There have been a lot of scares recently about AddOns having keyloggers in them. For the most part, it turned out to be ads on the sites that were the problem. And now we have the Fraps scare. Unfortunately, no one is immune and it's best to be as careful as possible. Recently, I came across another particularly sneaky way you could get keylogged.

I don't use many AddOns when I play. Cartographer, Auctioneer and Gatherer are pretty much it. I've tried tarting my UI up with some of the fancier mods, but I always come back to my minimalist setup. Because I don't use many, I don't have to upgrade very often and I always neglect to bookmark the appropriate download sites. I'm also a believer in convenience, so I make full use of my Firefox address bar to do my "searches". Firefox will either bring up a Google search for whatever I type in or it will bring up the closest webpage to what I have typed.

While the Incgamers malware problem is fixed, it looks like there's another malware flare up in the world of addons. The WoW Ace Updater, according to many users, may be passing off a trojan from an ad in the guise of an antivirus program. The program, called Winfixer, pops up in a window and (in some cases automatically) installs malware while claiming your computer is compromised and that you need to buy the full retail version to fix it. It can be detected and removed by Spybot Search and Destroy and Vundofix, and Symantec includes instructions on how to manually remove it here.

Wowace.com site owner Kaelten has disabled the ads on WoW Ace Updater completely for now, and is talking to his Ad provider to find out what went wrong and which ads might be causing problems.

This isn't the first time a popular WoW site has had trouble with trojans in ads, and unfortunately, it is unlikely to be the last. Kaelten seems to be on top of it, though, so hopefully he'll get to the bottom of these claims. Since the ads are currently disabled, the program itself should already be safe to use. If you're feeling a bit skittish, though, you can check out some of Sean's recommendations for other upgrade programs here.

I should note that, being a religious user of WoW Ace Updater myself (I run it at least a good 5 times a week), I just made sure to scan my computer with the aforementioned Spybot Search and Destroy as well as AVG Free Edition. According to those programs, It has a clean bill of health.

Yesterday, I reported to you that Google (via Stopbadware.org) had marked wowui.incgamers.com (which redirects to wowui.worldofwar.net) as a bad site. Today, the site is reported as clean according to the same report (you can check it out here).

Rushter of Incgamers.com explained to us on the comments of the previous article that the problem was with a seperate attack on a different hosted site (which was quickly dealt with, and unrelated to worldofwar.net, says Rushster), but Google marked the whole site as bad. The worldofwar.net UI database was unaffected, he says, and after some back and forth, Google has now dropped the warning.

Of course, it's still always a good idea to check your computer for viruses, trojans, and keyloggers regularly, and realize that no website is completely safe (though having a good defense always helps). That said, at the moment it looks like wowui.incgamers.com, also known as wowui.worldofwar.net, is a safe spot to grab your addons from.

Here at WoW Insider, we've noticed an unusual and disturbing glut of people having trouble with being keylogged or otherwise hacked soon after installing new addons lately (which wouldn't be a surprise -- lots of people were grabbing addons after patch 2.4, so that makes them a likely route for attackers). While it's too early to make any definite connections, It seems like there's one new lead that's just popped up: popular addon site wowui.incgamers.com (not linked for obvious reasons) is apparently passing off bad files, according to reports from Stopbadware.org and other anonymous sources.

If you've been using the site for your addons, especially in the past week or so, it might be a good idea to exercise some caution and run your favorite anti-virus or anti-malware program. The site has already been in trouble recently with reports that their UICentral addon updater (now discontinued) was using copyrighted code, and now it looks like there's more trouble abrewing for them.

Update: Wowui.incgamers not infested with malware. Full story here.

Hackers are getting more and more brazen lately, hiding various trojans and keyloggers not only in random forum links, but in ad banners and even in electronic devices. Even common sense avoidance of suspicious links and websites doesn't always seem to work anymore. Luckily, there are other tools you can use, such as the Noscript extension for the Firefox browser. Lifehacker reported on a new one yesterday as well: Anti Keylogger Shield for Windows.

