[Theory] Account Scam using realmlist switch.

**Gamer** · 12-01-2008

Note 1: I couldn't see anything similar to this, but if it has been posted please delete.
Note 2: I don't know whether this should go in this section or the questions section, please move accordingly.

When I was building my awesomely original (:P) realm list switcher, I recognized the potential of a similar program to be used for devious purposes.

The idea:

Get the user to download and run a exe file. (doesn't seem hard based on the number of gamecard duplicators etc. are using).

In the background, this program will modify the user's realmlist.wtf file to a private server. Not your average private server though, one specially designed just to capture all password attempts sent in. It doesn't actually need to have the game, just record login attempts to a file and always return invalid password.

They will feel safe, as they didn't need to enter their password/gamecard details, they are just playing WoW as usual. The program will also test negative to keyloggers.

"So, if I don't have a keylogger, and I don't type my password/info into someone elses app I'm fine right?" Not if your WoW client is sending info to another server.

Implementation:

Now the realmlist program is very easy to make. The part I have no experience with is the private server part. But if people can make fully functioning servers, then just making a login server that writes all attempts to a file shouldn't be too hard.

Please post feedback/criticism. Basically if anyone knows how/can be arsed/thinks its worthwhile making this work, I'm happy to provide the program.

**Apoc** · 12-01-2008

Actually a pretty damned good idea. Easily coded, and the server is easily made.

**Gamer** · 12-01-2008

Originally Posted by Apoc

Actually a pretty damned good idea. Easily coded, and the server is easily made.

Why thank you. What an honour coming from you

As I said, if anyone wants to make a server, I'm happy to make the program. Just tell me what you want it to be disguised as.

**Apoc** · 12-01-2008

Already wrote the program

(Took some already existing code, and just changed it a bit

)

The server part is easy. Just check the login logs for the server. (Maybe change it a bit to output the password too)

**Gamer** · 12-01-2008

Ahh well, I'm sure a legendary user such as yourself could pull it off.

About the server, I think I fully fledged private server would be overkill, you only really need th e login server.

And another thought about this I had. If they panic, see their pwd isn't working, they might check on the WoW site and find it still works. Which will confuse the hell out of them, and may lead to them changing this password before it can be used.

So if possible, rather than returning invalid password, just return server down, or unable to connect.

**Apoc** · 12-01-2008

I'm thinking of making it return unable to connect, then "throwing an error" (just killing the process), then putting the realmlist back to what it was, and letting them think it was just a weird bug. ^^

**Gamer** · 12-01-2008

Yeah, thats a much better idea. It's best if they never knew what hit them xD...

Then as they cry for help, all virus scans will strangely return blank, and they will claim that they didn't enter their password anywhere but the official WOW Client :P

**Opalis** · 12-27-2008

changing the realmlist back to the original might be helpful, if they ever think to look at the realmlist afterwards; you don't want your server address incriminating you lol

@Apoc: did you get this to work at all?

**MrNothing** · 12-27-2008

epic idea!!! very nice!!

**Rec Alpam** · 12-27-2008

So someone planning to make it and release it to public ;D?

**Anotherfox** · 12-27-2008

I've been using something similar for a wee while now, and it gives MASSIVE results.

On New Years Eve I'll post 2008 accounts (though no idea how to post that many!)

+Rep from me.

**Gamer** · 12-29-2008

Originally Posted by didadonny

So someone planning to make it and release it to public ;D?

You can already do the server part as Apoc said, by reading the login logs, although it may require modification for displaying the password. As for the program, very easy to create, simply write one line to a file.

Which part did you need help with? The program I can release if required, the server modification is a bit out of my league

Originally Posted by Anotherfox

I've been using something similar for a wee while now, and it gives MASSIVE results.

On New Years Eve I'll post 2008 accounts (though no idea how to post that many!)

+Rep from me.

Haha, that's great to hear. Are you using a modified private server? Or a application that just collects login attempts?