BoardsForum › More Account Hackings

Demondoodle 2310 posts
04-24-2009 11:25pm
Looks like the hackers are making the rounds. Another guildie got their account hacked last night.

If you have not done so already go out and get Blizzard Authenticator right now.

http://www.blizzard.com/store/search.xml?q=authenticator

$6.50 for a little peace of mind well worth it. No reason why everyone should not have one.
brendar 5729 posts
04-25-2009 5:15am
We should have a password or something, whenever anyone logs in - some kind of question you answer or code word you say. For example - as soon as I log in I say 'poopsock' on gchat so everyone knows I'm not Chinese (they don't wear socks, much less poop in them). If it slips the person's mind, or whatever, guildies can ask a question about that person (something personal if you know them, or just a reminder - "hey what's the word?", etc.)

I've already gotten quizzed a couple of times when I was logging in and out of alts, and I appreciate you guys making sure it was me!

If this is really going to be a problem, maybe we should address it with a simple fix like this. I don't think this would be too much a pain in the ass?
Styg 2529 posts
04-25-2009 11:47am
Who got hit this time and why aren't we tracking someone down and lighting them on fire?
brendar 5729 posts
04-25-2009 12:21pm
I'm on it.

I'm not sure if they are the culprits, but I'm on it.
Styg 2529 posts
04-25-2009 12:22pm
One thing being in artillery taught me was the concept of "collateral damage."
Homreker 3996 posts
04-25-2009 12:34pm
I think it was terrorists funding their efforts through gold sales in WoW.
I have no proof...

Bren, could you get on that.

Oh, and I ordered my authenticator right when my account got hacked.

Arachne suggested we limit the guild vault withdrawals to those with authenticators, but I think that may be asking a bit much... then again, they're only $6.50.
Trianna 3615 posts
04-25-2009 1:53pm
I have noticed something about the Google Ads on the main page of the website. Sometimes they're for gold sellers. If there's a script in those ads and someone isn't running a script blocker (or whatever the fuck it is you PC people do that I really don't know anything about because I use Apple) they could be at risk.

I'm not sure how this works, but maybe The Don can complain or raise these concerns to Google Ads that sometimes questionable ones are making it through?
demetriana 1730 posts
04-25-2009 3:06pm
D: *marks google syndication as untrusted*
Styg 2529 posts
04-25-2009 3:13pm
I don't think a password logger could be embedded in an ad. I could be wrong, but I doubt that is where the leak came from.
Pilsner 4965 posts
04-25-2009 3:17pm
One other odd aside concerning the site is that my workplace webfilter now sees it as a "game related site". This has been the case for about a month or so.

I do not agree with the "authenticators only" access to the vault; as it is a finite time until they will be compromised. If you want to restrict access then make it across the board; have the officers have access and let them do the deposits and withdrawals.

It does create more work for the officers but it also creates limited liability for the guild in general.

Less Gatekeepers=More Secure.

In fact I will volunteer to be the first to have vault rights removed.
Styg 2529 posts
04-25-2009 3:26pm
Pils - The authenticators are pretty fool proof. Unless they have the authenticator there is pretty much no way through it except by having all of your personal information and calling in over the phone.

I don't mind having my vault access removed since I don't really use it, but whatever.
Styg 2529 posts
04-25-2009 3:28pm
Pils - One other thing. We just changed web security devices and it reclassified a bunch of sites based on the way the manufacturer had stuff classified. Have you guys done anything like that recently?
Pilsner 4965 posts
04-25-2009 3:49pm
Nope...one day the site was hanging on "connecting to wowhead.com" (which I thought was odd) and then the next day VS was blocked.

In regards to the authenticator, I don't give a shit, I am going to buy one just for the geek factor; but perhaps some folks don't want to feel obliged to have to own a particular device to have the privilege of access to a bank vault.

Bottom line is if a member does not use questionable addons, does not cheat, and does not share their account information; unless they pick up a keylogger from some random page...they are not going to be hacked.
Jacknsnap 1752 posts
04-25-2009 5:05pm


Bottom line is if a member does not use questionable addons, does not cheat, and does not share their account information; unless they pick up a keylogger from some random page...they are not going to be hacked.

