Account Hacked (battle.net) - do me a favor
#1
I got a notice from Blizzard that my battle.net account had been suspended and I had to regain control. Now, that account was mostly inactive - all I used it for was a SC2 beta application and my very (like years and years) defunct WoW account (with a L30 Paladin) - but still, I'm concerned.

If you see my Yuku account (or my CoX account) do anything odd, warn me. I've changed the passwords on *everything* I can think of to something longer and more secure (and unique for each one) but if they know my email address and typical username, they've got a lead.

Thanks.
#2
You sure it's actually from Blizzard? I get like six or seven warnings a week, and I don't have a WoW account. It could just be phishing emails.
--
If you become a monster to put down a monster you've still got a monster running around at the end of the day and have as such not really solved the whole monster problem at all. 
#3
I'll echo Florin on this. There is a good chance the message you received was a phishing attempt.

The spammers have started (since the end of last month) to copy the form letter that Blizzard sends out for WoW account de-activations.

Only two things change:

1) the url you click on

Take a very careful look at the URLs they are asking you to click on. Is it the actual Blizzard login page or 'secure-blizzard-login.com'?

2) the original sending machine

and if you know how, pull up the raw source of the message; any mail from Blizzard should originate from Blizzard servers (not hotmail, or yahoo, or comcast, or random-german-isp)
-Terry
-----
"so listen up boy, or pornography starring your mother will be the second worst thing to happen to you today"
TF2: Spy
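The two checks Terry describes above (is the link's domain really the vendor's, and did the message enter the mail chain from the vendor's servers), as an added example that is not part of the original thread or anything Blizzard ships. The allowlist of trusted domains, the hostnames, the IP addresses and both sample messages are constructed for illustration:

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Hypothetical allowlist: the post only says "the actual blizzard login page"
# and "blizzard servers"; which domains the vendor really uses is an assumption.
TRUSTED_DOMAINS = {"blizzard.com", "battle.net"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
RECEIVED_FROM_RE = re.compile(r"\bfrom\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def registrable_domain(hostname):
    """Last two labels of a hostname ('mx1.blizzard.com' -> 'blizzard.com').

    Good enough for .com/.net; a real check would consult the Public Suffix List.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(body):
    """Links whose registrable domain is not on the allowlist.

    'secure-blizzard-login.com' contains the brand name but is a different
    registrable domain, which is exactly the tell the post describes.
    """
    return [
        url for url in URL_RE.findall(body)
        if registrable_domain(urlparse(url).hostname or "") not in TRUSTED_DOMAINS
    ]


def originating_hosts(msg):
    """Hostnames from the Received: chain, first hop (oldest) first.

    Each relay prepends its own Received: header, so the bottom-most one names
    the server that first accepted the message from the sender.
    """
    hosts = []
    for received in reversed(msg.get_all("Received", [])):
        m = RECEIVED_FROM_RE.search(received)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def check_message(raw_message):
    """Apply both checks to a raw RFC 822 message and report the findings."""
    msg = message_from_string(raw_message)
    hops = originating_hosts(msg)
    return {
        "suspicious_links": suspicious_links(msg.get_payload()),
        "first_hop": hops[0] if hops else None,
        "first_hop_trusted": bool(hops) and registrable_domain(hops[0]) in TRUSTED_DOMAINS,
    }


# Constructed sample: copies the vendor's form letter but fails both checks.
PHISH = """\
Received: from mx.example.net (mx.example.net [192.0.2.20])
\tby inbox.example.net with ESMTP; Tue, 01 Jun 2010 10:00:00 +0000
Received: from mail-relay.random-german-isp.example (unknown [198.51.100.7])
\tby mx.example.net with SMTP; Tue, 01 Jun 2010 09:59:58 +0000
From: "Blizzard Entertainment" <noreply@blizzard.com>
Subject: Account Suspension Notice

Your account has been suspended. Log in at
https://secure-blizzard-login.com/login to regain control.
"""

# Constructed sample of what a genuine notice would look like under the same checks.
GENUINE = """\
Received: from mx1.blizzard.com (mx1.blizzard.com [192.0.2.10])
\tby mx.example.net with ESMTP; Tue, 01 Jun 2010 10:00:00 +0000
From: "Blizzard Entertainment" <noreply@blizzard.com>
Subject: Account Suspension Notice

Your account has been suspended. Log in at
https://us.battle.net/account/ to regain control.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("genuine", GENUINE)):
        print(name, check_message(raw))
```

Note that the From: header is identical in both samples; it is trivially forged, which is why the post points at the link target and the Received: chain instead.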
#4
It was actually from Blizzard. The message source and body checked out.
#5
So, I finally got through to Blizzard, and found out what happened. Someone broke into my Battle.net account, via a brute-force attack. They then activated my WoW account, and started spamming gold sales.

What the hell kind of security is Blizzard running that they don't protect against a brute-force attack?!
#6
bad
"No can brain today. Want cheezeburger."
From NGE: Nobody Dies, by Gregg Landsman
http://www.fanfiction.net/s/5579457/1/NGE_Nobody_Dies
#7
Well.  To be fair?  They -can't- protect you against a brute-force attack, if it's executed properly.  At least, not without pissing off the userbase.
Can they reject an IP based on too many failed login attempts within a certain window?  Absolutely.  And they do.  Unfortunately, this has to be lifted after a certain period because otherwise you get AOL users (and others, they're just the most visible) bitching and moaning about how they can't log in.  They can't log in because some dipshit using their shared or recycled IP got the IP blocked, but then you're punishing valid users.  So, it unlocks after a while.
Can they lock an account after too many failed login attempts within a certain window?  Absolutely.  I have no data on whether they do or not, but this is a landmine option, meaning that it's guaranteed to piss off the public and needs to be handled with care.  My guess would be that they -do-, but it automatically unlocks after X hours.
Here's the thing, though.  Anybody trying to gain access can get around both of those ridiculously easily.  Once you've experimented a few times to find out what the parameters are, you can script the entire thing, and stay under the threshold for automatic lockout.  And remember, it's not some bored hacker targeting -you-, it's someone with thousands, possibly millions, of account names that his script is patiently sifting through, and more likely than not a sizable pool of IP addresses to launch the attack from.
Blizzard -does- protect against brute-force attacks as best they can, but nothing can stop one outright if the attacker is reasonably clever.  Not with a simple password scheme, at any rate.  You can protect yourself by choosing passwords of sufficient complexity, but with this sort of security scheme -- the only sort the paying public will tolerate, mind you -- you cannot guarantee a brute-force attack won't get through.

--sofaspud
--"Listening to your kid is the audio equivalent of a Salvador Dali painting, Spud." --OpMegs
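A toy model of the two defenses sofaspud describes (a per-IP block and a per-account lockout, both expiring on their own) and of the paced, IP-rotating attack that stays under both. This is an added example, not code from the thread or from Blizzard; the thresholds, windows, account names and IP addresses are all hypothetical:

```python
import collections


class LoginGuard:
    """Sliding-window failure counters per source IP and per account.

    Thresholds and windows are hypothetical; the post gives none, it only says
    the blocks exist and expire "after a while" / "after X hours".
    """

    def __init__(self, ip_limit=10, ip_window=600, acct_limit=5, acct_window=3600):
        self.ip_limit, self.ip_window = ip_limit, ip_window
        self.acct_limit, self.acct_window = acct_limit, acct_window
        self.ip_fail = collections.defaultdict(collections.deque)
        self.acct_fail = collections.defaultdict(collections.deque)

    @staticmethod
    def _prune(dq, now, window):
        # Drop failures that have aged out of the window (this is the auto-unlock).
        while dq and dq[0] <= now - window:
            dq.popleft()

    def attempt(self, account, ip, password_ok, now):
        """Return 'ok', 'bad_password', 'ip_blocked' or 'account_locked'."""
        ipq = self.ip_fail[ip]
        self._prune(ipq, now, self.ip_window)
        if len(ipq) >= self.ip_limit:
            return "ip_blocked"  # rejected before the password is even looked at
        aq = self.acct_fail[account]
        self._prune(aq, now, self.acct_window)
        if len(aq) >= self.acct_limit:
            ipq.append(now)  # probing a locked account still counts against the IP
            return "account_locked"
        if password_ok:
            return "ok"
        ipq.append(now)
        aq.append(now)
        return "bad_password"


def single_ip_burst(guard, account, guesses, ip="203.0.113.1"):
    """The naive attacker: one IP, one account, one guess per second."""
    return collections.Counter(
        guard.attempt(account, ip, False, now=float(i)) for i in range(guesses)
    )


def spray(guard, accounts, guesses_per_account, ip_pool, pace):
    """The attack the post describes: a long list of account names, a few
    guesses each, rotated across an IP pool and paced so that neither counter
    ever reaches its threshold."""
    results = collections.Counter()
    t = 0.0
    for _ in range(guesses_per_account):
        for i, account in enumerate(accounts):
            results[guard.attempt(account, ip_pool[i % len(ip_pool)], False, t)] += 1
            t += pace
    return results


if __name__ == "__main__":
    # Constructed scenario; addresses are from documentation ranges only.
    g = LoginGuard()
    print("burst:", dict(single_ip_burst(g, "victim", 50)))
    # The collateral damage the post complains about: another user sharing the
    # blocked IP is refused even with the right password...
    print("bystander on blocked IP:", g.attempt("bystander", "203.0.113.1", True, now=50.0))
    # ...and the real owner is locked out of their own account until the window expires.
    print("owner at t=50:", g.attempt("victim", "198.51.100.9", True, now=50.0))
    print("owner at t=4000:", g.attempt("victim", "198.51.100.9", True, now=4000.0))

    g2 = LoginGuard()
    accounts = ["user%d" % i for i in range(1000)]
    ips = ["203.0.113.%d" % i for i in range(100)]
    print("paced spray:", dict(spray(g2, accounts, 3, ips, pace=1.0)))
```

With 100 IPs and one attempt per second, each IP is reused only every 100 s (at most 6 failures inside the 600 s window), and with 1000 accounts each account is retried only every 1000 s (3 failures inside the 3600 s window), so 3000 guesses go through without a single block. Shortening the windows or lowering the limits only changes the pacing the attacker's script needs; it also lengthens the lockout the bystander and the real owner suffer, which is the trade-off the post is pointing at.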
#8
It's pretty easy, too, if they're running Zombie Boxes - computers that have somehow downloaded a Trojan script that hijacks their internet connection. Most users don't even realize it's running, either, hence the name. It's how a lot of DoS attacks are done without having T1 lines to spam a website with packets.