Thursday, August 19, 2010

WoW account hacking and phishing - Some indirect evidence

Wilhem2451's made some intersting posts over at the Ancient Gaming Noob recently about WoW account hacking. The problem appears to be absolutely massive with Wilhelm's back of envelope calculation suggesting that up to a quarter of accounts may have been hacked. I naively assumed that all hacking was due to people falling for phising scams or being otherwise promiscuous with their passwords but a commenter on Wilhelm's blog opened my eyes when they pointed out that after a major web forum (to which I subscribe) was recently hacked a    lot of users subsequently had their WoW accounts hacked using the same usernames and passwords.  It appears that WoW is now on the the goto list for purchasers of illicit usernames and passwords so if you get hacked anywhere you can bet that your user details will be tried out on WoW next.

This was brought home to me recently when I got a WoW phishing email addressed to my runes of magic account. In an unusual for me  fit of security consciousness I set up a separate email alias for Runes of Magic and I have never used it anywhere other than to log into the game. The phishing attempt was crude but how the hell did these people get that email address?

I know we have long been warned to use separate usernames and passwords for every website but how many of us do?


Tesh said...

"The phishing attempt was crude but how the hell did these people get that email address?"

Indeed. I've received three phishing WoW emails to my filter email in the last few days. That email was never used for anything other than a trial account four years ago.

I almost wonder if these spammers/phishers are just carpet bombing hotmail email addresses, sending them out to one and all in the hopes that some fall on fertile soil.

I think this because other emails I've used for other past WoW trials don't get those phishing emails, and the one I used for my "real" account (for all of a month) hasn't received phishing spam either. Maybe my mild online paranoia paid off there. (And yes, where possible, I use different emails, passwords and such. Sometimes, I have to write 'em down to keep everything straight, though.)

Cap'n John said...

It just lends further credence to my suspicion that someone within Blizzard is selling their customers' email addresses.

That said, I still have not yet received any phishing emails in my WoW-only email account. When I do, I'll know for sure that it's Blizzard themselves who have a security leak.

Anonymous said...

I've lost 2 WoW accounts to hackers/phishers, both of them had several max level characters with lots of time invested. I'm convinced of keyloggers that get your info from the login screen and from the WoW forums.

My third account used a separate email used only for WoW, and that account still gets at least 10 phishing attempts in that email per day. PER DAY! There are literally thousands of these emails, that's all that's in the account!

Besides that, I also started pasting my password at the login screen (I have it typed in a .txt document hidden in a whole paragraph of text), stayed away from the forums, and stayed paranoid as hell, and I managed to avoid having that one stolen from me. Thus far....

mbp said...

@anonymous it sounds like you should look into that security gadget you can get for your Wow account. My wife has one from her work and it seems pretty foolproof. You gave to enter the number on the gadget as well as your password. The number on the gadget changes in some pseudo random sequence so it would be very difficult to guess.