New Trojan Intercepts Battle.net Authenticators

2014-01-07

Blizzard recently issued a warning regarding a potential new Trojan that could sniff account emails, passwords and authenticator codes.

They went on to say that this is different from many previous attacks, as it would intercept the user's login credentials and pass them in real time to the attackers' malicious servers, which would then log into the owner's account.

This type of attack had been seen previously in 2012, but only for a small number of accounts.

It is worth noting that this type of Man-In-The-Middle attack compromises users who have authenticators just as much as those who don't, and even affects anyone using the official mobile authenticator on a mobile device.

The latest update is that the Trojan was included in a fake Curse Client download, hosted on a fake Curse website. The website itself appeared high up in Google searches, and so unsuspecting users were downloading the file.

Uninstalling the fake Curse client and running the latest MalwareBytes are now known ways to clean and remove the Trojan.

Protecting yourself against this type of attack can be difficult due to its nature. It goes without saying that you should be careful about what you download and keep your anti-virus / anti-malware protections up to date.

However, even the best people can sometimes make mistakes or be fooled by more elaborate malware.

Watch out for typical warning signs that might indicate you have a problem, for instance a login that fails when you are sure you entered all the correct information. When a Trojan like this steals your credentials, it will use them immediately but pass invalid ones to Blizzard, and so your own login attempt fails. This is because Battle.net is designed so an authenticator code can only be used once (for that particular time), and the Trojan ensures that it gets in first.
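The single-use rule described above, seen from the server side, as an added example that is not Blizzard's code. It assumes a standard RFC 6238 time-based code with a 30-second step; the account name, secret and addresses are constructed. A correct code submitted a second time in the same window is rejected, which is the failed login the owner sees, and the server can record that event as an alert.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code window (assumed; RFC 6238 default)


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1) for the time step containing `now`."""
    counter = int(now // STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class SingleUseVerifier:
    """Accepts each time step's code at most once per account."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.last_step = {}  # account -> last accepted time step
        self.alerts = []     # (account, source) for replayed valid codes

    def login(self, account: str, code: str, now: float, source: str) -> str:
        secret = self.secrets.get(account)
        if secret is None or not hmac.compare_digest(code, totp(secret, now)):
            return "invalid"
        step = int(now // STEP)
        if self.last_step.get(account, -1) >= step:
            # Correct code, already consumed: the login fails and the
            # server has a signal worth alerting on.
            self.alerts.append((account, source))
            return "replayed"
        self.last_step[account] = step
        return "ok"


def demo():
    # Constructed sample data, not taken from any real account.
    secret = b"constructed-secret"
    verifier = SingleUseVerifier({"player@example.com": secret})
    t = 1_389_052_800.0  # 2014-01-07 00:00:00 UTC, start of a time step
    code = totp(secret, t)
    first = verifier.login("player@example.com", code, t + 2, "203.0.113.9")
    second = verifier.login("player@example.com", code, t + 5, "198.51.100.7")
    return first, second, verifier.alerts
```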

Not that you should freak out every time you mistype your password, but if it happens, consider whether you have downloaded anything recently. You can also run "msinfo32" to see if there are any Startup Programs or Running Tasks you don't recognize.

Despite this, having an authenticator is still a lot safer than not.