No end in sight to hacking of 'WoW' accounts

'Tens of thousands' of players' accounts have been compromised with keylogging exploit, security experts say.
Written by Daniel Terdiman, Contributor
A correction was made to this story. Read below for details.

If you're a World of Warcraft player using Windows, beware.

For months, hackers--most likely in China and Russia, according to security watchers--have been surreptitiously installing keylogging software on WoW players' Windows computers, hijacking their accounts and selling off their often valuable in-game assets.

And the problem doesn't show any signs of going away.

The gangs perpetrating the hacking are "incredibly active, and it's a good exploit," said Roger Thompson, CTO of security software developer Exploit Prevention Labs. "It's probably a conservative estimate to say that there's tens of thousands of victims."

The exploit works when unsuspecting WoW players visit any number of Web sites infected by the hackers with keylogging software. When the players visit the sites--which are often unrelated to WoW, but that players frequent, Thompson said--the software is quietly installed on their computers, allowing the hackers to spy on keystrokes and steal players' WoW passwords.

While the software could easily be used to hack into players' accounts in almost any online game, there's no evidence the victims are anybody but players of WoW.

"It's only a matter of what they want to do," Thompson said of the hackers' choice to attack only WoW accounts. "The guys working out how to do it are WoW players. We're pretty sure we know who (most of them) are: a couple of Chinese college students, and it turns out they're interested in WoW."

Thompson said he suspects that a Russian gang may also be involved.

Many of the victims, no doubt, have experiences similar to that of Dag Friedman, a 37-year-old math teacher from Sacramento, Calif.

Last month, Friedman wrote on the WorldofWar.net--an unofficial WoW community site--that he had recently discovered that one of his WoW accounts had been permanently banned by the game's publisher, Blizzard Entertainment. According to an e-mail he received, the banning was punishment for "account sharing," a violation of the game's terms of service in which players give others their passwords and access to their accounts.

Friedman wrote that he had tried to get Blizzard to explain what happened, but had gotten no initial response. Weeks later, however, he was contacted by Blizzard, which told him it had reinstated his account and restored his lost items.

Contacted by CNET News.com, Friedman said he had since had another WoW account hacked, and that he was disturbed that someone had broken into his computer.

Worse, in the middle of an instant-message conversation with CNET News.com, Friedman reported that he had just discovered that yet another of his accounts had been broken into and all its contents pilfered.

For its part, Blizzard said it's addressing the problem by informing players that they should ensure their computers are safe against malware.

"This really comes down to a security issue, and obviously I am not taking the necessary steps to make my home computer secure enough."
--Dag Friedman, WoW player

An "important means of protecting your account information is keeping your system up-to-date," Blizzard wrote in an April 6 forum posting on the official WoW Web site. "For instance, installing the latest Windows security patch is a good way to avoid exploits designed to steal your login and password details."

But some players would be the first to admit they do a poor job of updating their security software. As a result, they are perfect targets for hackers.

Friedman, in fact, acknowledged that he is lax about such things.

"This really comes down to a security issue," Friedman said, "and obviously I am not taking the necessary steps to make my home computer secure enough."

Friedman also said he appreciates that Blizzard is acting quickly to shut down accounts after they have been compromised, since it alerts players to problems with their computers.

"I think that it is good that they are so quick to ban the account," he said. "I would not have been aware of this situation if they had not been so quick to act. Who knows what other types of information could have been accessed?"

There are more than 8 million WoW players, so even if tens of thousands are finding their accounts compromised, that's still a very small percentage of the total.

But for the hackers, the rewards can be substantial. That's because many players hoard gold, weapons, spells or armor worth a lot of money on the open market. Even though Blizzard doesn't officially allow players to buy or sell those goods, there is a thriving market for them (and that's in spite of the fact that eBay, one of the most popular venues for such transactions, recently decided to ban them).

"People are willing to buy on the black market," said Javier Santoyo, senior manager of Symantec's security response team. "If players themselves were not willing to go outside the games to improve their characters, then there wouldn't be such a need."

But for players like Adam Satterfield, a 28-year-old IT consultant from Atlanta, the downside to having a WoW account hacked and subsequently banned goes beyond losing in-game assets.

Several months ago, Satterfield said, his computer was infected by keylogging software. His account was hacked, his assets were stolen and the account was banned.

"It's unfortunate to lose your in-game stuff," Satterfield said, "but what was really important was to play and hang out with my friends."

Once his account was deactivated, Satterfield said he had to go back and forth with Blizzard to prove his account truly belonged to him. All told, the process took nearly a month, and Blizzard ended up charging him for that month of service anyway.

Blizzard spokesperson Shon Damron said the company recommends using the Blizzard Launcher, a console that delivers WoW news and at the same time runs a scan of players' computers. If it finds something amiss, it alerts the player. Damron said Blizzard also recommends players use virus-scanning software.

Thompson agreed, and said the best thing a WoW user on a Windows machine can do is use the very latest Windows patches from Microsoft.

"The moral of the story is that if you patch, you're safe," Thompson said. "If not, be afraid, be very afraid. Complacency is the enemy."

Correction: Due to incorrect information supplied to CNET News.com, the name of Roger Thompson's company was incorrect in an earlier version of this story. He is chief technology officer of Exploit Prevention Labs.
Editorial standards