Petrovic Posted July 25, 2016

According to G Data, a new World of Warcraft scam is being used that uses social engineering to try and trick victims into entering a special command. When a victim enters this command it would allow attackers to take control of victim's in-game WOW interface, make unauthorized trades, and find the victim's location anywhere in the game.

From a post on the site OwnedCore, which is a site devoted to exploits and hacks for online games, this attack has been utilized for quite some time, but only recently has been posted publicly.

Post on OwnedCore

There has also been a lot of discussion on Reddit and the official WoW forums about people who have been tricked into using this attack.

Reddit post about the Attack

How the RemoveExtraSpaces WoW Attack Works

This attack works by scammers using social engineering to try and trick the victim into entering a special command. Some attackers tell victims that if they enter the command they will get a special item or mount, while others state they should enter it to fix bugs during Raids. If they are successfully able to trick the victim into executing the command, it then allows the attacker to send chat messages that can control the victim's interface.

The command that attackers are trying to trick users into entering is:

/run RemoveExtraSpaces=RunScript

In order to understand how this attack works, it is important to understand how the WoW user interface is implemented. The WoW interface and its add-ons are programmed in a scripting language called LUA, which can also be used to extend the functionality of the WoW graphical user interface.

By default, whenever a user receives a chat message in WoW, the interface executes the RemoveExtraSpaces function, which trims the chat string of extra spaces. When a victim enters the command, it will cause the RunScript command to be executed every time the RemoveExtraSpaces function would normally be executed. This then allows the attacker to send commands to the victim, which will now use the RunScript command to execute the chat message as a LUA script.

The following images from G Data show how this works. In the first image, the victim is about to enter the command that makes it so that the RunScript command is executed every time a RemoveExtraSpaces command is executed.

[Image: Victim about to enter the Run command]

The next image shows an attacker sending a chat message to the victim with a LUA command that will be executed in the victim's user interface.

[Image: Attacker sends chat message that will be executed]

The last image shows that the command is executed on the user interface and the message with the string Test is displayed.

[Image: Successful execution of command via Chat]

How to Protect yourself from this WoW Attack

Unfortunately, at this time there is no way to protect yourself from this attack other than not typing in commands sent to you by other players. All online game players should be wary of anything sent to them that supposedly can provide special perks or items. If someone you trust sends you a command to enter in your interface, I still suggest you do a search for that command on the web to determine exactly what it will do before you enter it.

According to G Data, Blizzard has released a pre-release for their upcoming Legion add-on that includes a warning when someone tries to input a script into their user interface.

[Image: Script Warning]

Unfortunately, once a user clicks Yes and allows the custom scripts, the warning will never appear again unless you remove the SET AllowDangerousScripts "1" line from the WoW config-cache.wtf file.

Article source
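Added example, not part of the original posts or of any Blizzard or G Data code: a small Python check that flags chat lines asking a player to rebind a function to RunScript, and that drops the SET AllowDangerousScripts "1" line from config text so the script warning shows again. The function names, the sample chat lines, the exampleSetting entry and the assumption that config-cache.wtf holds one SET line per setting are all constructed for illustration.

```python
import re

# A /run command (or its long form /script) that rebinds a global to
# RunScript, like the command quoted in the post above. Slash commands are
# matched case-insensitively; the Lua names are case-sensitive.
HIJACK_RE = re.compile(
    r"/(?i:run|script)\s+.*?\b([A-Za-z_]\w*)\s*=\s*RunScript\b")

# Assumed layout of a config-cache.wtf setting line: SET <name> "<value>"
SET_RE = re.compile(r'^\s*SET\s+(\S+)\s+"([^"]*)"\s*$')


def find_hijack_commands(chat_lines):
    """Return (line_number, rebound_name) for each suspicious chat line."""
    hits = []
    for number, line in enumerate(chat_lines, start=1):
        match = HIJACK_RE.search(line)
        if match:
            hits.append((number, match.group(1)))
    return hits


def rearm_script_warning(config_text):
    """Drop SET AllowDangerousScripts "1"; return (cleaned_text, removed)."""
    kept, removed = [], 0
    for line in config_text.splitlines(keepends=True):
        match = SET_RE.match(line)
        if (match and match.group(1).lower() == "allowdangerousscripts"
                and match.group(2) == "1"):
            removed += 1  # the opt-in line is left out of the cleaned text
            continue
        kept.append(line)
    return "".join(kept), removed


# Constructed sample data, not taken from a real client or chat log.
SAMPLE_CHAT = [
    "[Whisper] Friend: type this to get the mount",
    "[Whisper] Friend: /run RemoveExtraSpaces=RunScript",
    "[Guild] Healer: /run print('ready check')",
]
SAMPLE_CONFIG = 'SET exampleSetting "0.5"\nSET AllowDangerousScripts "1"\n'

if __name__ == "__main__":
    print(find_hijack_commands(SAMPLE_CHAT))
    print(rearm_script_warning(SAMPLE_CONFIG))
```

The config function works on text only; close the game and keep a copy of config-cache.wtf before writing the cleaned text back.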
Vic Vega Posted July 25, 2016

Quote: World of Warcraft scam allows attackers to take control of victim's User Interface

WoW!
Archived
This topic is now archived and is closed to further replies.