This freeware program purports to work not by blocking installation of keyloggers, but by preventing them from logging your keys once installed. Lifehacker tested it by loading a keylogger and reported that it seemed to work, at least in that case, as the keylogger's log file was completely empty.

Of course, you probably shouldn't just install this program and go off clicking strange links willy nilly, but it does look like it could be one more line of defense in the ever escalating battle to protect your computer and your account from those who would steal it. Plus, it's free, so that's even better.

[Thanks for the forward, DrDiesel!]

Recently we've had several posts about being hacked, guild banks assaulted, and Blizzard's typical response. The Customer Service Forum is filled with threads started by desperate World of Warcraft players seeking the return of their accounts and belongings as a gesture of goodwill. It is our responsibility to keep our accounts safe from hackers.

I speak from experience when I say that being hacked is just dreadful. Although it is usually possible to have your account returned, there is usually significant damage done in the process. In the past, even Blizzard employees have had their accounts compromised. This post is designed to help you do the best you can to protect your World of Warcraft investment.

The worst part of the keylogging episode was that my Shaman was transferred from a PvP to PvE server. After about a week in limbo my beloved Tauren was returned to her proper place. I was extremely relieved. Unfortunately that's the only thing on my account that Blizzard was kind enough to restore. They refused to return any of my gear or gold and did nothing about the items ninjaed from the guild bank. I appealed their decision with several emails. Those appeals were ubiquitously denied despite logical arguments and heart-filled plights. I thought it was all over, for better or for worse.

I got more bad news in my email box the other day:

You'll want to be a bit more cautious when looking up information on the game today. World of Raids reports that an unknown ad banner appearing on Wowhead, Thottbot, and Allakhazam has an embedded keylogger trojan. You don't even need to click on the banner, apparently, simply mousing over it will be enough. Wowhead says that all they know for sure is that it originates from "ad.yieldmanager.com", and will produce a redirect to "xpantivirus.com." They're working at isolating it.

The issue is known, and all parties involved are tracking it down, so it should hopefully be resolved soon. In the meantime, if you're looking for a quick way to protect yourself, I would follow the recommendation of World of Raids, and try out the Firefox web browser and the No Script extension. As long as you keep the scripts blocked, it should prevent the banner in question from forcing itself on you. This should also provide you with some protection if you accidentally click on the wrong link elsewhere, such as on the WoW general forums.

Edit: Apparently, the virus in question is not an actual keylogger, but it still does a number on your system, which is reason enough to try to avoid it.

Hackers seem to be trying more and more ways to get legitimate accounts out of players hands and working to steal and farm more gold, but if you think they've had some sneaky schemes in the past, you ain't seen nothing yet. Our colleagues at Massively have a story that's both amazing and disturbing at the same time.

A lot of geeks found a digital photo frame under the tree this year. Seems like a good idea, I'm sure a lot of us have a pretty large collection of digital photographs stored on memory cards and flash drives that we just haven't quite gotten around to printing for display.

Unfortunately, certain frames sold at Best Buy, Target, Costco and Sam's Club come with an extra undocumented feature, in that they have a nasty little bug that's being dubbed Mocmex. The bug can burrow its way into your computer, latch itself in, and sniff out account information. It doesn't seem to affect Linux or Macs, at least not in its current form, but right now there doesn't seem to be a single manufacturer or frame type that's infected, so the origin of the bug hasn't been nailed down.

If you think you've got one of the infected picture frames, Massively recommends contacting the SANS institute and calling the store where the frame was purchased. You can check their story for the contact information.

The upside of this, I suppose, is that if the farmers are starting to branch into using peripherals to steal our accounts, they may be getting pretty desperate. The downside is, when we have people who practice safe web browsing and keep a clean computer getting bitten, like our Amanda Dean for example, we could be in some trouble. With any luck, all the major virus programs will have a cure for Mocmex and programs like it soon. In the meantime, it looks like we'll have to be extra careful about what we install on our computers, and make sure our anti-virus programs and firewalls are up to date.

My first post on WoW Insider was about a friend of mine being hacked, this time it's about me. I woke yesterday and tried to copy a character over to the public test realm as I've been doing often lately. I got a password error. I tried to log into my account- same thing. My email had this happy little surprise for me:

Hello Amanda,

The character transfers listed below have been completed as of 2/14/2008. The character[s] listed will now appear in the new location and/or account selected and are immediately available for play!

