World of Warcraft Attack Highlights Two-Factor Authentication Weakness
New malware targeting users of the online role-playing game World of Warcraft exploits a weakness that exists in many forms of two-factor authentication.
Wed, January 08, 2014
CSO — New malware targeting users of the online role-playing game World of Warcraft exploits a weakness that exists in many forms of two-factor authentication.
WoW developer Blizzard Entertainment recently reported the Trojan program on the company's Battle.net forums. The malware sets up a classic man-in-the-middle attack used to bypass two-factor authentication.
Battle.net, Blizzard's WoW online gaming service, provides a physical token or a mobile app for generating one-time passcodes users would type in after entering their usernames and passwords. As Blizzard points out, the system protects accounts 99 percent of the time, but it was the 1 percent that got some users in trouble.
Cybercriminals distributed the PC-infecting malware through a Web site that distributed a bogus version of Curse Client, a third-party application used to install add-ons and modifications for several games, including WoW.
Once installed, the malware set up a man-in-the-middle attack in which the username, password and passcode were intercepted and then used to log into the WoW player's account. During the hijacking, users were left wondering why they were unable to get into the game.
Such attacks, also used to bypass two-factor authentication in some online banking sites, demonstrate the weakness of using the same channel, called in-band authentication, for inputting all data, experts say.
"The Warcraft hack is a huge vulnerability for major enterprises and Web sites relying on in-band authentication," said Evan Grimm, founder and chief technology officer for Toopher, a multifactor authentication vendor.
To neutralize such an attack, the second type of authentication after entering the username and password has to happen through a second channel. For example, a passcode could be typed into a mobile app on a smartphone.
Another alternative would be to send a text message notifying users of the IP address and geographical location of the computer trying to log into their accounts. If they don't recognize the PC, users can choose to reject the login attempt.
"It's still a user element, obviously, where you have to have the recognition that 'Hey, I don't live in China, so what's happening,'" Mark Stanislav, security evangelist for Duo Security, said.
The importance of user education is the second lesson learned in the WoW attack, since players were somehow tricked into installing the rogue Curse Client.
"While this attack was made towards gamers, the reality is that the enterprise is susceptible to such attacks as well and further reinforces the need to adequately train users to not install software from unknown sources," Stanislav said.