

World of Warcraft - Man in the middle attack in the wild - illumin8
http://www.mmo-champion.com/news-2/authenticator-accounts-hacked-icc-quests-crimson-deathcharger/

======
icey
It must be fascinating to work on the anti-goldseller/theft/fraud team at
Blizzard. I would imagine they're the largest target for this sort of
activity, and get to see some seriously crazy stuff.

------
illumin8
To my knowledge, this is the first attack that is in the wild against RSA and
similar SecurID token type devices. Basically, the virus intercepts your
keystrokes while you are logging in, instantly submitting your constantly
changing code to Blizzard, and removing the authenticator device from your
account.

I read before that the average World of Warcraft account is worth about $10 on
the black market, much higher than a credit card number, so that explains why
it is one of the first targets for new and innovative hacks that are designed
to thwart 2-factor authentication.

~~~
cheald
WoW authenticator tokens are single-use with a 30-second lifetime. On one
hand, it's a testament to Blizzard's effectiveness in pushing them on the
playerbase - the fact that enough accounts are protected by them now that the
bad guys have to target them specifically is pretty impressive. On the other
hand, it's scary that we're at the point now that the bad guys are developing
attacks against hardware token-protected accounts.

I've read the same thing about a WoW account - it's worth more than a stolen
credit card, and is significantly easier to get ahold of. Not what I'd expect,
at all, but given the lengths the bad guys go to in order to steal accounts,
it seems like it lines up.

------
jmatt
There has to be a way to fix this through changing their process when dropping
your authenticator.

One solution off the top of my head is to add an additional special question
to admin tasks. Users very rarely if ever go to the Blizzard admin page and
thus won't be typing a special question in when they are just logging in to
the game. Another solution is to confirm such authenticator drops through
email or text. Both of these could be quickly implemented. And both could be
used to alert Blizzard and the user that they are infected.

The real problem here is rootkits + trojans that are just trouncing these
unpatched old Windows boxes.

I still haven't figured out how people end up with these trojans. Everyone
that I know who plays WoW is deathly afraid of getting "infected". Yet they
still don't all have authenticators and they still manage to run trojans. Hmm.
I blame porn ~ I don't know what else it could be.

EDIT: elaboration. paragraph 2 sentence 5 if you must know.

~~~
cheald
The vast majority of infections are due to Flash-based ads targeting older
Flash installs, which are then targeted to be run on gaming sites. The days of
opening emails with attached .SCR files are long behind us.

Blizzard does require that you provide two consecutive codes when removing an
authenticator from an account, so I'm not quite sure how you'd coerce a user
into providing two codes back-to-back, unless they just keep spamming tokens
into the system. You could get around that by introducing, say, a 15-minute
email-based delay that asks for a second auth code:

1) Log into account management (token required), request authenticator be
dropped.

2) Request authenticator token. Validate token.

3) Stick request on the queue.

4) In 15 minutes, email the user with a link that includes a URL token
validating the request. The link takes them to a page that asks for another
token.

5) The authenticator is dropped upon receipt of the second valid token.

Most players, no matter how impatient, aren't going to sit at their computers
for 15 minutes punching in auth codes. They'll give up after 3 or 4, max. The
additional email ownership verification step, with the time delay between code
entries, should at least buffer you against authenticator-drop attacks.
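
As an added example, not part of cheald's comment and not Blizzard's code, the Python sketch below implements the five-step flow above together with the single-use, 30-second token property mentioned earlier in the thread. It assumes a standard TOTP construction (HMAC-SHA1, 30-second step, 6 digits), enforces single use by accepting at most one code per 30-second step (an assumption about how to implement "single-use", not a description of Blizzard's actual check), and uses a hypothetical `send_email` callback, a constructed secret, a made-up account name and the placeholder URL `https://example.invalid`:

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

# Constructed example: a single-use TOTP verifier (RFC 6238 style: HMAC-SHA1,
# 30-second step, 6 digits) and a two-phase authenticator-removal service.
# The secret, account name and URL are made-up values for the demonstration.

STEP_SECONDS = 30
DIGITS = 6
DELAY_SECONDS = 15 * 60  # the 15-minute wait before the confirmation email goes out


def totp(secret: bytes, now: float) -> str:
    """Compute the 6-digit code for the 30-second step containing `now`."""
    counter = int(now // STEP_SECONDS)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class Authenticator:
    """Verifies codes and enforces single use: at most one accepted code per step,
    so a code captured and replayed inside its 30-second lifetime is rejected."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1  # step of the last accepted code

    def verify(self, code: str, now: float) -> bool:
        counter = int(now // STEP_SECONDS)
        if counter <= self.last_counter:
            return False  # a code for this step (or an earlier one) was already used
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return False
        self.last_counter = counter
        return True


@dataclass
class PendingRemoval:
    account: str
    not_before: float  # earliest time the confirmation email may be sent
    emailed: bool = False


class RemovalService:
    """Steps 1-5 from the comment: the first code queues the request, the emailed
    link becomes usable after the delay, and a second valid code completes the drop."""

    def __init__(self, auth: Authenticator, send_email):
        self.auth = auth
        self.send_email = send_email  # hypothetical mailer: callback(account, link)
        self.pending = {}  # url_token -> PendingRemoval
        self.removed = set()  # accounts whose authenticator has been dropped

    def request_removal(self, account: str, code: str, now: float):
        """Steps 1-3: validate a fresh code and put the request on the queue.
        Returns the URL token, or None if the code is bad or already used."""
        if not self.auth.verify(code, now):
            return None
        url_token = secrets.token_urlsafe(32)
        self.pending[url_token] = PendingRemoval(account, now + DELAY_SECONDS)
        return url_token

    def deliver_pending(self, now: float) -> int:
        """Step 4: once the delay has passed, email the link carrying the URL token.
        Returns how many emails were sent on this pass."""
        sent = 0
        for token, rec in self.pending.items():
            if not rec.emailed and now >= rec.not_before:
                self.send_email(rec.account, f"https://example.invalid/drop?t={token}")
                rec.emailed = True
                sent += 1
        return sent

    def confirm_removal(self, url_token: str, code: str, now: float) -> bool:
        """Step 5: the link's token plus a second valid code drops the authenticator.
        The code is not consumed unless the request is actually confirmable."""
        rec = self.pending.get(url_token)
        if rec is None or not rec.emailed or now < rec.not_before:
            return False
        if not self.auth.verify(code, now):
            return False
        del self.pending[url_token]
        self.removed.add(rec.account)
        return True


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    outbox = []
    svc = RemovalService(Authenticator(secret), lambda acct, link: outbox.append((acct, link)))
    t0 = 1_700_000_000.0
    token = svc.request_removal("player1", totp(secret, t0), t0)
    print("replayed code accepted?", svc.request_removal("player1", totp(secret, t0), t0 + 5) is not None)
    print("emails sent after 15 min:", svc.deliver_pending(t0 + 900))
    print("dropped:", svc.confirm_removal(token, totp(secret, t0 + 930), t0 + 930))
```

The point of the split is that a keylogger which captures one code at login gets nothing it can use: that code is consumed by the login itself, the removal needs a second code after the delay, and the confirmation link only arrives in the mailbox, so the attacker also needs the email account. The `not rec.emailed` check also means a code submitted early is rejected before it is consumed, so an impatient user does not burn codes for nothing.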

------
pieter
AFAIK this isn't a man in the middle attack. This was only possible because
the host was infected, allowing capturing of the token before it was sent over
a secure (e.g. SSL) line.

Capturing the token wouldn't really be necessary. The attackers could just use
the session created by the user to do their stuff (use the infected machine as
a proxy). Capturing the token is just simpler, that's all.

~~~
cheald
It's classically MITM. MITM is just a "man in the middle" intercepting data and
changing it before it gets reported to either side, then using the original
data to their own benefit. There isn't a defined "middle" point, other than
"in between the source and the destination"; if the "middle" is on the
victim's machine, it's still a valid MITM.

------
henning
Hooray for having a Mac, a platform it's relatively unprofitable to develop
viruses and malware for!

~~~
dagobart
Same for Linux. Regarding fraud profitability, I wonder whether it's really
that good an idea to evangelize to get Windows users to switch platforms.

