World of Warcraft

80
  • 0. Hacked with authenticator   27/02/2010 06:22:09 PST
Well, as the title says, I have used an authenticator for 2+ years now and I just got hacked.

To describe it in more detail:

Had the authenticator since SWP times in TBC. Haven't touched anything since I first registered it in account management.

No social engineering possible on my side. I only play from home, no other person has access to my computer, the authenticator wasn't ever taken out of the room where the computer is. Especially not in the last couple days, weeks. Only people close to me have access to my room and I honestly doubt they know what that authenticator is used for.


This is what basically happened:

I was online, got a memory access violation critical error. Not being all too savvy with this, I didn't pay extra attention to it.

I tried to log in, put the correct password and authenticator code in the WoW in-game login screen. Got "wrong information" message. Tried a couple times.

Went to wow-europe account management, tried to log in, got a message that the authenticator number was put in wrong a couple times and that my authenticator is locked out for the time being or something.

Went to check my system, discovered a suspicious DLL. (emcor.dll if I recall right, ESET NOD32 didn't find it, nor did Spyware Doctor, found it using Security Task Manager, quarantined it and removed, sadly didn't bother checking anything about it, googling it doesn't return much at first glance).

Removed it etc. etc. (took me like 15 minutes).

Logged back online (had to use authenticator number, so it was not removed from my account), stuff was gone.

Made a ticket, logged off, checked my system properly.

Went to account management, logged in fine (again, using a number from the authenticator), checked if authenticator was still assigned to my account (it was), changed the account password just in case. I didn't touch the authenticator, nor did I put in its SN number anywhere besides that one time I registered it to my account like 2 years ago.

To add about the suspicious .dll file:
Edit: emcor.dll was found in /users/username/appdata/Temp

Creates an autostartup registry entry (or whatever it's called, not that savvy). I find it interesting that NOD32 doesn't find that as suspicious behavior when it starts a .dll file from that folder path...

Didn't take any further notes (my bad, I did have some kickoutofgame stuff and email info + wtf/config.wtf related stuff in the information Security Task Manager displayed about it).


So yeah, lone case of some hacker getting really lucky with hacking my account in real time (as authenticator digit code changes every 30 seconds iirc), or is it finally starting?

Emcor.dll, according to probably one of the only pages I found any info on it via googling was apparently first seen around 24th or 25th February 2010, so it's definitely something new.

e: I got no clue where or how I got the file. I don't take too many super extra security measures, just the regular (spyware, antivirus, no-script always active in firefox).

[ Post edited by Zarakiteque ]


Officer of KLR
http://www.klr-guild.eu

Raiding is challenging. Sometimes there is fire. You have to not be in fire.
80
  • 1. Re: Hacked with authenticator   27/02/2010 06:35:21 PST
Yeah, I had it too. I am on Dragonblight and just got my account back. The guy farmed a lot of herbs.

And I have the guy's name, shadadiao :D He left himself on my character's friends list and deleted all my other friends.
80
  • 2. Re: Hacked with authenticator   27/02/2010 06:39:45 PST
He never had my account for more than 15 minutes, basically until he was disconnected by me trying to log back in with a cleaned out computer.

He also never logged in to my account management or changed anything.

Just a man in the middle hacking success.

Officer of KLR
http://www.klr-guild.eu

Raiding is challenging. Sometimes there is fire. You have to not be in fire.
Blizzard Entertainment
Kropacius
Blizzard Poster
  • 3. Re: Hacked with authenticator   27/02/2010 07:53:58 PST
I'm going to take a look into these and may be in touch via email about this.

This is obviously something that needs a proper investigation.

Technical Support
Blizzard Entertainment Europe

Blizzard Support FAQ - http://eu.blizzard.com/support/index.xml
Contact Blizzard Support - http://eu.blizzard.com/support/webform.xml
80
  • 5. Re: Hacked with authenticator   27/02/2010 10:15:04 PST
I can imagine how this was done. I had previously theorised (Though not shared with anyone) how the authenticator could be circumvented ~easily.


~/o Noooobody knows, the Tribbles I've seen. o/~
80
  • 7. Re: Hacked with authenticator   27/02/2010 17:34:44 PST
I managed to find the quarantined file on my computer. If it's any help, I could send it or whatever to you guys (Blizzard) to take a look at it.

Officer of KLR
http://www.klr-guild.eu

Raiding is challenging. Sometimes there is fire. You have to not be in fire.
12
  • 8. Re: Hacked with authenticator   27/02/2010 23:11:16 PST
Bump for slacking support and bad coders!

[ Post edited by Kinkydin ]

80
  • 9. Re: Hacked with authenticator   28/02/2010 00:01:07 PST

Quote:
I'm going to take a look into these and may be in touch via email about this.

This is obviously something that needs a proper investigation.


Would be good if you could also post here confirming whether accounts with authenticators are now vulnerable and what we/you can do to help stop accounts being compromised.

"The stats don't show a lack of popularity for shaman, they just show a ridiculous popularity for other classes." Tharfor - Euro CM
80
  • 10. Re: Hacked with authenticator   28/02/2010 00:03:45 PST
I got the same hack issue yesterday. Got a memory violation access, then I could not connect. Wrong connection information.

I got a lot of stuff stolen. My guild friends kicked me out of my guild and asked for an admin to note the name of the hackers.

I think it had come with an add-on updating... but not sure.
80
  • 11. Re: Hacked with authenticator   28/02/2010 01:43:45 PST
It was only a matter of time before someone reverse engineered the authenticator and would snag up authenticator codes from people, and be able to circumvent it that way. Nothing that can be done about it, other than getting better (computer) security.
80
  • 12. Re: Hacked with authenticator   28/02/2010 01:59:52 PST

Quote:
I managed to find the quarantined file on my computer. If it's any help, I could send it or whatever to you guys (Blizzard) to take a look at it.


Do you want me to send the file somewhere in a password protected zip file? If so, please let me know where.
I can also attach the crash dump of the memory access violation critical error I described happened before they hacked me. The memory dump in there basically has all my login info in it as well as the 6 digit code, or at least what might be the 6 digit code.
Also, it seems it's doing something with a file called mpcore.txt located in the same folder as the emcor.dll file I described.

[ Post edited by Zarakiteque ]


Officer of KLR
http://www.klr-guild.eu

Raiding is challenging. Sometimes there is fire. You have to not be in fire.
80
  • 13. Re: Hacked with authenticator   28/02/2010 02:15:04 PST
I remain very skeptical about this. Almost no information available, and hacking authenticated accounts is not exactly easy.

Any blue updates on this would be very nice.

Oh, and don't visit those gold selling websites and various other naughty activity websites and you are 99% safer from keyloggers.

edit:

Quote:
Only people close to me have access to my room and I honestly doubt they know what that authenticator is used for.


Chances are one of your friends/family/housemates whatever were playing a trick on you. 99% of these (I got hacked) threads are because the people gave their account info (willingly or not) to a "friend"

[ Post edited by Tinkabela ]

80
  • 14. Re: Hacked with authenticator   28/02/2010 02:19:44 PST

Quote:
e: I got no clue where or how I got the file. I don't take too many super extra security measures, just the regular (spyware, antivirus, no-script always active in firefox).

You most probably got it, when that error appeared. They usually use a way to crash some program on your PC to be able to execute code there. Big question, I have about it all: do you have any kind of firewall?

May the force be with you.
Blizzard Entertainment
Kropacius
Blizzard Poster
  • 15. Re: Hacked with authenticator   28/02/2010 02:21:10 PST
After looking into this, it has been escalated, but it is a Man in the Middle attack.
http://en.wikipedia.org/wiki/Man-in-the-middle_attack

This is still perpetrated by key loggers, and no method is always 100% secure.

Technical Support
Blizzard Entertainment Europe

Blizzard Support FAQ - http://eu.blizzard.com/support/index.xml
Contact Blizzard Support - http://eu.blizzard.com/support/webform.xml
80
  • 16. Re: Hacked with authenticator   28/02/2010 02:22:45 PST

Quote:
I remain very skeptical about this. Almost no information available, and hacking authenticated accounts is not exactly easy.
<snip>


Alas a keylogger with a few modifications could easily do this.

~/o Noooobody knows, the Tribbles I've seen. o/~
80
  • 17. Re: Hacked with authenticator   28/02/2010 02:36:41 PST

Quote:
After looking into this, it has been escalated, but it is a Man in the Middle attack.
http://en.wikipedia.org/wiki/Man-in-the-middle_attack

This is still perpetrated by key loggers, and no method is always 100% secure.


I sent the file to hacks@blizzard.com. Might help you further.

[ Post edited by Zarakiteque ]


Officer of KLR
http://www.klr-guild.eu

Raiding is challenging. Sometimes there is fire. You have to not be in fire.
60
  • 18. Re: Hacked with authenticator   28/02/2010 02:58:02 PST
This sounds similar to a hack I suffered on 10 Feb 2010.

I had just received my authenticator in the post, arrived home around 17.30 and loaded up the PC so that I could associate the authenticator with my account. Windows start up was very slow and I couldn't connect to the internet for around 10 minutes. I didn't think too much about this as I had been getting problems with Vista and had just reinstalled Windows etc.

I eventually managed to get to the log in page for my blizz account but I was prompted to enter the authenticator number associated with my account. Of course I hadn't associated my authenticator yet so couldn't respond appropriately and was therefore denied access to my account and to the game on line.

Around this time I started getting telephone calls from fellow guildees telling me my character was on line and emptying the guild bank. I contacted blizzard help by phone - and after about 15 minutes, the assistant was able to reset my account and link the proper authenticator to it.

I was very suspicious about the authenticator arriving and the hack coinciding with it - but up to now had not placed much importance on the windows problems while loading up. I run AVG Internet Security with everything active (inc Firewall), Adaware and Malwarebytes, and the machine was apparently clean before and after the attack.
80
  • 19. Re: Hacked with authenticator   28/02/2010 02:58:16 PST
This is very interesting.

For those of you who don't know me, I review HJT logs on In Game Support in this thread:-

[Guide] How to CLEAN your PC from Keyloggers
http://forums.wow-europe.com/thread.html?topicId=5383442401&sid=1


This entry I am seeing more and more lately and matches your file:-

O20 - AppInit_DLLs: C:\DOCUME~1\Imba\LOCALS~1\Temp\emcor.dll

Whilst Antispyware and Antivirus seems to miss it, HJT Analysers does spot it as a "concern" so for those of you reading this thread that are worried, download and run HJT and see if it finds a similar entry.

NB: Do not "Fix" everything HJT recommends, but you can fix any entry that is similar to the above one. Or post your logs in the thread linked and I will do my best to take a look for you.

[ Post edited by Shammoz ]


Coven of The Blue Panda™
http://www.bamboobix.info/
Fellow Player
“When you have eliminated the impossible, whatever remains, however improbable, must be the truth.”
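
Added example, not part of the thread and not any poster's or Blizzard's code: a small Python check for the kind of HijackThis entry quoted in post 19, flagging AppInit_DLLs values that load a DLL from a Temp directory or from inside a user profile. The sample log is constructed around the one line quoted above; the function names and the directory lists are assumptions.

```python
import re
from pathlib import PureWindowsPath

# HijackThis reports the AppInit_DLLs registry value as an "O20" line.
O20_RE = re.compile(r"^O20\s*-\s*AppInit_DLLs:\s*(?P<value>.+)$", re.IGNORECASE)

TEMP_DIRS = {"temp", "tmp"}
# "docume~1" is the 8.3 short form of "Documents and Settings" (see the thread's log line).
PROFILE_ROOTS = {"users", "documents and settings", "docume~1"}

# Constructed sample log; only the emcor.dll line is taken from the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleApp] C:\PROGRA~1\Example\example.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\example.dll
O20 - AppInit_DLLs: C:\DOCUME~1\Imba\LOCALS~1\Temp\emcor.dll
"""


def split_appinit(value):
    """AppInit_DLLs holds a space- or comma-delimited list of DLL paths."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def classify(dll_path):
    """Return the reasons a DLL path deserves a closer look (empty list = none)."""
    parts = [p.lower() for p in PureWindowsPath(dll_path).parts]
    reasons = []
    if TEMP_DIRS & set(parts[:-1]):
        reasons.append("loaded from a Temp directory")
    if len(parts) > 1 and parts[1] in PROFILE_ROOTS:
        reasons.append("lives inside a user profile")
    return reasons


def scan_hjt_log(text):
    """Return (dll_path, reasons) for every flagged AppInit_DLLs entry."""
    findings = []
    for line in text.splitlines():
        match = O20_RE.match(line.strip())
        for dll in split_appinit(match.group("value")) if match else []:
            reasons = classify(dll)
            if reasons:
                findings.append((dll, reasons))
    return findings


if __name__ == "__main__":
    for dll, reasons in scan_hjt_log(SAMPLE_LOG):
        print(f"{dll}: {'; '.join(reasons)}")
```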