How Phishers Target WoW Players

By Andrew Brandt, Curtis Fechner, and Grayson Milbourne


Yesterday, at the opening of our BlizzCon coverage, we showed you just how commonly phishers target WoW players by posting innocuous-looking links in message boards or forums frequented by players. Today, we’ve produced a really short video that shows exactly how someone infects their computer with a phishing Trojan.

As you can see in the video (even through the “censorship”), the page the victim eventually ends up on emulates the appearance of a Flash-video-based porn site. Every single link on the page links to the malware installer, which means that no matter where on the page the victim clicks, he or she is presented with a download dialog box. Check it out.

This simple social engineering trick, so commonly used of late by Koobface to fool social network users, still manages to convince people to execute the malware installer in order to view the video.

We’d all like to take a moment to give one simple piece of advice: If you follow a link and end up on a site you clearly weren’t intending to go to, stop. Don’t download any executable files—and absolutely don’t run any executable files if you happen to download them. If you have to, hit the Alt-F4 keyboard combination to kill the browser right there, but just don’t run anything else.

Misled gamers who download and run the flash “installer” won’t see any obvious difference on their computers to indicate that they are infected. At this point, the Trojan is ready to start stealing login credentials. These infections are often fairly simple in their configuration, though as with all malware there are much more complex versions that can steal the passwords for multiple games.

The installer executable simply drops a DLL file onto the victim’s hard drive, typically to the System32 or another Windows subdirectory. That file performs the keystroke logging, then sends that data to the phisher behind the scam. The installer also modifies the Registry so the DLL loads with every startup.
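The persistence pattern described above (a DLL under the Windows directory, loaded from a Registry autostart entry) can be checked for on a suspect machine. The PowerShell below is an added example, not code from the original article; it assumes the standard Run keys, since the article does not name the Registry value this Trojan writes.

```powershell
# Added triage example: list Run-key values that reference a DLL, with the
# file's creation time, location and Authenticode status.
# Assumption: the standard Run keys below; the article does not say which
# Registry value the Trojan modifies.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Property names the registry provider adds to every result.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
# A drive-qualified path ending in .dll, quoted or not. Excluding ':' after
# the drive letter stops a match from spanning "rundll32.exe C:\...\x.dll".
$dllPath = '(?i)[a-z]:\\[^":<>|*?,]+?\.dll'

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -in $providerProps) { continue }
        foreach ($m in [regex]::Matches([string]$prop.Value, $dllPath)) {
            $file = Get-Item -LiteralPath $m.Value -ErrorAction SilentlyContinue
            if (-not $file) { continue }   # referenced DLL no longer on disk
            [pscustomobject]@{
                Key          = $key
                Value        = $prop.Name
                Dll          = $file.FullName
                Created      = $file.CreationTime
                InWindowsDir = $file.FullName -like "$env:windir\*"
                Signature    = (Get-AuthenticodeSignature -FilePath $file.FullName).Status
            }
        }
    }
}

# Newest files first: a DLL created around the time of the suspicious
# download, sitting in a Windows subdirectory, deserves a closer look.
$findings | Sort-Object Created -Descending | Format-Table -AutoSize
```

The output is a starting point for review, not a verdict: legitimate software also registers DLLs this way, so compare the creation time and signature status against what you know was installed.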

Keyloggers aren’t the only threats targeting online games. Others include spam phishing-type posts on the public forums for individual guilds, malicious URLs communicated through the in-game chat channels, and even exploits against security weaknesses in Web sites and message boards frequented by members of the WoW playing community.

For example, the Warcraft III version 1.24 update, released by Blizzard a few weeks ago, fixes a very nasty, underhanded malware game exploit not commonly seen in MMORPG games. The patch fixed a vulnerability within the custom maps function where, simply by joining a custom game hosted with a specially-crafted, malicious map, players’ computers could become infected with malware. Because custom maps are so popular with Warcraft III players, the existence of this vulnerability created a lot of fuss among the community.

In this case, hackers really created fake maps that used the same file extension/directory as normal custom maps. These malicious maps (malmaps?) targeted the most popular custom game, Defense of the Ancients (or just DotA). What makes this exploit particularly nasty is the fact that your PC gets infected the moment you join a game where the infected DotA map is in use. And because automatically downloads new maps, and the infected maps are very small, the user doesn’t have enough time to exit the custom game before the download completes. Once downloaded, the game automatically unpacks the infected map and executes the malicious code.

What kind of malicious code? Based on previous targeted attacks against Blizzard games, it would be safe to assume the infection is looking to steal your license key and/or account information, though we would not be surprised if it also installs a backdoor, which lets someone remotely control your PC.

But what can you do? You’re just one guy among the cybercriminals, right? Well, there are multiple ways to protect yourself. An excellent anti-malware solution is a step in the right direction, and should form the cornerstone of any gamer’s defense of their PC. You can also sign up for Blizzard’s Authenticator, which is great to have if you want to add an extra layer of security to your account. Nobody can access your WoW or account without physical access to this device.

And even if you only occasionally browse the forums related to the games you play, be mindful that not everyone is there to be helpful or considerate. First reports of new infections or malicious links often come from the forum’s members.

The gamers – er, rather Threat Research experts — here at Webroot will keep watch for malware on WoW and other online gaming sites to keep you (and ourselves) safer while we rampage through middle Earth.


10 thoughts on “How Phishers Target WoW Players”

  8. I can’t count how many times I have seen dodgy stuff like that going on, especially in World of Warcraft. I don’t know what it is, maybe because there are many computer geeks in there that know this kind of stuff, but in any case I guess we just need to follow the standard rule when it comes to downloading stuff.
