Here at WoW Insider, we've noticed an unusual and disturbing glut of people having trouble with being keylogged or otherwise hacked soon after installing new addons lately (which wouldn't be a surprise -- lots of people were grabbing addons after patch 2.4, so that makes them a likely route for attackers). While it's too early to make any definite connections, it seems like there's one new lead that's just popped up: popular addon site wowui.incgamers.com (not linked for obvious reasons) is apparently passing off bad files, according to reports from Stopbadware.org and other anonymous sources.
If you've been using the site for your addons, especially in the past week or so, it might be a good idea to exercise some caution and run your favorite anti-virus or anti-malware program. The site has already been in trouble recently with reports that their UICentral addon updater (now discontinued) was using copyrighted code, and now it looks like there's more trouble abrewing for them.
Update: Wowui.incgamers not infested with malware. Full story here.

Reader Comments (Page 2 of 3)
4-14-2008 @ 5:39PM
Druid dude said...
There are plenty of malware makers targeting Firefox these days, so just using Firefox doesn't make you safe. The problem with the no-script thing is a social one; people will start tagging tons of sites as safe, allowing scripts to run (which you have to do in order for the sites' UI to work at all). Firefox + no-script =/= safe.
Multiple lines of defense are wise in this day and age.
1) Good anti-crapware helps tremendously. Personally I am quite fond of the public beta of VIPRE so far, but there are others that are also effective. Make sure it has active protection, and set it up to run a scan every night (not during your play times of course lol!)
2) Windows Firewall will not keep you all that safe, but it does actually help a bit. By itself, you're pretty naked. But as part of a multiple defense strategy, eh, it helps a little.
3) Here comes the heresy: Windows? Use Vista. XP was always full of holes, swiss cheese that made for a very easy target. Vista's default settings add several defensive features that actually do help. Just don't run under an admin account (Vista, XP, anything) and you are fairly safe. Not 100%, not by a long shot, but fairly safe.
4) Patches. Keep your OS patched, and your anti-crapware up to date.
5) Do NOT do NOT do NOT use the recently popular 'addon updater' programs. They are executable programs that must be installed on your machine, those are the ones I am talking about. Yes, it came from a nice safe website. No, I still don't trust it, neither should you. Yes, I realize you have a friend who has a friend who uses Updater XYZ and has NEVER been hacked. No, I still won't do it, neither should you. This is a disturbing trend. Something bad gonna happen on a large scale at some point with these things. Don't become a statistic when it does, or beforehand even.
6) Copy and Paste your username and password. Yes I know, many modern keyloggers can and will read your Windows clipboard from memory and log it as well. I also know that many common keyloggers can't do that. Again, it's another layer. If copying and pasting is your only security measure, all your toons are belong to China. But as one more thing you can do to reduce your chances of being hacked and wacked, it's worth the extra 3 seconds each time you log in.
7) Common sense! This is the hardest one! Don't give your account info to anyone, ever, never. No really, DON'T DO IT. Not your girlfriend, your guildies, your brother. Nobody. No, that website is really not a beta signup for Wrath.
8) Don't log in to the WoW forums from any computer that you are not 100% confident about. Are you totally certain that your buddy's machine is secured? Do you really want to risk all your characters just to respond to yet another troll thread by some level 1 alt on the WoW Forums? Don't.
There is more you can do of course, but these are a decent start.
4-14-2008 @ 5:42PM
Tridus said...
That site seems to have a lot of problems with keyloggers over the years. It's a shame, because in terms of actually finding addons easily it's my favorite site.
4-14-2008 @ 6:09PM
Matt A said...
From reading these comments, it seems there are two primary ways you can get keylogged:
1) Install an executable that contains a keylogger, OR
2) Be running compromised code through your browser that is actively logging keystrokes or monitoring memory.
Assuming these are the major keylog methods, you can probably protect yourself pretty thoroughly by being abstinent of third party mod exe files, and either running Firefox + NoScript, or not running your browser while you play WoW.
I am not an IT professional, so please fill in the blanks that I have left if you are one. But it seems relatively easy to me to avoid getting hacked if you're aware of your browsing environment and are active in controlling it.
4-14-2008 @ 7:23PM
darian said...
You are incorrect on #2.
It isn't that your browser is running the virus itself, but that it downloads the virus, which then buries itself in the cavernous reaches of your computer and begins its malicious work.
So you have effectively three defenses against viruses.
1) Don't let it get in. Firewalls, more secure browsers with script-disabling addons, and sensible browsing (/keylogger) are the staples here.
2) Don't let it get out. If the virus can't phone home, it can't function properly. Software which prevents suspicious network traffic (such as ZoneAlarm) helps you here.
3) Destroy it. This is, unfortunately, less effective than anyone would like. Anti-virus software is key, and will cover this and partially help the other two. However, chances are you won't know to run the virus/spyware scan until you've already lost everything.
4-14-2008 @ 6:28PM
ee said...
If what you're saying is true, then Blizzard should stop crying about gold buyers and just tell Warden to check that memory access.