- <character> - Level 70 Tauren Shaman - now on realm: Blade's Edge.

On Saturday night I noticed a guildie acting strangely. He kept switching between characters and wouldn't respond to tells from even his closest friends in the guild. Concerned about him, we gave him a call... on the phone, to see what was up. You guessed it, he was nowhere near his computer at the time. He went to log in and found his password was changed. Unfortunately, he had also forgotten the correct response to his secret question "What is your favorite activity?"

The hacker kept running in and out of the Shadow Labyrinth. I checked the customer service forums and found that this was common behavior among hackers. Either there is an exploit in that instance, or hackers just really enjoy hanging out with Blackheart the Inciter. I'm leaning toward the latter.

Evidently attendees of BlizzCon have begun receiving emails claiming that Wrath of the Lich King Beta will begin in only three weeks. According to Bornakk, these emails are a hoax, and the original statement provided regarding such a beta still holds. There is currently no WotLK beta, and should one be in the works, there would be an announcement on the official site.

As always, please remember to be especially cautious when asked to provide any account information. Do a search to find out if anyone else has received the same requests, and under what circumstances. If you are concerned about keylogging programs, refer to our guide on protecting your system.

Update: Despite the fact that the rumors, and emails, have been floating around for a little while, Bornakk's official response came yesterday.

Early in the week, we profiled some new features at WoW Digger. The item database site is expanding into quest and faction tracking as well as equipment comparison and wishlists. Until now, getting your character set up on their site required installing their executable program. With all the keylogger activity of late, many interested players were wary of running any executable on their machine.

WoW Digger has come through with a non-executable method of getting your character info into their system. When you create an account on the site, you can tell it to pull your profile off of the Armory instead. Then you can go crazy with the equipment comparison.

This method, however, won't collect your current quest list or track your faction levels. And those two features are the two I enjoy the most. I personally feel this site is legitimate and will be using their executable to get the most out of it.

This isn't the first time we've heard this, but recently PC World has reported that your virtual assets may worth more than your real assets. From the article:

According to Craig Schmugar, a researcher with the McAfee research labs, McAfee now sees more password-stealing malware designed to nab accounts of games like Lineage and World of Warcraft than Trojans that go after financial accounts.

Why? Your in-game assets can easily be converted to cash and there's much less legal risk involved in trafficking virtual goods than trafficking, say, stolen credit card numbers. So treat this as a reminder: be careful of keyloggers! (And if you're not sure how, read up on our advice on how to keep your system keylogger-free.)

It's raid night. You've farmed your mats, topped off your repair fun and loaded up on pizza and cola. But for some reason you can't log on. You're sure you typed in the right password, but no go. You IM you guildie: "Are the servers down? I can't get in." His reply sends chills down your spine: "We just saw you at the bank. Why was your toon naked?"

Years of hard work gone. Someone else accessed your account and stripped your main of all his gold, bank items and tradable equipment. "But I don't give my password to anyone!" you wail. You don't have to, the keylogger program knows it anyway.

What's a keylogger? It's a small, virus-type program that can accidentally be installed on your computer. How might a keylogger be installed on your system?

• Visiting an untrustworthy web site. Some sites may have code in them that exploit your web browser and cause it to quietly install a keylogging application without your permission. (Note: even turstworthy sites can be hacked! The same hackers who are after your information can hack what you think of as trustworthy sites and add exploit code to them which could give you a keylogger.)
  
• Downloading addons (or other files) from an untrustworthy site. Any executable file you download could contain a keylogger or virus, so before you download a file, be sure you're downloading it from a source you trust!

Once a keylogger gets installed, it starts recording every keystroke you make. And when you type in your account name and password for your WoW account, it captures that, too. The next time you access the Internet, it sends your private information to the hackers who use it to log into WoW and strip all your characters of everything valuable leaving you with a penniless toon wearing nothing but his trousers.

This all sounds pretty scary, but don't worry -- there are ways to protect yourself from keylogging programs!