Malware is being distributed to World of Warcraft (WoW) gamers as the value of game accounts rises with the popularity of the software.
Webroot's Curtis Fechner and Grayson Milbourne claimed that most WoW players have a friend who got infected by a Trojan and subsequently had their account compromised.
They said: “For some, this just means that their characters were stripped of all equipment, money, and bank items. For others who may have been in a leadership position within an established guild (a player-organised social group) the account's thief may have stolen as many items and/or as much money as possible from the guild's shared bank.”
Fechner and Milbourne claimed that ‘keylogger posts’ on the WoW message boards are one of the most common ways that malware writers deliver malicious ploys to WoW players. While many WoW veterans would not be distracted by the crude tactics of these posts, there are plenty of people who cannot resist the juicy drama or want to learn more about their Death Knight.
Fechner and Milbourne said: “Misled gamers who download and run the flash ‘installer’ won't see any obvious difference on their computers to indicate that they are infected. At this point, the Trojan is ready to start stealing login credentials.”
They claimed that the infections are often fairly simple in their configuration, though as with all malware there are versions out there which are much more complex. The installer executable simply drops a DLL file onto the victim's hard drive, typically to System32 or another Windows subdirectory. The DLL performs the keystroke logging and then sends that data to the phisher behind the scam. The installer also modifies the Registry so the file loads with every start-up.
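The drop-then-persist sequence described above can be hunted by correlating a DLL written under the Windows directory with a later autorun Registry value that references it. This is an added example, not code from Webroot or the article; the event format, file names and the Registry locations watched are assumptions, since the article does not name the key the installer modifies.

```python
import ntpath

# Constructed sample events in a simplified, Sysmon-like shape (not from the article).
EVENTS = [
    {"type": "file_create", "process": r"C:\Users\kim\Downloads\flash_installer.exe",
     "target": r"C:\Windows\System32\msvidc32x.dll"},
    {"type": "reg_set", "process": r"C:\Users\kim\Downloads\flash_installer.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"rundll32.exe C:\Windows\System32\msvidc32x.dll,Start"},
    # Benign noise: a system installer dropping a DLL, and an updater's Run entry.
    {"type": "file_create", "process": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Windows\System32\vendor.dll"},
    {"type": "reg_set", "process": r"C:\Program Files\Vendor\update.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Program Files\Vendor\update.exe /background"},
]

# Assumption: autorun locations to watch; the article does not say which one is used.
AUTORUN_KEYS = (
    "\\software\\microsoft\\windows\\currentversion\\run",        # Run / RunOnce
    "\\software\\microsoft\\windows nt\\currentversion\\windows",  # AppInit_DLLs
)
# Assumption: droppers launched by a user run from one of these path fragments.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\downloads\\")


def is_autorun(key):
    return any(fragment in key.lower() for fragment in AUTORUN_KEYS)


def find_drop_and_persist(events):
    """Return (dll, dropper, autorun_key) for each DLL written under the Windows
    directory by a process in a user-writable path and later named in an autorun value."""
    dropped = {}  # lower-cased DLL path -> process that wrote it
    hits = []
    for ev in events:
        if ev["type"] == "file_create":
            target, proc = ev["target"].lower(), ev["process"].lower()
            if (target.endswith(".dll") and target.startswith("c:\\windows\\")
                    and any(fragment in proc for fragment in USER_WRITABLE)):
                dropped[target] = ev["process"]
        elif ev["type"] == "reg_set" and is_autorun(ev["key"]):
            value = ev["value"].lower()
            for dll, dropper in dropped.items():
                # Full path or bare file name: System32 is on the DLL search path.
                if dll in value or ntpath.basename(dll) in value:
                    hits.append((dll, dropper, ev["key"]))
    return hits
```
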
The page emulates the appearance of a flash video-based porn site and the pages leech some of the graphics from that site, but every single link on the page links to the malware installer. This simple social engineering trick, so commonly used of late by Koobface to fool Facebook users, still manages to convince users to execute the malware installer in order to view the video.
Fechner and Milbourne said: “While there is some indication that these account credentials are often phished specifically for gaming account information, there is nothing to prevent these individuals from applying those same login credentials, or logging additional ones, to other websites accessed by the infected individual. When that happens, this kind of crime easily transforms from a nuisance into major identity theft.”