How to loose 3,000,000+ gold and don't get it back... The story of the magical hack.

[ketrish]

Thanks for support folks.
The thing is that I had restoration only in like 10%. That means my chars got free race change + migration to original realm but that's it. I had to manually restore items via feature on website [still ****ing running with cata legendary daggers on my rogue - had choice run without weapon as hunt or run with daggers on my rogue]. Missed few items [had them too ****ing many to remember anything or everything]. I've been told [after 3 web chats, 3 tickets & 1 phone call] that : everything what could be restored - has been. Ekhm....Missing:
* 280 pets [1-25 lvl, every which could be caged was stolen]
* Access to my private guildbanks [ still don't know what they stole and i won't be fucing able to check that even after demise cause theft demised my bankers to lowest ranks ]
* gold [3.2m in liquid gold and around 1.5m from guildbanks in items more or less] <- worth above/around 5k euro

Over the phone I've asked if providing logs [cause I've got them] prooving that I didn't do it [as for instance banks, mails etc] - nope : they're using only internal logs.
I've got only I think - appeal but seriously I don't have idea what to write there down. Any tips ?

[ketrish]

A little update of mine.
So some time ago I've got logs in terms of my mailbox. They've pointed 3 connections outside my living zone - Asia. There is too much data to get through so I followed one. I've checked both [in/out] logs of activity from my PC. One was let's say good enough - pointed same city [could be coincidence]. So let's dig more [few days of digging of infinite amount of data and more or less figured it out]. Those 3 connections pointed at 3 different cities which according to googled articles are in bigger or lesser level living from gold/curriencies in mmo games [including WoW].
If you do remember what I've said - Blizz told me that gold was "untraceable so not refundable". Not completely true but.... If you ever tested google in terms of geolocation then you'd prolly know that it's accurate. Some people can say it's too accurate [it locates for this instances my phone to 10-15m]. By comparing my logs with mail's ones I've received exactly the same Xs,Ys. So let's follow reverse-engineering things [this is where it's becomming interesting]. Backtrack allowed me to find things like domains registered, yahoo etc etc. With one specific data I was able to drag out some more info - a name [99.99% faked nickname]. This name typed in google provided one post from 2012 [hm....] in which that asian guy was known to Blizz back then....[hmm.....]. It really takes some time to get through everything since google caches entire clearnet but...
Dropping above - over all I've made 3 tickets, 3 web chats, 1 phone call in results of which I've figured those things:

1. My guilds are lost [prolly] because theft demoted me to lower possible rank so demise is not an option.
1.1. Still don't know what are demages in my guildbanks [demote, look above].
2. BN friendlist is not stored on blizz's servers so make manual backups for yourselfs.
3. After the merge realms:
3.1. Pets won't/aren't refundable/restorable.
3.2. Gold is not traceable.
4. Some achievs [missing few] didn't come back to me but meh... Also few items [irony in this is that they're in restoration service but if I have for instance running hunt without weapon or rogue then it's srsly ****ed up - need to wait another 30 days for another restoration].
5. [This is fun] One of GMs told me that @ account is not needed to take over the account [bn].
5.1. So it needed only my passes [BN/auth] and auth code.
5.2. Passes could be restored via @ [irony isn't it] and still don't know how they got auth code.
5.3. Why am I so sure that there was no malware. I've used [kind of stupidity & blessing now - you'll understand it soon] passes in levels. That means most precious accounts got prio in passes. For instance only BN acc & bank had exactly the same pass. If there would be malware - avoiding bank's possibility as theft ? O.o ?
5.4. GM also told me that there was no In/Out info from/to them in terms of my BN/@ account.
5.4.1. Then if you don't need @/bn to **** up account then what really left on the field ? Because there are : customer[me], service[human/system]. System. How to exploit system to get account stolen ? I had no idea untill GM said something as I think was like offtopic to our conversation. SoR accounts.
5.4.1.1. I had 1 mini take over the account in the past [still was something between compromised/hack but I was enable to protect myself back then]. After I've took back control over my account there were SoR accounts. So what to do with trash that you don't want to ? You ask GM to help you out. And then the pain came... After few [3+] tickets to remove them/move them somewhere else I've been asked to write letter to Paris [Once in TBC I did when CE system didn't work and You had to send them something from box to proove that you have CE and then they would add you a CE's pet] so I've passed [since my last letter and answer for it took I think 2-4 weeks] - what can happen reaaaaaly with SoRs ? Nothing right ? Not exactly people.
5.4.1.2. Why I mentioned above ? Cause on phone call GM mentioned 1 thing which gave me some toughts. Those SoRs which I didn't remove somehow had claims for them [hmmm....]. So we have SoRs which went away this time and claims - do the math because I don't have any other ideas.
[Bonus question which I've asked over the phone] For question : with those serucity which I'm currently using - will you be able to restore things via for instance snapshoot [more or less] ? Answer was more or less : You're secure.
The irony of the merge is that there was not at all any information about that kind of troubles with restoration.
I've kind of figured another more secure system than Blizz's one. Have 2 BN accounts - separated/created on different machines. On B[the secure one] make char[same realm on which you're playing] which you will send gold and forget about this account. On main account [since guildbanks are not safe anymore etc] send gold to B's account chars gold. This way you've got double auths, double mobile phones, double @ & passes but of course you can be banned for allegedly gold selling trading. There is also 1 disadvantage of this - 1 day window. After 30 days it will be resended to you by the system and of course you can be compromised somehow in this specific day.
I think that only appeal left for me but never done it before. Are there any guides for this or links [or just create another ticket] ?


