Security researchers at BitDefender identified a trojan that is used to steal the virtual goods in World of Warcraft player accounts which are protected using the previously-thought-unbreakable Blizzard Battle.net Authenticator.
The authenticator is an electronic device that generates a one-time numerical token (a string of six digits, in fact) which is used in conjunction with a regular username and password to gain access to a user’s account. The six-digit strings are mathematically related to the (unique) serial number assigned to each authenticator device, in such a way that Battle.net servers can verify that a certain six-digit token was issued from a certain generator.
The method was supposed to be safer than regular password-based authentication, as an attacker would need both the username/password combination and a valid token to log in, and, obviously, the token would only be accessible to the person actually holding the token generator.
It turns out, however, that there is a way to steal and use a token – and it’s quite simple, provided one can convince World of Warcraft users to install a trojaned copy of Wowmatrix (Wowmatrix is a popular auto-updater for World of Warcraft extensions).
Once installed, Trojan.PWS.WOW.NGT patches (modifies) the World of Warcraft client executable in-memory, when it is loaded, and thus retrieves a valid token, which gets sent to an attacker-controlled server along with some information about the victim’s system. The game executable is then crashed before it can attempt to log in using the token.
The attacker is now in possession of a valid, unused token, which gets immediately used to log in and “clean out” all the virtual goods of the victim, by the simple method of selling them and sending the resulting virtual cash to an attacker-controlled account, as a “gift” from one player to another.
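Why crashing the client before login matters, from the server's point of view: the sketch below is an added example, not code from BitDefender or Blizzard, and it assumes a generic RFC 6238 time-based scheme rather than the authenticator's actual algorithm. The serial, the 30-second window and the secret (the RFC 6238 test key) are constructed values.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds a token stays valid (assumption: RFC 6238 default)
DIGITS = 6   # the article says tokens are six digits

def token_at(secret: bytes, t: int) -> str:
    """RFC 6238 token for Unix time t (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", t // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Server side: serial -> per-device secret, plus a record of consumed windows."""
    def __init__(self, secrets):
        self.secrets = secrets
        self.used = set()  # (serial, window) pairs that already logged in

    def login(self, serial: str, token: str, now: int) -> bool:
        # Nothing here identifies which machine submitted the token.
        secret = self.secrets.get(serial)
        window = now // STEP
        if secret is None or (serial, window) in self.used:
            return False  # unknown device, or token already consumed
        if not hmac.compare_digest(token, token_at(secret, now)):
            return False  # wrong or expired token
        self.used.add((serial, window))
        return True

def demo():
    serial, secret = "SERIAL-PLACEHOLDER", b"12345678901234567890"  # constructed
    t0 = 1111111085
    token = token_at(secret, t0)  # value displayed on the owner's device
    # Case 1: the owner logs in first, so a later copy of the token is rejected.
    a = Verifier({serial: secret})
    owner_ok = a.login(serial, token, t0 + 2)
    replay_ok = a.login(serial, token, t0 + 5)
    # Case 2: the owner's login never reaches the server (client crashed),
    # so the same token is still unused and is accepted from anyone.
    unused_ok = Verifier({serial: secret}).login(serial, token, t0 + 5)
    # Case 3: the token is only good inside its window.
    late_ok = Verifier({serial: secret}).login(serial, token, t0 + STEP)
    return owner_ok, replay_ok, unused_ok, late_ok
```

One-time-use tracking only protects a token that the legitimate client has already submitted; it does nothing for a token captured on the endpoint before submission.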
“There is, obviously, significant overlap between the population of BitDefender researchers and that of World of Warcraft players, but our reaction to reports from the World of Warcraft community would have been swift in any case, as the token authentication method is used by organisations other than Blizzard. We may be seeing the tip of a rather large and menacing iceberg here,” declared Viorel Canja, Head of BitDefender Labs.