Playing Games with Your E-Self.

Here is the Cybercriminal Guild!

These days, a combined phishing and malware distribution campaign targeting WoW users reignites the question of cyber identities’ vulnerability.

The authentication tools gamers use in order to access their accounts can sometimes be exploited for malware spreading purposes. From this point of view, World of Warcraft is worth paying close attention to because of its extreme popularity and its implicit value for cybercriminals.

The recently launched phishing campaign, which fraudulently exploits the game’s visual identity, requires users to update their account details by following a link allegedly allowing them to log in to the game. This link actually redirects them to a fake WoW web site which deftly uses several PHP scripts in order to pilfer their sensitive data.

Fig. 1 The fake web page used in the phishing campaign

Once they have filled in their WoW Account Name and Password, the unsuspecting users are requested to provide more sensitive information, such as their e-mail address and an answer to a secret question. Note that the form through which these data are submitted is entitled “Mounts Application Trial”, which may count as an important persuasive element among WoW connoisseurs. According to the game’s description, “mounts” are pets that players can own and use as means of travelling faster. To get the whole picture of a mount’s importance, suffice it to say that it is a “status symbol” and that it cannot be attacked by monsters. And on we go!

Despite the enticing lure, this last request should make players raise an eyebrow in distrust, to say the least, as the reference list they are to choose from contains the standard “secret questions” provided when creating an e-mail account.

Fig. 2 The second step of the sensitive data harvesting scheme

To make sure they actually get all of the information gamers hand them on a silver plate, the cybercriminals generously present their victims with a piece of malware related – of course – to online games. To crown it all, the final window reassures the players themselves that their application (for a nice Trojan, mind you!) was successful.

Fig. 3 The finishing touch of the phishing scheme

Identified by BitDefender as Trojan.PWS.OnlineGames.KDEU, this piece of malware follows an accurate routine.

First, it makes sure that it is not affected by a system restart by creating autorun.inf files that automatically launch copies of it.

Second, it creates copies of itself in the root of the local drives and in the temporary folder of the current user. In the latter location, it also drops a .dll file. This file injects itself into the memory space of the explorer.exe process, from where it is executed, stealing passwords for different online games. It also creates an autorun.inf file in the root folder of all local partitions, every two minutes, in order to replicate itself.

At system start-up, the copy is registered by a new entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and the original Trojan eliminates itself, leaving behind no trace of its existence.
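
A triage sketch for the traces described above (autorun.inf files in drive roots, a copy in the user's temporary folder, a Run-key entry), added here as an example and not taken from BitDefender's analysis. The file names, Run-value names and paths in the sample data are constructed; the functions take autorun.inf text and Run-key values that have already been collected, and assume the registry strings are already expanded.

```python
import ntpath
import re

# Keys in the [autorun] section that make Windows launch a program.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def autorun_launch_targets(text):
    """Return (key, command) pairs from the [autorun] section of autorun.inf text."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower().startswith("[autorun]")
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue  # comments and padding lines carry no launch command
        key, _, value = line.partition("=")
        if LAUNCH_KEYS.match(key.strip()):
            targets.append((key.strip().lower(), value.strip()))
    return targets

def run_entries_in_temp(run_values, temp_dir):
    """Return names of Run-key values whose command starts inside temp_dir."""
    temp = ntpath.normcase(ntpath.normpath(temp_dir)) + "\\"
    hits = []
    for name, command in run_values.items():
        # Drop an opening quote, then compare case-insensitively (handles spaces).
        cmd = ntpath.normcase(command.strip().lstrip('"'))
        if cmd.startswith(temp):
            hits.append(name)
    return sorted(hits)

# Constructed sample data (not from the analysed Trojan).
SAMPLE_AUTORUN = r""";xK2lq padding line
[AutoRun]
open=sample.exe
;9dfs
shell\open\Command=sample.exe
shell\explore\command = sample.exe
icon=folder.ico
[other]
open=ignored.exe
"""
SAMPLE_TEMP = r"C:\Documents and Settings\user\Local Settings\Temp"
SAMPLE_RUN = {
    "Updater": r'"C:\Program Files\Vendor\update.exe" /silent',
    "constructed_entry": SAMPLE_TEMP + r"\sample.exe",
}

if __name__ == "__main__":
    print(autorun_launch_targets(SAMPLE_AUTORUN))
    print(run_entries_in_temp(SAMPLE_RUN, SAMPLE_TEMP))
```

An autorun.inf with launch commands in the root of a fixed (non-removable) drive, or a Run value pointing into the temporary folder, is worth a closer look on its own; both together match the routine described here.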

About the author

Sabina DATCU

Sabina Datcu, PhD, has background training in Applied Informatics and Statistics, Biology and Foreign Languages and Literatures. In 2003 she obtained a master's degree in Systems Ecology and in 2009 a PhD degree in Applied Informatics and Statistics.
Since 2001, she has been involved in the University of Bucharest's FP5 and FP6 European projects, as a researcher in the Information and Knowledge Management field.

In 2009, she joined the E-Threat Analysis and Communication Team at BitDefender as a technology writer and researcher, and started to write a wide range of IT&C security-related content, from malware, spam and phishing alerts to technical whitepapers and press releases.