Ps Don't get me wrong - their service people seemed fine etc so I don't blame them but I'm blaming a system because of which players are ****ed up not from their fault.
Ps2 I've offered them to provide them logs of mine [to proove that it isn't one big scam] like mail or bank - they refused ;/.

So this is prolly how I've lost stuff worth 4-5k e.

As always
Best regards
- Ket

[Epicprices]

Sad story.

[Hazzbazzy]

Interesting story, I had something close to that happen. I logged out over the weekend, with nothing strange going on, had about 280k on me. Woke up the next morning from a text that was from my brother asking if I was pulling an all nighter on wow. Looked at the comp and logged in, strange, found my mage in SW when I know she was in the shrine the night before. Then realized that everything was gone, but caught them in the middle of it, secured the comp, ran a scan found 1 piece of malware, but I guess where ours differ was the GM's restored everything on my account within 4 hours after doing the live chat method via battlenet.

Good luck though.

Late reply, but next time prior to scanning your machine run RKill.exe; it's a program by BP that stops most virus processes and informs you of them. Even if it reports nothing was stopped, it typically does prevent malware from hiding itself from AV.

http://www.bleepingcomputer.com/download/rkill/
Edit: changed link from direct download to informative page.

[pmb116]

Late reply, but next time prior to scanning your machine run RKill.exe; it's a program by BP that stops most virus processes and informs you of them. Even if it reports nothing was stopped, it typically does prevent malware from hiding itself from AV.

http://www.bleepingcomputer.com/download/rkill/
Edit: changed link from direct download to informative page.

Just to add on. RKill is a rootkit virus scanner and should be run as well as AV programs.

Sent from my LG-D802 using Tapatalk

[lutja]

I dont trust your story, there is something you are not saying :-)

btw 5M is not 5k€.

[ketrish]

Sorry that I've been so out for so time but had to deal with some stuff...5M is not worth 5kE - I do agree with that but if you have brain instead box then inflation would do 95% of the work for You.

Code:

Rkill 2.6.8 by Lawrence Abrams (Grinler)http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html


Program started at: 11/02/2014 09:47:56 PM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1


Checking for Windows services to stop:


 * No malware services found to stop.


Checking for processes to terminate:


 * No malware processes found to kill.


Checking Registry for malware related settings:


 * No issues found in the Registry.


Resetting .EXE, .COM, & .BAT associations in the Windows Registry.


Performing miscellaneous checks:


 * No issues found.


Checking Windows Service Integrity: 


 * WMPNetworkSvc [Missing Service]


Searching for Missing Digital Signatures: 


 * No issues found.


Checking HOSTS File: 


 * HOSTS file entries found: 


  127.0.0.1       localhost


Program finished at: 11/02/2014 09:52:01 PM
Execution time: 0 hours(s), 4 minute(s), and 4 seconds(s)

Like I said before - I knew that there was nothing there and I do know that it was system's failure not mine [getting my datas].

[scylla]

I see stuff like this all of the time where people can't find what did it to them. If you haven't found your infection or whatever, these guys might be able to help.

Majorgeeks Malware Removal - Forums

[alexiaalice11]

reputation 666, wonderful.

[s1gnal]

"I've arleady had scheduled 500-700k to spend on 'services' from boosters"

Using boosting services makes your account unsafe. There you got your answer

[ketrish]

"I've arleady had scheduled 500-700k to spend on 'services' from boosters"

Using boosting services makes your account unsafe. There you got your answer

realm #1, world #100 and higher.... sure... xD