A recent campaign that combines phishing with malware distribution, aimed at World of Warcraft (WoW) players, is a fresh reminder of how exposed online identities are.
The credentials gamers use to access their accounts can themselves become a vector for spreading malware. From this point of view, World of Warcraft deserves close attention because of its enormous player base and the value its accounts have for cybercriminals.
The recently launched phishing campaign, which misuses the game's visual identity, asks users to update their account details by following a link that supposedly lets them log in to the game. The link actually leads to a fake WoW web site that relies on several PHP scripts to harvest whatever the victims type in.
Fig. 1 The fake web page used in the phishing campaign
Once they have entered their WoW account name and password, the unsuspecting users are asked for further sensitive information, such as their e-mail address and the answer to a secret question. Notably, the form through which these data are submitted is titled "Mounts Application Trial", which is likely to be a persuasive element for WoW connoisseurs. According to the game's description, "mounts" are creatures that players can own and ride in order to travel faster. To get the whole picture of a mount's importance, suffice it to say that it is a "status symbol" and that it cannot be attacked by monsters. And on we go!
Despite the enticing lure, this last request should make players raise an eyebrow in distrust, to say the least: the list of secret questions they are asked to choose from is the standard set offered when creating an e-mail account, not anything specific to the game. Combined with the e-mail address collected on the same form, that answer is exactly what is needed to reset the password of the victim's mailbox, and with it any account tied to that mailbox.
Fig. 2 The second step of the sensitive data harvesting scheme
To make sure they get all of the information gamers are handing them on a silver platter, the cybercriminals "generously" present their victims with a piece of malware related, of course, to online games. To crown it all, the final window reassures the players that their application (for a nice Trojan, mind you!) was successful.
Fig. 3 The finishing touch of the phishing scheme
Identified by BitDefender as Trojan.PWS.OnlineGames.KDEU, the malware follows a well-defined routine.
First, it makes sure it survives a system restart by writing autorun.inf files that automatically launch copies of it.
Second, it copies itself to the root of every local drive and to the current user's temporary folder. In the latter location it also drops a .dll file; this DLL is injected into the address space of the explorer.exe process and runs from there, stealing the passwords of various online games. Every two minutes it re-creates the autorun.inf file in the root folder of every local partition, so that deleting the file does not stop the autorun-based replication.
The copy is registered under a new value in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run so that it is launched at system start-up, and the original Trojan executable then deletes itself, leaving no trace of the file the victim downloaded.
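As an added example (not part of the original article, and not BitDefender's or the malware's own code), the following Python script checks a host for the three artefacts the routine above leaves behind: an autorun.inf on a drive root that launches a file, an HKCU Run value pointing into a temp folder, and a DLL loaded into explorer.exe from a temp folder. The autorun.inf parser, the temp-folder pattern and the sample data (file names such as dropper.exe and pws.dll) are constructed for illustration and do not describe the real sample; only the HKCU Run collector reads a live (Windows) host.

```python
"""Triage helpers for the persistence and injection indicators described above.
Constructed example; the detection functions are pure so they run offline on
sample data, and hkcu_run_values() reads a live Windows host with the stdlib."""
import re
import sys

# A path under a temp folder: "...\Temp\x.dll", "%TEMP%\x.exe", "C:\tmp\x".
_TEMP_RE = re.compile(r"(\\|%|^)(temp|tmp)(\\|%|$)", re.IGNORECASE)


def parse_autorun_inf(text):
    """Minimal INI parser for autorun.inf: {section: {key: value}}.
    Section and key names are lowercased; ';' and '#' start comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def _program(command):
    """First token of a command line, honouring a quoted program path."""
    if command.startswith('"') and command.count('"') >= 2:
        return command[1:command.index('"', 1)]
    return command.split()[0]


def autorun_launch_targets(text):
    """Programs an autorun.inf would start via its 'open' or 'shellexecute'
    entries (the keys Windows honours for launching a file). Empty if none."""
    auto = parse_autorun_inf(text).get("autorun", {})
    return [_program(auto[key]) for key in ("open", "shellexecute") if auto.get(key)]


def suspicious_run_entries(run_values):
    """run_values: {value_name: command} from the HKCU Run key. Flags commands
    that start something from a temp folder, as the Trojan's Run value does
    for the copy dropped in the user's temporary folder."""
    return {name: cmd for name, cmd in run_values.items() if _TEMP_RE.search(cmd)}


def suspicious_explorer_modules(module_paths):
    """Module paths loaded by explorer.exe; a DLL from a temp folder matches
    the injected password stealer described above."""
    return [path for path in module_paths if _TEMP_RE.search(path)]


def triage(drive_autoruns, run_values, explorer_modules):
    """drive_autoruns: {drive_root: autorun.inf text or None}. Returns one
    human-readable finding per matching indicator."""
    findings = []
    for root, text in drive_autoruns.items():
        for target in autorun_launch_targets(text or ""):
            findings.append(f"{root}autorun.inf launches {target}")
    for name, cmd in suspicious_run_entries(run_values).items():
        findings.append(f"HKCU Run value {name!r} starts {cmd} from a temp folder")
    for path in suspicious_explorer_modules(explorer_modules):
        findings.append(f"explorer.exe has loaded {path} from a temp folder")
    return findings


def hkcu_run_values():
    """Live collector: values of the HKCU Run key (returns {} off Windows)."""
    if sys.platform != "win32":
        return {}
    import winreg
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    try:
        return {winreg.EnumValue(key, i)[0]: str(winreg.EnumValue(key, i)[1])
                for i in range(winreg.QueryInfoKey(key)[1])}
    finally:
        winreg.CloseKey(key)


if __name__ == "__main__":
    # Constructed sample data; the file names are invented for illustration.
    for finding in triage(
        {"C:\\": "[AutoRun]\r\nopen=dropper.exe\r\nicon=dropper.exe,0\r\n", "D:\\": None},
        {"Updater": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
         "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
        [r"C:\Windows\explorer.exe", r"C:\Windows\System32\ntdll.dll",
         r"C:\Users\alice\AppData\Local\Temp\pws.dll"],
    ):
        print(finding)
```

Feed triage() with data gathered from the host: the text of each drive root's autorun.inf, the output of hkcu_run_values(), and the module paths of explorer.exe (for example from PowerShell's Get-Process explorer, reading the FileName of each entry in Modules). Any one indicator on its own is not proof of this particular Trojan, but a temp-folder DLL inside explorer.exe together with a fresh autorun.inf on every local drive is the combination the routine above produces.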