Blizzard revealed today that a trojan which had been disguised as a popular World of Warcraft add on, compromised several WoW accounts.
According to a post on MMO Champion‘s support forum, the trojan was hidden within a fake version of the Curse Client, and managed to even effect accounts with authenticators. The faked client had somehow managed to make it’s way into high ranking on search engines, via a forged version of Curse’s site.
The client, which would appear to be functionally normally to the user, would actually be sending sensitive information such as account information, passwords, and even authenticator keys to the people behind the trojan.
Blizzard has made some recommendations to those who have, or believe they have, been affected by the attack, stating that users should immediately delete the client and then run the latest version of Malwarebytes. After this, users need only follow the instructions listed on this support page.
They also issued a statement saying;
“For those of you interested in these [man-in-the-middle] style attacks, this is the only confirmed case we’ve seen in several years outside of the ‘Configuring/HIMYM’ trojan in early 2012 that hit a handful of accounts. These sort of outbreaks are annoying, but an Authenticator still protects your account 99% of the time. Stay safe!”