing: the From: line is typed in by whoever sends the mail, and nothing in an ordinary e-mail checks it. It says "thanks for signing up for email notifications. Please log in and update your password. Here is the link to the password page."

The Link

The link, of course, doesn't go to anything on Blizzard's website. It goes to a website that looks just like Blizzard's, but it isn't. It is backed by a server that accepts whatever user name and password you type and stores them as working credentials. Eventually, one of the professional thieves will come along, log in to your account, sell your stuff, and send the gold to someone who sells gold for a living.

Gold farmers don't care

I've heard that all gold farmers are not alike. That is most certainly true. But I think that I am safe in saying that few, if any, gold sellers care about where the gold came from. As long as they can sell 1000 gold for 29.99 US dollars, they're content.

How to protect yourself

The scam described above is called a "phishing" scam. It is not limited to WoW accounts. The same methods apply to all such cases, whether it is WoW, PayPal, Amazon, or whatever.

To protect yourself, never click a link in an e-mail that appears to come from support@blizzard.com, support@paypal.com, or the like. Look at where the link claims to send you. If it says you are being sent to the account management page, open a browser and type the site's address yourself. Bypass the e-mail link completely. Remember that the text of a link and its destination are two different things: unless you hover over the link or review the message source, you may not notice that it reads as one address but actually sends you to another. And a destination such as blizzard.com.some-other-site.net is not Blizzard's site, however much of the real name it borrows.
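The link check described above, written out as an added example (not code from the original post): parse an HTML e-mail, pull out every link, and compare the host the link text shows with the host the href really points to, label by label, so that a name like blizzard.com.account-verify.example is not mistaken for blizzard.com. The sample message, the trusted-domain list and every function name are constructed for this illustration and are not from Blizzard or the original page.

```python
"""Flag phishing links in an HTML e-mail.

Added example, not from the original post. The message below, the
TRUSTED_DOMAINS set and all function names are constructed for illustration.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: domains the mail claims to represent. A real deployment would
# populate this from the organisations you actually get mail from.
TRUSTED_DOMAINS = {"blizzard.com"}

# Constructed phishing message modelled on the one in the post. The From:
# header is forged; nothing about it proves who sent the mail.
SAMPLE_EMAIL = (
    "From: Blizzard Support <support@blizzard.com>\n"
    "To: victim@example.com\n"
    "Subject: Please update your password\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "\n"
    "<html><body>"
    "<p>Thanks for signing up for email notifications. "
    "Please log in and update your password.</p>"
    '<p><a href="http://www.blizzard.com.account-verify.example/login">'
    "https://www.blizzard.com/account/password</a></p>"
    '<p>Or <a href="http://www.b1izzard.com/account">click here</a>.</p>'
    '<p><a href="https://us.blizzard.com/unsubscribe">unsubscribe</a></p>'
    "</body></html>\n"
)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []     # finished (href, text) pairs
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; tolerates a bare 'www.example.com/path'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def under_domain(host, domain):
    """True if host is domain or a subdomain of it. The check is label-aligned,
    so 'blizzard.com.evil.example' is NOT under 'blizzard.com'."""
    return host == domain or host.endswith("." + domain)


def claimed_host(text):
    """Host name the visible link text shows, or None if it shows none."""
    m = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
    return m.group(1).lower() if m else None


def same_site(shown, actual):
    """Do the displayed host and the real host agree? A leading 'www.' is
    ignored and either side may be a subdomain of the other."""
    s = shown[4:] if shown.startswith("www.") else shown
    a = actual[4:] if actual.startswith("www.") else actual
    return under_domain(a, s) or under_domain(s, a)


def suspicious_links(raw_message):
    """Return [(visible_text, href, reason)] for every link not to be clicked."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _LinkCollector()
    collector.feed(body.get_content())
    findings = []
    for href, text in collector.links:
        actual = host_of(href)
        shown = claimed_host(text)
        if shown and not same_site(shown, actual):
            findings.append((text, href, f"text shows {shown} but link goes to {actual}"))
        elif not any(under_domain(actual, d) for d in TRUSTED_DOMAINS):
            findings.append((text, href, f"link goes to {actual}, not a trusted domain"))
    return findings


if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"DO NOT CLICK: '{text}' -> {href} ({reason})")
```

Two of the three links in the sample are flagged: the first because its visible text names www.blizzard.com while the href leads to a host that merely begins with that name, the second because "click here" hides a look-alike host that is not under any trusted domain. The third link, which really does go to a blizzard.com subdomain, passes; a phish often includes a few genuine links to look legitimate, which is exactly why the rule compares each link on its own rather than trusting the message as a whole.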

How'd they get my address, anyway?

They didn't. Phishing scams rely on mass quantities: the shotgun effect. The scammers harvest e-mail addresses in bulk. They have no idea whose address any of them is, but they will use the list over and over again in mass mailings. 500,000 e-mails go out to every Hotmail address in a harvested list. 2,000 of those recipients have WoW accounts. 20 respond. The thieves haul in 50,000 gold to sell at $29.99 per 1,000, or 50 x 30 = roughly $1,500 USD.

It's plain old doo-dah luck. They will use the same 50,000 addresses for a PayPal scam, E*Trade, WaMu ... etc. They aren't smart. But they are efficient. Brute force + efficient == profit!

I better get an authenticator!

Don't bank on that working. At least one person has reported having the authenticator decoupled from an account without the legitimate owner's permission. With your password, and the access to the Blizzard account page that the phishing e-mail gained them, it's possible that enough could be faked up to talk a support representative into removing the authenticator over the phone. Once the authenticator is gone, your toons are forfeit.

No, technology does not relieve you of your responsibility to be prudent. You are still on the hook.

But, seriously? I think the authenticator is a great idea. It's just not the answer to all your security woes. You have to stay alert and watch what you do. Don't get lazy. They are depending on you being lazy. Don't.

And now for something different

Word has it that [Manual: Heavy Frostweave Bandage] only drops in instances. It does not. While I was running my very first Zul'Drak quest tonight, it dropped from a trash mob outside of any instance. So be advised: it's out there.