October 08, 2005
Recent World of Warcraft Account Compromises
Recently, a whole bunch of World of Warcraft (WoW) player accounts were compromised via a keylogger being installed on the users' machines. The infection epidemic was so bad that Blizzard Entertainment set up customer service lines for weekend support. This is in addition to the already existing weekday support hours. I read somewhere that the average wait time for customer support lines is currently about three hours. There are about four million WoW players worldwide. That should give you an idea how bad the situation is.
So, how did this happen? Well, there's a site called Allakhazam, which WoW players can reference to see neat statistics such as the average price auction items sell for. Apparently, some bad guy bought an ad on Allakhazam, which, when viewed with a vulnerable Internet Explorer browser, installs a keylogger on the IE host. The next time the player logs onto WoW, his/her account login and password are logged and sent to the attacker. Now, the attacker can log into WoW as that player, transfer game currency to other accounts, and do stuff like sell that game currency on eBay for real money. Ouch!
Why am I interested in this? Because 1) I play WoW, and 2) honeyclient technology can help to detect sites like Allakhazam, where in this case, the user didn't even have to click on the ad to get infected. I'm not saying that this is Allakhazam's fault - they just sold an ad to a bad guy. But, if honeyclients were widely deployed, there's a good chance someone would have found this malicious ad before the infection rate became so high, especially since the ad had already been up and running for several days, according to this Allakhazam post. By the way, Allakhazam has since removed the malicious ad.
I think the important question is: what's to stop this from happening again? This is clearly a viable business model. These attackers will probably not get caught - how will they even be traced? I could sit here and tell you to download and install the Firefox browser instead, but we all know that Firefox has its vulnerabilities too. So, those of us who are using Firefox are hoping that being part of a minority user group will protect us from being the low-hanging fruit that attackers look for first. But, the sad reality is that if those attackers should choose to, they can certainly target vulnerabilities in other browsers besides IE.
I'm starting to feel like a broken record player saying this, but we need to spend more time thinking about proactive detection technologies. The honeyclient is one of those technologies, and I'm glad to see other people have also thought about that besides me - I'm not the only one, or the first. However, we need to hit a critical mass of people who run honeyclients so that we have a chance of finding malicious sites and spreading the word about them before an infection epidemic like this happens.
Posted by Kathy at October 8, 2005 01:47 PM