WoW Players Targeted By Windows Flaw Exploit

grimwell writes "The BBC is carrying the story that the ANI flaw is being used to target World of Warcraft players, as hackers search for account details. 'Analysis of that malicious software showed that it lay dormant on a victim's machine until they ran World of Warcraft (WoW) at which point it captured login data and sent it to the hacking group ... Research by security firm Symantec suggests that the raw value of a WoW account is now higher than a credit card and its associated verification data.'" Doubtless, any compromised accounts would quickly see their equipment sold, and the resulting gold transferred to another account. This gold would then be sold for US currency to Real Money Traders like the company IGE.
  • A cold day in Hell.. (Score:5, Interesting)

    by zyl0x ( 987342 ) on Thursday April 05, 2007 @08:38AM (#18619571)
    World of Warcraft is considered a better target for theft than a credit card. What kind of nerds are running those crime syndicates these days? Maybe if Blizzard came down on more of these gold-selling, account-selling, and item-selling service providers, this kind of nonsense wouldn't even be an issue.
    • Re: (Score:2, Redundant)

      Maybe if Blizzard came down on more of these gold-selling, account-selling, and item-selling service providers, this kind of nonsense wouldn't even be an issue.

      I wasn't aware of these fantastic new police powers granted to Deputy Blizzard.

      And even if they could, on what grounds could you charge any of those places with a crime?
      • Re: (Score:3, Informative)

        And even if they could, on what grounds could you charge any of those places with a crime?

        Fraud and unlawful computer access, to start. Racketeering too, and possibly money laundering or false advertising.
        • Re: (Score:3, Interesting)

          You would have to prove the gold/item trading companies were complicit in any of that. It hasn't worked for online auctions, search engines or ISPs, I don't see why it would work here. They say "we are a medium - it's not our job to investigate every sale for crime. You're the police, you do it."
          • Re: (Score:2, Interesting)

            Actually, that got so irritating with pawn shops that many states require pawn shops to record serial number and seller names of any items they take in.

            So yes, playing too dumb can bring the law down on you whether you like it or not.
            • Never heard of such restrictions on pawn shops before, but unless there is a serial number on the item itself (handgun), that sounds like a joke. I'll do the same thing I do for online forms. John Smith. 123 Silly Lane.
              • Re: (Score:3, Insightful)

                by snarlydwarf ( 532865 )
                And I hope you have ID to match that. Again, in many states, ID is required.

                Business Watch International (see BWIPOLICE.COM, for example) maintains database servers for pawn transactions, and many municipalities are changing their laws to require pawn shops to report their transactions electronically. (Here in the Eugene, Oregon area, for example, that is now the law. Not paper pawn slips for the police to wade through, but databases they have live access to.)

                Of course, it could even be argued that these sort
                • If yes, then why is getting it as a drop not considered taxable income?

                  The corollary would be pretty interesting: suing for access to the drop tables if your loot percentage does not match posted approximations.
      • by Aladrin ( 926209 ) on Thursday April 05, 2007 @08:47AM (#18619711)
        What hole have you been hiding in? Anything that happens on Blizzard's servers is THEIR property. They can do whatever they like with it. By 'come down on' he means 'ban accounts'. If these 'gold-selling, account-selling, and item-selling service providers' lose more money than they make, they'll have to give up. It takes time and effort to amass stuff to sell, and there are companies -paying- people to amass it. If they have no way to do their thing, they'll have to stop.

        Having said that, short of shutting down all the servers, there's no way to stop it. Even having to start from scratch constantly, they'll still make enough money to keep going and hopefully outlast Blizzard's fury. Blizzard can't afford to hire enough people to police this well enough to stop it.
        • by ab0mb88 ( 541388 )
          Blizzard can't afford to hire enough people to police this well enough to stop it.

          This seems to me to be a simple matter of creating a script to record all transactions that include so much gold and then filter by transactions per user and transactions that do not include a major item. This could not require that many staff members.
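The heuristic sketched in the comment above, written out as an added example (not code from the thread or from Blizzard): a detector over a constructed trade log that keeps large gold-only transfers and groups them by receiving account, since a drained account's gold has to land somewhere. The log format, the 500-gold threshold and the "major item" quality labels are assumptions.

```python
# Added example (not code from the original thread or from Blizzard): a small
# detector over a constructed trade log that implements the heuristic proposed
# in the comment above: keep transfers carrying a lot of gold with no major
# item in return, then group them by account. The log format, threshold and
# quality labels are all assumptions made for this example.
from collections import defaultdict
from dataclasses import dataclass

GOLD_THRESHOLD = 500                         # assumed cut-off, in gold
MAJOR_ITEM_QUALITY = {"epic", "legendary"}   # assumed "major item" labels


@dataclass
class Trade:
    ts: str
    sender: str
    receiver: str
    gold: int
    item: str       # "-" when no item changed hands
    quality: str    # "-" when no item changed hands


# Constructed sample log: one trade per line,
# "<timestamp> <sender> <receiver> <gold> <item> <quality>".
SAMPLE_LOG = """
2007-04-05T08:38 thrall_fan mulebank 1200 - -
2007-04-05T08:41 gnomemage mulebank 900 - -
2007-04-05T08:45 rogueone mulebank 2500 - -
2007-04-05T09:02 priestess healerbob 30 - -
2007-04-05T09:10 warriorx auctionguy 800 Sulfuras epic
2007-04-05T09:15 casualjoe friendjane 600 - -
bad line that should be skipped
"""


def parse_trade_log(text):
    """Turn the log text into Trade records, skipping malformed lines."""
    trades = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[3].isdigit():
            continue
        ts, sender, receiver, gold, item, quality = parts
        trades.append(Trade(ts, sender, receiver, int(gold), item, quality))
    return trades


def suspicious_trades(trades, threshold=GOLD_THRESHOLD):
    """Transfers at or above the threshold where no major item came back:
    gold moving for nothing is what a drained account looks like."""
    return [t for t in trades
            if t.gold >= threshold and t.quality not in MAJOR_ITEM_QUALITY]


def flag_receivers(trades, threshold=GOLD_THRESHOLD, min_senders=2):
    """Receivers collecting such transfers from several distinct senders
    are the candidate 'mule' accounts that stolen gold is funnelled into."""
    senders_by_receiver = defaultdict(set)
    for t in suspicious_trades(trades, threshold):
        senders_by_receiver[t.receiver].add(t.sender)
    return {r: s for r, s in senders_by_receiver.items() if len(s) >= min_senders}


TRADES = parse_trade_log(SAMPLE_LOG)

if __name__ == "__main__":
    for receiver, senders in flag_receivers(TRADES).items():
        print(f"review {receiver}: large gold-only transfers from {sorted(senders)}")
```

A legitimate gift (casualjoe to friendjane above) passes the per-trade filter but not the grouping step, which is why the second stage matters more than the raw threshold.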
        • Well there's a way to get around this, if Blizzard were so inclined.

          It would involve an added security feature. When an account is created, present the user with a pile of unique graphics (could even be spell/item/etc icons from the game). Make the user pick, say, three out of the pile.

          When the user logs in later, present the user with several of these graphics, with ONE of 'em being one of their choices from the get to. User clicks on the right graphic, they log in.

          It's pretty much purely a visual thing - n
          • Err, "get-GO" not "get to". :P
          • by Graff ( 532189 )
            Even easier - stop having people log in.

            You should only have to enter your account name and password once, the first time you log onto the account. Blizzard could then encrypt your password along with some details unique to your computer system and use that to automatically verify your account the next time you log in.

            If for some reason Blizzard needs to re-create the stored, encrypted password then it could ask you for the password again but with a statement to the effect of "Blizzard can no longer find y
            • Re: (Score:3, Interesting)

              by dknj ( 441802 )
              To: Graff
              Subject: Blizzard can no longer find your stored password

              Dear World of Warcraft User,

              We are unable to find your stored password. As you know, you should only have to input your username and password once to connect to our WoW servers from your gaming machine. Unfortunately, it would appear that you have done one of the following:

              - Reinstalled Windows or erased a critical part of World of Warcraft
              • by Graff ( 532189 )
                Cute, but this is just social engineering and can be done just as easily with the password system that is currently in place.

                My idea is that Blizzard should try to have people enter their passwords as little as possible because each time you type in a password that's one more chance for a keylogger to capture your password. By only requiring people to enter their passwords the initial time you log in you make it so that a keylogger only has one chance to get your password rather than a chance every single
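The scheme Graff describes in the two comments above (password typed once, then something derived from it plus machine details used for later logins), written out as an added example that is not code from the thread or from Blizzard. It stores a server-minted token bound to a machine fingerprint rather than the password itself; the account store, the fingerprint inputs and the "password_required" response are assumptions.

```python
# Added example (not code from the original thread or from Blizzard): a sketch
# of the login flow proposed above, where the password is typed once and the
# client afterwards presents a token bound to the machine. The account data,
# fingerprint inputs and the "password_required" response are assumptions.
import hashlib
import hmac
import os
import secrets

SERVER_KEY = secrets.token_bytes(32)   # stays on the server; never sent to clients

ACCOUNTS = {}   # constructed store: account -> (salt, password hash)


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(account, password):
    salt = os.urandom(16)
    ACCOUNTS[account] = (salt, _hash_password(password, salt))


def device_fingerprint(machine_details):
    """Digest of 'details unique to your computer system' (constructed list)."""
    return hashlib.sha256("|".join(machine_details).encode()).hexdigest()


def issue_device_token(account, fingerprint):
    """Token bound to account and machine; only the server can mint it."""
    msg = f"{account}:{fingerprint}".encode()
    return hmac.new(SERVER_KEY, msg, "sha256").hexdigest()


def first_login(account, password, machine_details):
    """The one time the password is typed. Returns the token the client
    stores in place of the password, or None when the password is wrong."""
    salt, stored = ACCOUNTS.get(account, (None, None))
    if stored is None:
        return None
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return None
    return issue_device_token(account, device_fingerprint(machine_details))


def later_login(account, token, machine_details):
    """Every later login: token plus current machine details, no password.
    'password_required' is the case the thread jokes about: a reinstall or
    a new machine changes the fingerprint, so the stored token no longer fits."""
    expected = issue_device_token(account, device_fingerprint(machine_details))
    if hmac.compare_digest(expected, token):
        return "ok"
    return "password_required"


# Constructed account and machine details for the demonstration.
register("graff", "correct horse battery staple")
HOME_PC = ["hostname=gnomepc", "mac=00-11-22-33-44-55", "disk=SN12345"]
NEW_PC = ["hostname=gnomepc2", "mac=66-77-88-99-AA-BB", "disk=SN67890"]
```

This removes the repeated password entry that a keylogger feeds on, but a trojan already on the machine can read the stored token and see the same fingerprint inputs, so it narrows the exposure rather than closing it.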
          Read that on the forums, had the same response (though I didn't post it as others beat me to it): Solves nothing.

            Recording mouse movement and clicks is not any harder than recording keystrokes (okay, it's more data and a little harder to sort through, but still trivial for any high school kid with an outdated warez copy of VB).

            In your main loop, check the list of open processes or windows and look for WoW. Wait a few seconds before next check if it isn't open.

            If it's open, hook the mouse press event. Every clic
        • by ClamIAm ( 926466 )
          Anything that happens on Blizzard's servers is THEIR property. They can do whatever they like with it.

          This would be true if Blizzard and their servers resided in Libertarianfantasystan. But this is not the case, so Blizzard and their property are subject to the laws and regulations of the country(ies) they do business in.
        • by Snaller ( 147050 )
          Anything that happens on Blizzard's servers is THEIR property.

          It is of course a sick twisted law that makes something entirely non-existing PROPERTY.

          Having said that, short of shutting down all the servers, there's no way to stop it.

      • by zyl0x ( 987342 )
        Considering that Blizzard explicitly states in their EULA that all items, accounts, and data within is owned exclusively by Blizzard, I would say that they have excellent reason to sue these companies for illegally reselling property that does not belong to them.
        • Wut.

          Blizzard: You illegally resold our property
          Company: How? You owned it the whole time, it was on your server. At what point was the item out of your hands? When was it "sold?"
          • Re: (Score:3, Insightful)

            by Senjutsu ( 614542 )
            By your logic, it's legal for me to sell someone the Brooklyn Bridge. After all, New York still owns it after I'm done, so where's the crime?
        • by jafuser ( 112236 )
          This kind of reminds me of the businesses that "sell" lunar property, or the right to name a star.
      • by Sancho ( 17056 )
        Their terms of service prohibit the sale of items/gold outside of the game. They can cancel the accounts of people who do this, and order the cancellation of eBay auctions (after all, the 'property' that is sold doesn't belong to the ebayer, it belongs to Blizzard). I'm not sure what steps they could take against non-US sellers, though.
        • by Pojut ( 1027544 )
          If I remember correctly, most companies like IGE don't ask you to pay for the items...they are asking you to pay for their TIME.

          This is why they are able to stay in business...they aren't selling you gold, they are selling you time. There is nothing illegal about trading gold from one toon to another in-game, and since real world money is exchanged out of the game for a commodity that they don't own (unless Blizzard is Father Time), there isn't much Blizzard can do.

        • by 0racle ( 667029 )
          Nothing, or this problem would have been solved long ago. WoW isn't the first game to have to deal with this.
      • Probably on the grounds of the EULA that you agreed to to run their software and access their servers. Doesn't it basically say that you are entitled to throw money at them, and they can do whatever the hell they want?
    • Re: (Score:3, Insightful)

      by faloi ( 738831 )
      It probably is a better target, or at least safer. There's nothing illegal (AFAIK) about selling accounts and gold, and I imagine it'd be tough to prove who actually stole the account. The worst thing most people who engage in this behavior have to look forward to is an account suspension, whether you're buying or selling.
    • by Daravon ( 848487 )
      Diversify yourself! Write a program to turn some computers into a bot-net for spamming. Create a few phishing sites. After a while you get bored so you write a program just to steal gaming accounts to let people steal in-game crap from people to sell for money. If you're writing the programs for other people, a sale is a sale. If you're doing the rest of the work, then you're just picking up another easy (comparatively) source of income.
    • by MyIS ( 834233 ) on Thursday April 05, 2007 @09:18AM (#18620149) Homepage

      Ah, history is full of examples of how making something illegal completely eliminates it. *rolls eyes* More laws make more criminals, and if Blizzard came down on this, they would only drive this arms-race to higher levels. *OR* they could cash in on this (first and foremost), and also improve the game so that IT ISN'T A FRICKEN SECOND JOB!

      See, this is why I quit WoW - the fact that 90% of the time one has to "farm" or wait for a raid to assemble, or dully point their running character along some path across the map. I paid them money to escape the daily grind, and look what happened - I got into an even more boring grind. And, of course, there is no way to escape that grind either, because that's the only way to even get to the "fun" 10% of the game.

      If Blizzard made the game actually *fun* to play almost all the time, then no one would see the incentive to pay someone else to get through the boring stuff! And voila, no gold-farmers, no hacking accounts, no Slashdot story.

      • by MBGMorden ( 803437 ) on Thursday April 05, 2007 @09:58AM (#18620821)

        If Blizzard made the game actually *fun* to play almost all the time, then no one would see the incentive to pay someone else to get through the boring stuff! And voila, no gold-farmers, no hacking accounts, no Slashdot story.
        Yep, and they'd lose a lot of paying customers shortly afterwards. Here's the rub with games like WoW: they're largely a pissing contest where people like to gloat about how much better stats they have, how much better their gear is, how high their tradeskills are, etc. (and this is coming from someone who actually does play the game quite regularly).

        If they took out the grind, the coveted "status" that so many either love to maintain, or love to strive for, vanishes. Everybody is left with just the game for the game's sake, which while arguably the way it "should be" won't work for WoW because the game engine itself isn't the most interesting thing in the world.

        That's mainly why all the gear in TBC was so overpowered compared to the original campaign. People were finally getting to the point where many realized they were NEVER gonna make it into BWL, much less Naxx, and starting to lose interest. They gave them some major gear upgrades so that they can feel like "wow, I'm a badass - this stuff blows away the gear I saw those raiding guys walking around with a few weeks ago". Then they get back on the treadmill to try and reach that status again. Stupid, but if you take away the treadmill a lot of them will see no point.
        • I was really glad to see the "overpoweredness" of the gear that I got in Outland, because (for a little while, at least) it significantly reduced the gap between me and the people that can spend 20 hours a day grinding in the game for uber-gear. It was nice to go into a level 70 battleground and have a realistic chance of winning because nobody had an outrageous gear advantage. Sure, that gap will reappear shortly, but it's nice while it lasts. Hopefully there will be more expansions in the future...

        • They're not mutually exclusive, as you imply. In short: make the "grind" fun. Look at Ultima Online circa 1997-2000 for an example of how to do things differently. Yeah, the WoW system is so simple that the grind is all they have, but it doesn't have to be that way.
      • Ya know, you can play any number of other games that are halfway decent. Pick up an old copy of Sacrifice or Total Annihilation. It'll look dated, but one thing you aren't doing at any time is grinding.

        Do people realize how mathematically futile it is to gain that big piece of equipment that raises your damage by 1%? The inability to change what you are by more than a few percent is their lazy man's way to balance.

        If you must have a MMORPG, try City of Heroes. In it, you get:

        - Cheap (free) high speed tr
        • by Sancho ( 17056 )
          You get to double your damage? That's pretty cool. How fast do your enemies' HP increase?

          Ultimately, it's all about scale. If any MMO allowed you to vastly increase your power compared to the enemies you are expected to fight at that point in your character's development, the games would be mind-numbingly boring. My guess is that CoH enemies' HP increases at a faster rate than WoW's, or that there are other ways in which a scale reasonably similar to WoW is maintained.

          A better system might be a system of
      • by brkello ( 642429 )
        Wrong. Everyone wants the shortcut. Even if something is fun to one person, it isn't to another and they are willing to pay to get it done so they can concentrate on what they find fun.
    • by xemit ( 1037320 )
      Funny thing is a group of us were having a similar discussion about the gold trading in another smaller online game. MTV did a special on the RMT.
  • While I'm no fan of gold farmers and in-game currency traders, is there any evidence to justify naming IGE in that addendum? What justifies that?
    • by pslam ( 97660 ) on Thursday April 05, 2007 @08:49AM (#18619733) Homepage Journal
      While I'm no fan of gold farmers and in-game currency traders, is there any evidence to justify naming IGE in that addendum? What justifies that?

      Why, you could click on their web page and note the tagline "IGE, Buy WOW Gold, World of Warcraft Gold, FFXI Gil, Final Fantasy XI Gil, Lineage 2 Adena". These guys are assholes and proud of it. They don't deserve apologists.

      Maybe I should also dig up the evidence that in the past they were involved in authoring trojans...

      • Not to mention involved in large-scale economy manipulation in EQ and other games.

        Basically, when 1 company buys everything (and buys up competitors who start up buying companies for resale), you're forced to buy from them, they can jack up the price to whatever they want.

        The irony of the whole situation is that because they jack up the price of "UberSword001", you're 'forced' (yes, not forced, but you're left with few in-game options aside from farming a ton) to purchase gold/plat from IGE. They use the p
      • by g051051 ( 71145 )
        I understand about IGE, and don't like their business, but it's unjustified in this case to suddenly throw them in at the end in a blurb where the actual article doesn't have any mention of it. Regardless of their sleazy dealings, there's no reason to associate their name with this trojan as if they were connected.
        • by pslam ( 97660 )
          The point is, there would be very little market for these stolen goods if the assholes at IGE didn't exist and there wasn't such a readily available black market for in-game gold for out-of-game cash trading.

          Using their "service" is against the game rules and cheating. Every time you buy from them, you are funding this legal (but totally unethical) black market, as well as indirectly funding the illegal criminal element that writes trojans to steal your stuff instead. If it weren't for the IGE link, this wo

          • The market exists already and would have had IGE never existed. IGE is providing a service that makes the market a bit less scary and puts a 'We aren't here to steal your credit card information' face on it.
            • by pslam ( 97660 )
              I hate defeatists.
              • And I hate people that refuse to recognize the truth just because it contradicts their naive fantasies. You'll have far more success solving problems if you're willing to accept the truth about the source of those problems.

                The truth is that many WoW players prefer to trade cash for gold instead of time for gold. Until you deal with this demand, you'll never achieve your ideal fantasy world uncorrupted by companies like IGE.

                • by dave562 ( 969951 )
                  The truth is that many WoW players prefer to trade cash for gold instead of time for gold. Until you deal with this demand, you'll never achieve your ideal fantasy world uncorrupted by companies like IGE.

                  I am about at that point myself. I play WoW on a casual basis. I started playing about six months ago and my main is up to level 62. I still don't have an epic mount and the amount of time required to get one is ridiculous. I don't even want to spend the time that it would take to come up with 540 gold

                  • Do what I did. Grind to 70 avoiding all questing in Netherstorm or Blades Edge mountain. Once you're 70, you get dramatically more gold per quest. Then do your questing and you'll find yourself making 50g-100g per hour, not to mention all the quests are easier than they would have been if you did them at their prescribed level.

                    I think I was the only person in Outland riding a 60% horse at 70, but I farmed my epic and flying mounts fairly quickly after hitting 70.
      • by Snaller ( 147050 )
        These guys are assholes and proud of it.

        But at least they never spam people in-game, like the 500 other loser outfits.
  • by Sciros ( 986030 ) on Thursday April 05, 2007 @08:46AM (#18619685) Journal
    Is there some sort of big warning popup in WoW for players as they start the game up (prior to entering a username/password)? I know that Guild Wars has special "news items" alongside the login form that you can read without having to actually log into your account. It would be cool if Blizzard (heck, and ArenaNet) had a giant warning that came up for the next few days informing people of this issue and of the upcoming fix from MS (or am I confusing my vulnerabilities/fixes here?...). That might help folks out perhaps.
    • No, they are exploiting ANI. However a patch for this exploit has been released by Microsoft and is available via Windows Update.
  • Irony? (Score:1, Insightful)

    by Anonymous Coward
    I didn't RTFA but I'm assuming you have to go to one of those "power lvl" sites for this to happen (or any other site). That means that people that buy gold and items (illegal according to Blizz) with real cash have big chances of getting hacked. If all this is true, why should Blizzard care? This is their anti-power lvl system. RandomGM: WORKING AS INTENDED.
    • That's why you're supposed to RTFA.

      From the article:

      Analysis of that malicious software showed that it lay dormant on a victim's machine until they ran World of Warcraft (WoW) at which point it captured login data and sent it to the hacking group.

      This means that you can visit a site that exploits the vulnerability, in this case it was a Super Bowl website, and your account will be pwnd next time you log on.
  • by Culture ( 575650 ) on Thursday April 05, 2007 @09:05AM (#18619961)
    I just hope no one ever figures out a way to do this with Slashdot accounts. If WoW accounts are more valuable than credit cards, then Slashdot accounts must be more valuable than, I guess, say Dilithium Crystals or Ewok slaves. I think I'm finally going to have to upgrade to Windows98 from Windows95. It probably is mature enough at this point.
  • by RealErmine ( 621439 ) <commerce.wordhole@net> on Thursday April 05, 2007 @09:15AM (#18620089)

    What Microsoft should have done, instead of investing significant amounts of its own resources into the security patch, was tether a huge, yellow exclamation point over the Redmond campus. Wayward WoW players would be inexorably drawn to it where they would find a Non-payroll Personnel Coordinator (NPC) who would relate to them the details of the bug and why it needs to be fixed. Harvesting the collective zeal of the WoW community in such a fashion, the solution to the issue would have been presented to Microsoft promptly and at little expense. Patch notes could even be copied and pasted directly from the resulting Wowwiki page.

    Incidentally, I plan to use a similar process to reduce the amount of manual labor around the home.

  • by Greyfox ( 87712 )
    Must suck having to worry about Windows exploits when you play WoW. One of my arena team members was complaining the other day that she needed another gigabyte of RAM to play WoW in Vista, too. I don't know if this is an issue in OSX since all my Apple machines came with 2gb.

    There's been a recent surge in the number of gold farming and leveling service spammers in the game lately, too. Your only recourse with those is to disable the whisper channel, which you can do from the chat menu. Unfortunately then

    • by tweek ( 18111 )
      Do what I do. Simple verbal harassment complaint:

      Player XXXXXXXX is whisper spamming website for gold and powerleveling services in area (STV|Barrens|wherever)

      EVERY GM I've talked to thus far has said they don't mind getting these reports and that this is currently the preferred method.

      The only time it's a pain is when I'm in the middle of a mob.

      The way that would make it easier is to put functionality into the problem report to select a name from recent whispers. I know who foo and bar and baz
      • by Kennego ( 963972 )
        It's just unfortunate that although this might ban the offending person, there's nothing stopping them from making another trial account and starting all over again, which is why I don't bother. I have never seen the same username spam about gold twice on my server, and that's because they don't have to use the same one.

        The idea the GP had was fantastic, an option to ignore messages from trial accounts, but I imagine Blizzard would never implement this for fear of it damaging the "community."
        • Another option might be to require a credit-card for trial accounts. They could do the thing where they verify the credit card without actually placing a charge on it. Credit cards associated with accounts banned for farming/advertising would be barred from creating new accounts. This would mean the farmers would need to have a steady supply of credit cards to be able to keep up which should raise the bar a little. And having the credit card on file could make things easier on legitimate trial accounts
          • by Greyfox ( 87712 )
            They demanded one from my room mate when she signed up for a trial account. I suspect that the spammers sign up with stolen ones.
          • Yup, I can confirm -- they do require a credit card (I had to enter mine to use the Guest pass I got from a friend).
        • by tweek ( 18111 )
          That would actually hurt me as well (ignore from trial) because we have a guild we're building made up of people at work and people often use the trial copy to get rolling and decide if they want to play or just *listen* to us throw words around like aggro, dps, tank and zerg ;)
          • by Greyfox ( 87712 )
            Yeah and I've helped out quite a few guys on trial accounts myself. I usually don't notice (They don't mention it) until I try to give 'em something to help them along and find that I can't. You can't trade stuff with trial accounts.

            Still, being able to ignore trial accounts would probably be a better option than completely disabling the whisper channel or installing a mod so that only people in your friends list or guild can whisper you.

    • by Graff ( 532189 )
      I agree with you about Windows and exploits.

      I don't want to get into a huge pissing contest about what operating system is best, whatever you like to use is great, however I honestly don't understand how anyone can run an operating system that gets exploited constantly. I know that Windows is the big target and Mac OS X is not completely invulnerable to being exploited but the fact is that right now there are no exploits in the wild for Mac OS X.

      I use both Windows (I manage a bunch of Windows boxes at work
    • by Gropo ( 445879 )
      Get in the habit of opening a GM harassment ticket whenever you're spammed (and don't mind a little time investment). At the very least when Blizzard realizes how much of its paid employees' time is being wasted chopping off trial account heads they'll be more reticent to do something proactive about it. I wondered why they didn't just disable the /w ability for trial accounts altogether, your idea is far more sensible.

      The obvious question is: why can't they flag an account for issuing a rapid series of ide

  • There is a simple solution to this. Instead of banning accounts and ignoring the fact that no matter what they do, people are going to pay hard cash for in game items, Blizzard should follow Sony's lead.

    If they would control the whole secondary market process, it would help them track stolen property and give them a lucrative second source of income. Instead, they would rather take a hard stance and deny this is even happening.

    • by pslam ( 97660 )
      No, then the game would suck even more than it currently does. Sony put a nail in the coffin of EQ1/2 when they did that and pretty much every authoritative commentator out there said it was yet another in a long string of extremely dumb moves by them.

      There simply isn't any benefit to this. The solution, which I would never have suggested a year ago, is for them to stop bothering with the gold sellers and to start banning the gold users. Unfortunately the problem with WoW at the moment is the user base. T

    • I'm not sure I'd call it "simple." It could kill the game by making it impossible to enjoy - the guys that can spend 16 hours a day grinding for gear would now also be able to safely spend real money (that they don't have to spend on rent because they're living in mom's basement) to buy even better gear and make things like battlegrounds even less fun for casual gamers.

      Then again, maybe they're already doing that via the gold/item/level farmers. Maybe a legitimate exchange system for real-world money woul
      • Maybe WoW needs another way to advance characters other than with gold or items, much like Everquest does. WoW seems completely gear driven. If a casual player could earn points towards new abilities maybe it would give them a leg up on the rich hard-core loot/gold mongers. Just a thought.
        • Re: (Score:3, Insightful)

          It would be nice if there was some equivalent to the "rested XP" bonus once you've reached max level; some benefit that casual gamers would receive for not being online all the time. I'm sure the hard-core people would whine about it, but I doubt many of them would quit over it (as long as it wasn't some outrageous benefit).
        In almost any MMORPG your toon is 95% gear, 4% Luck/Time and 1% skill. Doesn't matter if it's EQ2, WoW or any other level based game. Once you cap out your level the only things that can differentiate your toon are gear and skill. If the difficulty of a game is too great many people will not make it to the max level. AA XP a la EQ/EQ2 is just another leveling metric, it just makes the treadmill run a bit longer. My personal favorite piece of Vaporware currently is [] . It seems to
  • tends to use Mac Minis to play WoW on.

    My female gnome mage giggles at the Windows ANI exploit!