-----
"WoW password stealers typically do not rely on detecting keystrokes - instead they monitor the actual memory addresses where the WoW client stores your account name and password."
4-14-2008 @ 6:31PM
Dimitrios said...
Or you can run out and buy a Mac and not care about all these keyloggers targeting Windows machines.
Now for the longest time I used wowui to update my addons, then I switched to the wowace updater, and currently I use wowmatrix. I found the all in one programs a huge benefit, especially when I have a lot of addons installed.
4-14-2008 @ 6:40PM
Frank said...
i run on a mac, and i'm not trusting it implicitly, and neither should you. we are still vulnerable. there are lots of documented cases of people with macs being hacked -- several examples have been mentioned here in other topic threads.
4-14-2008 @ 6:50PM
Verified Insanity said...
Uhh, no.
You fail if you really think that your mac will protect you.
A previous article in fact included that the victim was using a MAC.
Welcome to the internet.
4-15-2008 @ 1:04AM
Hone Melgren said...
To the 2 previous posters and everyone -
Let's be clear here. The attack vector consisting of a keylogger on a mac is not currently possible - I've seen no proof of a piece of malware that installs a keylogger without notifying the user that can be installed on a macintosh computer running OS X.
That's not to say other forms of attack aren't possible - only the one that uses an installed keylogger currently is.
4-14-2008 @ 7:42PM
Faar said...
It's worth noting that worldofwar's front page does not mention anything about being tagged as carrier of malware, as of right now anyway.
One might interpret this in several different ways, for example one being that incgamers is unaware of their current status, or that they're suppressing the news to not scare people away... >.>
4-14-2008 @ 10:22PM
Mythor said...
It's that second one you mentioned, suppressing the news.
This would not be the first time the WoW IncGamers staff have deliberately suppressed complaints, including that their crappy UICentral program was deleting mods for no reason, something you would think people would like to know before installing it.
Rush is currently in the Shoutbox on the site claiming it's a false reading and he's getting it sorted with "google chumps". Whether you trust that or not is up to you. There's plenty of alternatives out there though.
4-14-2008 @ 10:27PM
Cairenn said...
There is one comment on their site, if you really go digging. It's in their shout box that you can see on the ui section of the site. "Rushster: Guys its a false reading. We are getting it sorted with google chumps (15 hours ago)"
4-15-2008 @ 3:18AM
Bloodthorn said...
hasn't there like been that kind of problem with that site before? first I thought this was old news, find it hard to understand why people keep coming back to something that didn't work before, and with obvious security issues...
these days wowace is teh win, and it's both easy and reliable
4-15-2008 @ 6:32AM
Rushster said...
Just to clarify. It is a false reading; it pertains to the incgamers domain due to a hosted site having been infiltrated last week. The way google works is if one subdomain gets attacked, all subdomains are flagged. As the site is now on wowui.worldofwar.net, and has been for some time, you will see it is fine (browse using the correct URL). Google have been alerted and so have stopbadware.org, the organisation that deals with this rather silly system of site flagging.
Regarding UIC, an unfortunate incident we would not tolerate so it was removed right away. Needless to say a new better app is now in the works for both Mac and PC.
4-15-2008 @ 6:37AM
Rushster said...
Note Google has unflagged the site as I suggested they would in the news on WoWUI. Drama over :)
4-15-2008 @ 7:42AM
Leord said...
Just have to say I'm quite disappointed in Daniel Whitcomb for posting a blog entry like this.
Thumbs down.
4-15-2008 @ 8:30AM
pb said...
not surprised at all, I've known they were bad for awhile now, signed up for their DB (wowdigger) using a very specific email address and I instantly started getting spam email at that address (an address I created specifically for their site). I contacted them about this and the reply I got was "they were surprised how this could happen". The more I dug the more I found of people reporting spam and malware from their site.
They are either in bed with spammers or they are hopelessly hacked by spammers, either way I stay away from them like the plague.
4-15-2008 @ 8:33AM
Rydolomo said...
I run WoW from the launcher as advised somewhere. I think this runs Warden.
However, does Warden only check for EULA violations such as bots and teleporters? or does it check for keyloggers?
I suspect an effective checker program will have to update its signature files like an AV program. But Warden would only be updated as a patch.
However I also run on Vista, update my AV and run regular spyware checks and don't run any crapware and don't use any Addon installers. My password is also a mix of numbers and characters which is not a real word.
Rydolomo
4-15-2008 @ 12:49PM
Theserene said...
Warden does not check for keyloggers.
4-15-2008 @ 9:53AM
Rushster said...
Regarding spam. Please don't pass on such info as above as it's pure speculation and rubbish. We do not hand out any email addresses (and never have done for the 10 years we have been running the sites) and if you posted an email address anywhere on the net chances are it will be picked up by someone. If we get a report on anyone having spam mail issues we look into it, if we can not find any problem then there is not much we can do about it. People are responsible for their own email addresses and that is something as a site we can not check.