
World of Warcraft scam allows attackers to take control of victim's User Interface


Petrovic


According to G Data, a new World of Warcraft scam is being used that uses social engineering to try and trick victims into entering a special command. When a victim enters this command it would allow attackers to take control of victim's in-game WOW interface, make unauthorized trades, and find the victim's location anywhere in the game.

 

From a post on the site OwnedCore, which is a site devoted to exploits and hacks for online games, this attack has been utilized for quite some time, but only recently has been posted publicly.

 

[Image: Post on OwnedCore]


There has also been a lot of discussion on Reddit and the official WoW forums about people who have been tricked into using this attack.

 

[Image: Reddit post about the Attack]


How the RemoveExtraSpaces WoW Attack Works
This attack works by scammers using social engineering to try and trick the victim into entering a special command. Some attackers tell victims that if they enter the command they will get a special item or mount, while others state they should enter it to fix bugs during Raids. If they are successfully able to trick the victim into executing the command, it then allows the attacker to send chat messages that can control the victim's interface.

 

The command that attackers are trying to trick users into entering is:

/run RemoveExtraSpaces=RunScript

In order to understand how this attack works, it is important to understand how the WoW user interface is implemented. The WoW interface and its add-ons are programmed in a scripting language called Lua, which can also be used to extend the functionality of the WoW graphical user interface. By default, whenever a user receives a chat message in WoW, the interface executes the RemoveExtraSpaces function, which trims the chat string of extra spaces. When a victim enters the command, it will cause the RunScript command to be executed every time the RemoveExtraSpaces would normally be executed. This then allows the attacker to send commands to the victim, which will now use the RunScript command to execute the chat message as a Lua script.

 

The following images from G Data show how this works. In the first image, the victim is about to enter the command that makes it so that the RunScript command is executed every time a RemoveExtraSpaces command is executed.

 

[Image: Victim about to enter the Run command]


The next image shows an attacker sending a chat message to the victim with a Lua command that will be executed in the victim's user interface.

 

[Image: Attacker sends chat message that will be executed]


The last image shows that the command is executed on the user interface and the message with the string Test is displayed.

 

[Image: Successful execution of command via Chat]


How to Protect yourself from this WoW Attack
Unfortunately, at this time there is no way to protect yourself from this attack other than not typing in commands sent to you by other players. All online game players should be wary of anything sent to them that supposedly can provide special perks or items. If someone you trust sends you a command to enter in your interface, I still suggest you do a search for that command on the web to determine exactly what it will do before you enter it.

 

According to G Data, Blizzard has released a pre-release for their upcoming Legion add-on that includes a warning when someone tries to input a script into their user interface.

 

[Image: Script Warning]


Unfortunately, once a user clicks Yes and allows the custom scripts, the warning will never appear again unless you remove the SET AllowDangerousScripts "1" line from the WoW config-cache.wtf file.

Article source
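An added example, not part of the original post or of G Data's or Blizzard's material: a small Python check for the SET AllowDangerousScripts "1" line that the article says suppresses the script warning. It assumes config-cache.wtf holds one SET name "value" entry per line, as in the quoted line; the function name and the sample settings are hypothetical.

```python
import re
import sys

# One setting per line, in the form the article quotes:
#   SET AllowDangerousScripts "1"
# Assumption: the setting name is matched case-insensitively to be safe.
CVAR_LINE = re.compile(r'^\s*SET\s+(\S+)\s+"([^"]*)"\s*$', re.IGNORECASE)
TARGET = "allowdangerousscripts"


def audit_config(text):
    """Return (enabled, cleaned_text) for the contents of config-cache.wtf.

    enabled is True when the last AllowDangerousScripts entry is "1".
    cleaned_text is the input with every AllowDangerousScripts line removed,
    which per the article makes the script warning appear again.
    """
    enabled = False
    kept = []
    for line in text.splitlines(keepends=True):
        match = CVAR_LINE.match(line)
        if match and match.group(1).lower() == TARGET:
            enabled = match.group(2) == "1"
            continue  # leave this line out of the cleaned copy
        kept.append(line)
    return enabled, "".join(kept)


# Constructed sample with placeholder setting names, not a real config file.
SAMPLE = (
    'SET exampleSettingA "1"\n'
    'SET AllowDangerousScripts "1"\n'
    'SET exampleSettingB "0.5"\n'
)

if __name__ == "__main__":
    # Pass the path to config-cache.wtf, or run without arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    flag, cleaned = audit_config(data)
    print("custom scripts allowed without warning:", flag)
    if flag:
        print("cleaned config (back up the original before replacing it):")
        print(cleaned, end="")
```

The script only prints the cleaned text; it never modifies the file it reads.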

Quote

World of Warcraft scam allows attackers to take control of victim's User Interface

WoW! :P
