Showing posts from August, 2011

Suggested change to log in process

While looking though my Spam folder today, the thought occurred that Blizzard has one aspect to the authenticator system that makes it easy to launch a systematic spear phishing campaign against World of Warcraft users.

When you try to log in to or to World of Warcraft the system preforms the following steps:

Enter email address and password
Ask server if the account with that email has an authenticator
Prompt for authenticator
Check both password and authenticator number
Log in

The system will prompt you for the authenticator code even if the password is incorrect before it checks it.

The issue with is, given a list of email addresses, a phishing group could attempt to log in to them. If prompts for an authenticator, they know the account has one attached. Since the farmers have the resources for a wide-spread account takeover operation, it would then be a simple matter to prompt their phishing site to ask for the authenticator code if needed. Since Blizz…