[Alert] Blizzard Authenticator Compromised!

  1. #1
    Sneakylemons (Contributor)

    [Alert] Blizzard Authenticator Compromised!
    Anyone who has an authenticator attached to their account should run a search (and probably an antivirus scan in case it's on the threat list already) immediately and ensure the file emcor.dll does not exist on your computer. This file is one reported to be allowing hackers to access World of Warcraft accounts that have authenticators attached to them. It's also possible there are other variations of these suspicious files, so if anyone has additional information please respond in the comments.

    Based on this thread, the file may be found in /users/username/appdata/Temp. Since the file is fairly new (first mentions of it are only a few days ago), and the common source is unknown, I urge everyone to not log in to World of Warcraft or the account management site until you've run a scan. Confirm your computer is secure before using your authenticator, because this DLL file is allowing hackers to crack through it and access your account.

    A warning sign that you're currently infected with this keylogger is that WoW will say your authentication code is incorrect, even if you know for sure you typed in the correct code.

    Here are some additional follow-up details about the authenticator situation.

    First of all, Blizzard has confirmed this as a man in the middle attack:

    Official Blizzard Quote:
    [Blizzard Source]

    After looking into this, it has been escalated, but it is a Man in the Middle attack.
    Man-in-the-middle attack - Wikipedia, the free encyclopedia

    This is still perpetrated by key loggers, and no method is always 100% secure.

    Additionally, Cameron, a World of Raids user, has done some digging into the file and discovered the following information to potentially help you if you've been infected. Here are the details from his digging:

    Firewall IP Block
    You may be able to block the IP 205.209.181.111 to help prevent your information from reaching the hackers. This is of course something that may change after they find out they've been discovered, but it should offer some temporary help while you get rid of all the files.

    Quote:
    This info is preliminary. If you use it you should also take the steps you do normally

    The keylogger will send the data to:
    Host: 205.209.181.111
    Port: 1068

    The keylogger data file can be found in /users/username/appdata/Temp along with the DLL

    Update 1:

    The keylogger sends the "current tick" to the server. Presumably so it can tell how long it has to use the code.

    Brought to you by bored geek.

    Keylogger Server Details
    This information was also discovered by Cameron, and is essentially the "known" location of the server collecting data sent by the keylogger.

    Quote:
    The keylogger is a standard Windows-based keylogger which uses SetWindowsHookEx hooking as a debug hook (WH_DEBUG) so it gets first dibs on typed data (Although for some reason it does pass on the data to other hooks and not block them...)

    The data is sent to:
    Host: 205.209.181.111
    Port: 1068

    OrgName: Managed Solutions Group, Inc. (Known spamming server)
    OrgID: MSG-48
    Address: 45535 Northport Loop East
    City: Fremont
    StateProv: CA
    PostalCode: 94538
    Country: US
    This was taken straight from the Arena Junkies front page. I just wanted everyone to know about this so they can keep their accounts safe, because I am not sure how many people actually visit AJ. Hope this helps.

    -Sneakylemons
    I WAS DRILL ROLLED BY GZ. AND I LOVED IT.
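
A defensive check for the indicators named in the post above, as an added example that is not part of the original post or the quoted analysis: it looks for the reported file name under a directory tree and for the reported host and port in Windows `netstat -ano` output. The function names and the sample netstat text are constructed for illustration.

```python
import os
import re

# Indicators quoted in the post above; everything else here is constructed.
IOC_FILENAME = "emcor.dll"
IOC_HOST = "205.209.181.111"
IOC_PORT = 1068


def find_ioc_files(root):
    """Return paths under root whose file name is the reported DLL (case-insensitive)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            if name.lower() == IOC_FILENAME:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


# TCP rows of Windows `netstat -ano`: proto, local addr, remote addr, state, PID.
_NETSTAT_ROW = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$", re.IGNORECASE)


def find_ioc_connections(netstat_text):
    """Return (state, pid) for each TCP row whose remote end is the reported host:port."""
    hits = []
    for line in netstat_text.splitlines():
        m = _NETSTAT_ROW.match(line)
        if m and m.group(3) == IOC_HOST and int(m.group(4)) == IOC_PORT:
            hits.append((m.group(5), int(m.group(6))))
    return hits


# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49812     205.209.181.111:1068   ESTABLISHED     3124
  TCP    192.168.1.20:49813     198.51.100.7:443       ESTABLISHED     2210
  TCP    192.168.1.20:49814     205.209.181.111:80     TIME_WAIT       0
"""

if __name__ == "__main__":
    temp = os.environ.get("TEMP") or os.environ.get("TMPDIR") or "/tmp"
    for path in find_ioc_files(temp):
        print("suspicious file:", path)
    for state, pid in find_ioc_connections(SAMPLE_NETSTAT):
        print("connection to reported host:", state, "PID", pid)
```

The PID returned for a matching row identifies the process to inspect; as the post notes, the address may change, so a clean result here does not replace a full scan.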


  2. #2
    kys89012345 (Member)
    Thanks, be safe.

  3. #3
    Nightfinger (Member)
    There is no safety.. There is nothing left.. What now!?!!

  4. #4
    Woodlauncher (Member)
    Originally Posted by Nightfinger:
    > There is no safety.. There is nothing left.. What now!?!!

    What is that supposed to mean?

  5. #5
    void07 (Member)
    The title of this thread is incorrect and misleading.

    Authenticators have not been compromised in any way. Computers have been infected with a trojan/keylogger that intercepts your authenticator code and immediately sends it off to the hacker.

    Systems will almost always be subject to Man-in-the-middle attacks.

    Any computers running a decent antivirus should have this on pop on them.

  6. #6
    ragex1980 (Member)
    In layman's terms, man in the middle is actually a situation like this:

    enter data ---> sent to hacker ---> relayed to correct destination

    hacker just logs etc. etc.

    That's the correct design of a man-in-the-middle attack.

    It is different to logging and sending the logs to the hacker's server; that's just plain logging.

    kthx

  7. #7
    Raskel (Member)
    With this method the hacker will only have access to your account until you log in or he disconnects though. The code changes every 30 seconds so he only has a 30 second gap. When he logs out he will have to guess or hijack the code again.

    He will also never be able to remove the authenticator as it needs 2 codes to be removed.

    Basically he has time until you have cleaned your PC and accessed your account again.

  8. #8
    SpaZMonKeY (Contributor)
    Originally Posted by Raskel:
    > With this method the hacker will only have access to your account until you log in or he disconnects though. The code changes every 30 seconds so he only has a 30 second gap. When he logs out he will have to guess or hijack the code again.
    >
    > He will also never be able to remove the authenticator as it needs 2 codes to be removed.
    >
    > Basically he has time until you have cleaned your PC and accessed your account again.

    This is perfectly accurate. +Rep!

  9. #9
    Raskel (Member)
    Originally Posted by SpaZMonKeY:
    > This is perfectly accurate. +Rep!

    Mighty thanks

    I'm still sticking to my authenticator

  10. #10
    asherbourne (Member)
    anything is possible >.<

  11. #11
    Azylum (Corporal)
    Thought about this when I got mine. Knew it was possible but wth... The authenticator provides some extra security anyways.

  12. #12
    mmodame (Member)
    I was hoping this thread might have some info on what's going on because there must be some way around the authenticator. I had an authenticator on my account and was hacked after I hadn't played for over a month so it couldn't have been a man in the middle attack...how is that possible?

    Of course all Blizzard said was that authenticators aren't guaranteed and I should check my PC for keyloggers etc etc...

  13. #13
    dwsj (Private)
    I do not see any problem with this, because of the fact that the authenticator cannot be removed, and that the haxxzor needs time to bypass through every time, there's not much he can do, and besides, 11 million WoW accounts and max of 100 haxxors means it's probably going to be a while until you're even considered a target.

  14. #14
    Oloty (Member)
    Thanks! +rep for you!

  15. #15
    Tranquility [X] (Sergeant)
    This doesn't worry me too much tbqh because of various points made above.
    MMOwned V2 FTW
