03-31-10, 03:34 PM   #1
quasipolymath
A Deviate Faerie Dragon
Join Date: Mar 2010
Posts: 12
Near-instant account breach

I installed Minion last night, updated a few addons, logged in and out of WoW and went to bed. This morning, my battle.net creds were cleared, all of my toons had been logged into and my account was on temporary ban. Checking last login times indicates that it was less than three hours after I installed and used Minion. I'm livid. I should note that I would be less willing to point fingers if this hadn't happened on a fresh windows install on which I have only installed Symantec Endpoint, Firefox, WoW, Curse Client, and Minion. Everything else was installed over a week ago. Seriously, what the hell is going on here?
03-31-10, 03:49 PM   #2
mankeluvsit
An Onyxian Warder
Join Date: Sep 2008
Posts: 354
Originally Posted by quasipolymath View Post
I installed Minion last night, updated a few addons, logged in and out of WoW and went to bed. This morning, my battle.net creds were cleared, all of my toons had been logged into and my account was on temporary ban. Checking last login times indicates that it was less than three hours after I installed and used Minion. I'm livid. I should note that I would be less willing to point fingers if this hadn't happened on a fresh windows install on which I have only installed Symantec Endpoint, Firefox, WoW, Curse Client, and Minion. Everything else was installed over a week ago. Seriously, what the hell is going on here?
i don't even think minion asks for your wow credentials (i've never run it on my pc). but you should contact blizzard about this. not wowui.
03-31-10, 03:50 PM   #3
Petrah
A Pyroguard Emberseer
AddOn Author
Join Date: Jan 2008
Posts: 2,988
You most certainly did not get infected by using Minion. That's a guarantee.

I find it hard to believe that wow hackers will change overnight.. they have never hacked a wow account via a freshly infected machine. Keyloggers have always sat on an infected machine for several months before an account gets hacked into.
__________________
AddOn Authors: If your addon spams the chat box with "Addon v8.3.4.5.3 now loaded!", please add an option to disable it!
03-31-10, 03:59 PM   #4
Gsusnme
A Wyrmkin Dreamwalker
AddOn Author
Join Date: Jun 2008
Posts: 55
I would agree with Petrah, generally if your account info is stolen, you don't know about it until some time later.
Either this is a case of coincidental bad timing (e.g. your info was stolen 6+ months ago and they only JUST used the info and now to you it looks like something other than it is.); or this was some kind of very personal attack in which case you may want to look more closely at someone who may have had access to your pc, your wifi, or check for any physical key-loggers plugged into your machine.

And of course, contact Blizzard support A.S.A.P. and let them know what happened, and make sure you have changed your password.
03-31-10, 04:00 PM   #5
quasipolymath
A Deviate Faerie Dragon
Join Date: Mar 2010
Posts: 12
Originally Posted by mankeluvsit View Post
i don't even think minion asks for your wow credentials (i've never run it on my pc). but you should contact blizzard about this. not wowui.
Thanks for the helpful reply, random person with no experience using minion. I have already run through the paces with Blizzard regarding my account. I came here, to the minion subforum, because the last thing I did before my account got hacked was to install minion. Apparently this was the wrong thing to do somehow?
03-31-10, 04:08 PM   #6
quasipolymath
A Deviate Faerie Dragon
Join Date: Mar 2010
Posts: 12
Originally Posted by Gsusnme View Post
I would agree with Petrah, generally if your account info is stolen, you don't know about it until some time later.
Either this is a case of coincidental bad timing (e.g. your info was stolen 6+ months ago and they only JUST used the info and now to you it looks like something other than it is.); or this was some kind of very personal attack in which case you may want to look more closely at someone who may have had access to your pc, your wifi, or check for any physical key-loggers plugged into your machine.

And of course, contact Blizzard support A.S.A.P. and let them know what happened, and make sure you have changed your password.
Done, done, and done. To respond: NOBODY could have had access to any of my hardware physically at 4:30 in the morning with me asleep in the next room of my own house, except my dog. I run pretty strict and redundant encryption/security on all of my pcs and my wifi. Running deep virus scanning multiple times this afternoon turned up nothing. This isn't surprising, since (as I said) I'm running on a fresh Vista install and (as I didn't say) I don't use that particular PC for anything but WoW, not even browsing the web. I have since changed my password and added an authenticator to the account.

HOWEVER. The last thing I did before all of this happened was install minion. 3 hours later, boom, account hack.
03-31-10, 04:08 PM   #7
mankeluvsit
An Onyxian Warder
Join Date: Sep 2008
Posts: 354
Originally Posted by quasipolymath View Post
Thanks for the helpful reply, random person with no experience using minion. I have already run through the paces with Blizzard regarding my account. I came here, to the minion subforum, because the last thing I did before my account got hacked was to install minion. Apparently this was the wrong thing to do somehow?
you are quite welcome sir /sarcasm. as everyone else has stated there would be no way that minion did this, you were hacked/keylogged (just a guess) weeks ago, they decided to take your account. contact blizzard. UNLESS you downloaded minion from somewhere else. the possibilities are endless how your account got hacked.

don't download third party programs. unless you know fer sure where it's coming from.

http://forums.worldofwarcraft.com/th...32280066&sid=1
http://forums.wow-europe.com/thread....02690401&sid=1
03-31-10, 04:20 PM   #8
ravagernl
Proceritate Corporis
Premium Member
AddOn Author
Join Date: Feb 2006
Posts: 1,176
If you need to prove that Minion got your account credentials sent to someone else, you can go and open up the .jar files in a zip file manager (they are actually zip files renamed to .jar), and read through the code.

There is no way Minion gained your account credentials. Ask any java programmer, they will tell you the same.

Unless you downloaded Minion from a different site other than minion.mmoui.com, that is.

Last edited by ravagernl : 03-31-10 at 04:25 PM.
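Post #8's suggestion to open the .jar files as zip archives and read the code can be started with a quick triage pass. The Python sketch below is an added example, not part of the thread and not Minion's code: it walks each .class entry's constant pool and lists references to networking or process-launching JDK APIs, using a constructed in-memory jar and an assumed watch list.

```python
import io
import struct
import zipfile

# Payload sizes (bytes after the tag) for the fixed-width constant pool entries.
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Assumed watch list: JDK APIs that can open connections or start processes.
WATCH = ("java/net/", "javax/net/", "java/nio/channels/Socket",
         "java/lang/Runtime", "java/lang/ProcessBuilder")

def utf8_constants(data):
    """Yield every CONSTANT_Utf8 string from a class file's constant pool."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pos, index = 10, 1
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == 1:  # Utf8: u2 length followed by the bytes
            (length,) = struct.unpack_from(">H", data, pos)
            yield data[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        elif tag in CP_SIZES:
            pos += CP_SIZES[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        index += 2 if tag in (5, 6) else 1  # long/double occupy two slots

def audit_jar(jar_bytes):
    """Map each .class entry to the watched API names it references."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            hits = sorted({s for s in utf8_constants(jar.read(name))
                           if s.startswith(WATCH)})
            if hits:
                findings[name] = hits
    return findings

def make_stub_class(strings):
    """Constructed sample: class-file header plus a Utf8-only constant pool."""
    body = b"".join(b"\x01" + struct.pack(">H", len(s.encode())) + s.encode()
                    for s in strings)
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 50, len(strings) + 1) + body

def make_sample_jar():
    """Constructed jar: one stub that references java/net, one that does not."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("example/Updater.class",
                     make_stub_class(["java/net/URL", "openStream"]))
        jar.writestr("example/Ui.class", make_stub_class(["javax/swing/JFrame"]))
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_jar(make_sample_jar()))
```

A hit only says where to start reading; an updater is expected to reference java/net, and class names assembled at run time through reflection will not show up in this listing.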
03-31-10, 04:28 PM   #9
Dolby
PPAP
WoWInterface Admin
Join Date: Feb 2004
Posts: 2,339
Make sure to update your flash and adobe acrobat reader. Right now most keyloggers are taking advantage of people who have the older versions with the exploits to get their keylogger to you. Some hacked sites will start a pdf download that is infected, others display infected flash ads or site elements. So I would go to adobe.com and update flash and reader asap.

Also Minion will never have you enter your wow account login info. Heck it doesn't even run when WoW is running.

Like others said, it's java and you can look at the source code yourself.

Make sure your virus/malware scanner is up to date and do a full scan. If it finds anything post all the information here so we can help you figure out where it came from.

Update: The latest scam going around is this: http://www.wow.com/2010/03/31/new-sc...gets-launcher/

Last edited by Dolby : 03-31-10 at 04:35 PM.
03-31-10, 04:28 PM   #10
notthepop
A Kobold Labourer
Join Date: Apr 2009
Posts: 1
If you had a fresh install of Operating System, WOW and other addons... Then I would look deeper into your old comp for the hacking code, Virus or keylogger...
03-31-10, 04:34 PM   #11
Shirik
Blasphemer!
Premium Member
WoWInterface Super Mod
AddOn Author
Join Date: Mar 2007
Posts: 818
Did you change your password before reinstalling your OS?

It is rare that account data is acted upon immediately. Often times there are month-long gaps or more before your account is actually broken into. Changing passwords frequently goes a long way to act as a stop-gap.

I find it extremely unlikely that any program you installed would lead to your account being compromised overnight.

That being said I'm looking into the integrity of the components.
__________________
I did see one era come to an end
with my own eyes
But that my own turn comes next
is something I didn't want to know
It's my turn next.

Shakespeare liked regexes too!
/(bb|[^b]{2})/
03-31-10, 04:43 PM   #12
quasipolymath
A Deviate Faerie Dragon
Join Date: Mar 2010
Posts: 12
Originally Posted by Dolby View Post
Make sure to update your flash and adobe acrobat reader. Right now most keyloggers are taking advantage of people who have the older versions with the exploits to get their keylogger to you. Some hacked sites will start a pdf download that is infected, others display infected flash ads or site elements. So I would go to adobe.com and update flash and reader asap.

Also Minion will never have you enter your wow account login info. Heck it doesn't even run when WoW is running.

Like others said, it's java and you can look at the source code yourself.

Make sure your virus/malware scanner is up to date and do a full scan. If it finds anything post all the information here so we can help you figure out where it came from.
As per previous message, I don't have either a.) an old version of flash or b.) any version whatsoever of acrobat reader. On the malware scanner, I have a brand new and fully-up-to date enterprise version of Symantec Endpoint provided by my employer. Scanning with the most aggressive scan available returns nothing, as it shouldn't. The only pieces of 3rd party software on this rig are WoW, Firefox, the aforementioned virus utils, Curse Client, and Minion. I have only accessed the internet to download the above.

The only other pc I have ever used for WoW is my mac. This is my work computer and it is so aggressively locked down, it's laughable. Process scans have turned up no keyloggers. Also, I have never shared any information on anything with anyone and have never corresponded about my account online, even with Blizzard employees, until today.

Taking all this into account, I find it more than an odd coincidence that I install this software and suddenly I am hacked. Also, I should note that MMOUI minion does have a creds page in the options. I filled this in.

Update: I should also note that, despite suggestions to do so, I can't look at any of the minion source code because I wiped it, Curse, and my WoW install off of the PC. I'm not planning on putting anything else on the PC for a while.

Update 2: My account was reset at the battle.net level prior to any unauthorized access. I'm not sure if this is somehow significant.

Last edited by quasipolymath : 03-31-10 at 04:51 PM. Reason: Updates
03-31-10, 04:45 PM   #13
mankeluvsit
An Onyxian Warder
Join Date: Sep 2008
Posts: 354
Originally Posted by quasipolymath View Post
As per previous message, I don't have either a.) an old version of flash or b.) any version whatsoever of acrobat reader. On the malware scanner, I have a brand new and fully-up-to date enterprise version of Symantec Endpoint provided by my employer. Scanning with the most aggressive scan available returns nothing, as it shouldn't. The only pieces of 3rd party software on this rig are WoW, Firefox, the aforementioned virus utils, Curse Client, and Minion. I have only accessed the internet to download the above.

The only other pc I have ever used for WoW is my mac. This is my work computer and it is so aggressively locked down, it's laughable. Process scans have turned up no keyloggers. Also, I have never shared any information on anything with anyone and have never corresponded about my account online, even with Blizzard employees, until today.

Taking all this into account, I find it more than an odd coincidence that I install this software and suddenly I am hacked. Also, I should note that MMOUI minion does have a creds page in the options. I filled this in.
out of the hundreds and thousands of users that minion has, they decided to keylog you [;
03-31-10, 04:45 PM   #14
ravagernl
Proceritate Corporis
Premium Member
AddOn Author
Join Date: Feb 2006
Posts: 1,176
Originally Posted by quasipolymath View Post
Also, I should note that MMOUI minion does have a creds page in the options. I filled this in.
These are the credentials used for wowinterface, not for world of warcraft. Even when it was for your wow creds, why would you fill them in? You don't seem to be the person that would do such a thing.

Last edited by ravagernl : 03-31-10 at 04:53 PM.
03-31-10, 04:51 PM   #15
Dolby
PPAP
WoWInterface Admin
Join Date: Feb 2004
Posts: 2,339
Shirik is going over the source code on our server. However we haven't received any other reports yet. Also malware/virus scanners would detect most keyloggers if one was somehow embedded in the software.

From the information you've given to me it's either you were keylogged before your os re-install and since your login cred was the same after your os install your logged info was finally used by them. Thus not being able to find anything on your end after. Or you were tricked to enter your login cred somewhere other than the real location (which I doubt since you seem fairly up on things but they can be tricky). Another possibility is if you use the same login/password on another site/game and that was compromised and they tried it on wow.

I do agree that it's strange that it happened just as you installed those above programs. But I think at this point it's a big coincidence. Like I said Shirik is checking the source code of our app and we will let you know. None of the checks in place server side shows a breach in our security.

Last edited by Dolby : 03-31-10 at 04:56 PM.
03-31-10, 04:55 PM   #16
quasipolymath
A Deviate Faerie Dragon
Join Date: Mar 2010
Posts: 12
Originally Posted by mrruben5 View Post
There is no way Minion gained your account credentials. Ask any java programmer, they will tell you the same.
As a java programmer (and CS PhD) myself, I can say that you can't possibly stand by this statement.
03-31-10, 04:58 PM   #17
quasipolymath
A Deviate Faerie Dragon
Join Date: Mar 2010
Posts: 12
Originally Posted by Dolby View Post
Shirik is going over the source code on our server. However we haven't received any other reports yet. Also malware/virus scanners would detect most keyloggers if one was somehow embedded in the software.

From the information you've given to me it's either you were keylogged before your os re-install and since your login cred was the same after your os install your logged info was finally used by them. Thus not being able to find anything on your end after. Or you were tricked to enter your login cred somewhere other than the real location (which I doubt since you seem fairly up on things but they can be tricky). Another possibility is if you use the same login/password on another site/game and that was compromised and they tried it on wow.

I do agree that it's strange that it happened just as you installed those above programs. But I think at this point it's a big coincidence. Like I said Shirik is checking the source code of our app and we will let you know. None of the checks in place server side shows a breach in our security though.
You're probably right. It seems more likely that my password was obtained through social means rather than invasive ones. Thanks, guys. I appreciate everyone's responses.
03-31-10, 05:01 PM   #18
quasipolymath
A Deviate Faerie Dragon
Join Date: Mar 2010
Posts: 12
Originally Posted by mrruben5 View Post
These are the credentials used for wowinterface, not for world of warcraft. Even when it was for your wow creds, why would you fill them in? You don't seem to be the person that would do such a thing.
Likely due to a mix of 2am and stupid. To be fair, a lot of stupid.
03-31-10, 05:01 PM   #19
ravagernl
Proceritate Corporis
Premium Member
AddOn Author
Join Date: Feb 2006
Posts: 1,176
Originally Posted by quasipolymath View Post
As a java programmer (and CS PhD) myself, I can say that you can't possibly stand by this statement.
Heh, you're right. But what I meant was, if you can find the malicious code in Minion, please post where you found it. I should have used the words that Minion most likely has not gained your account credentials.
03-31-10, 05:05 PM   #20
quasipolymath
A Deviate Faerie Dragon
Join Date: Mar 2010
Posts: 12
Originally Posted by mrruben5 View Post
Heh, you're right. But what I meant was, if you can find the malicious code in Minion, please post where you found it. I should have used the words that Minion most likely has not gained your account credentials.
True. I probably put my password somewhere it didn't belong. Sorry for coming across as a douche.