That is absolutely not true. I got hacked and I wasn't doing any of that. Back then I didn't even use addons at all. I was looking at the wow forums on their official site and that's where I got the keylogger. Thing is you could click on something that looks entirely innocent and unintentionally get a keylogger without knowing it. With the increase in gold selling and buying, the hackers are putting in overtime to get our accounts. It can't hurt to have extra protection. (Sounds like a condom ad....heh)
Beefy 530 posts
04-25-2009 8:08pm
Curse has been known to be affected by people who rewrite add-ons and submit them as updates and have a keylogger in the rewrite. The fact is, if they can hack into Government websites, including highly sensitive defense data, then the Chinese can hack into WoW. The authenticator works until it breaks or is lost just before a raid. Anytime there is a human in the equation there is room for error. That is why I am joining the Borg. Avoid all the nonsense and assimilate with me!!!! Resistance is futile!
Foxfyr 12982 posts
04-25-2009 8:21pm
I've read enough reports from people that have been hacked to know that it can happen to anyone. I would have ordered an authenticator earlier if they weren't always out of stock. Now that they are back in stock Sapph has ordered a few and I have the mobile one up.

As far as the bank goes. Nothing was taken that can't be replaced and most people don't take anything out of the vault to use anyway so it really isn't too bad. We lost a couple gems which can now be purchased with 10 emblems of heroism anyway.... no big deal at all.

I think the limits we have on the guild bank are pretty good. A character can only take out 5 items a day.

I would advise people to get an authenticator, not for guild security, but for their own... but in the end it's totally up to you guys.
Demondoodle 2310 posts
04-25-2009 9:33pm
That is absolutely not true. I got hacked and I wasn't doing any of that. Back then I didn't even use addons at all. I was looking at the wow forums on their official site and that's where I got the keylogger. Thing is you could click on something that looks entirely innocent and unintentionally get a keylogger without knowing it. With the increase in gold selling and buying, the hackers are putting in overtime to get our accounts. It can't hurt to have extra protection. (Sounds like a condom ad....heh)

So are obviously but the ones that really get people are when users get their accounts hacked the hackers go on the forums and post stuff as them. People see a person they know and trust and click on it.

When Jack got her account hacked that's what they did, they posted stuff in her name all over the place, until she got banned.
Homreker 3996 posts
04-26-2009 4:14am
I don't think a password logger could be embedded in an ad. I could be wrong, but I doubt that is where the leak came from.

In fact this is actually very common and very easy.
These kinds of "injection" exploits have been affecting sites like Facebook and MySpace pretty heavily for a while. But the concept works pretty much the same.

There are actually a few different ways to avoid these exploits. Trianna's right, NoScript in Firefox helps a lot, but if you're just running IE, or even vanilla Firefox, you may run into problems. You still could get a spoofed addon, or a virus from an email (I've seen 2 0-day viruses in the last 2 weeks and reported them to Trend to add to the virus databases).

The bottom line is to just watch out. But sometimes that doesn't work all by itself--completely minding your own business you can still get in trouble.

The Authenticator is pretty fool proof. It doesn't rely on anything that can be key-logged, and it would be nearly impossible to circumvent it using a random number generator unless you got really, really lucky. It works with a 1-press/1-password system--and then the password changes--giving you a new password every time you log in.
Styg 2529 posts
04-26-2009 11:18am
More for my own purposes Homx, I thought you had to click the ad to get the keylogger. My area of expertise is repair and software so I don't delve too much into the web security aspect.
Homreker 3996 posts
04-26-2009 12:38pm
More for my own purposes Homx, I thought you had to click the ad to get the keylogger. My area of expertise is repair and software so I don't delve too much into the web security aspect.

It depends what is actually being attempted. If the premise is to get you to click and then you download something you wouldn't normally have, then sure. But most of the hackers are using some sort of injection, either SQL injection, XPath injection, or LDAP injection.

The basic premise is that when the ad shows up, it will call to your computer in order to access flash player, or Java or whatever. Once it has access to those players (which generally we allow in some way or another so that we can see all the content on sites) they have access to write to, well the "temporary internet files" folder for instance.

We generally call them "Drive-by websites." The best way to counter them still seems to be turning off scripting, but really who wants to do that, it would also serve to block YouTube and other popular sites. The alternative is to use Firefox with NoScript installed (which helps a lot).

Here's more information on those injections for those who have an ubergeek need:
http://www.site-reference.com/articles/Website-Development/Malicious-Code-Injection-It-s-Not-Just-for-SQL-Anymore.html

Here's the link to Firefox, if you don't already use it:
http://en-us.www.mozilla.com/en-US/

And here's the link to the NoScript addon:
https://addons.mozilla.org/en-US/firefox/addon/722
Styg 2529 posts
04-27-2009 4:41pm
Bichhu 487 posts
04-28-2009 3:56am
I ordered my authenticator the day there was a major break out from curse client. I was saving up for my mount and damn it, it was painful to gather that kind of gold in tbc.

© 2026 Victorious Secret  |  Read-Only Archive