World of Warcraft add-on trojan steals account, authenticator info

Fake version of Curse Client responsible for compromised accounts

A Trojan masquerading as a popular add-on for World of Warcraft was responsible for compromising user accounts even with authenticators, Blizzard revealed today.

According to a post on the MMORPG's support forum, a fake version of the Curse Client contained the trojan. The spoofed client appeared on a forged version of Curse's website, which ranked highly on major search engines for the term "curse client."


The hacked Curse Client transmitted account information, passwords, and even authenticator keys to the attackers as part of the login process, but otherwise functioned normally.

Blizzard recommends that users who believe they may have been compromised delete the client and run the latest version of Malwarebytes, then follow the steps listed on its support page.

"For those of you interested in these [man-in-the-middle] style attacks, this is the only confirmed case we've seen in several years outside of the 'Configuring/HIMYM' trojan in early 2012 that hit a handful of accounts," a Blizzard support agent wrote. "These sort of outbreaks are annoying, but an Authenticator still protects your account 99% of the time. Stay safe!"

World of Warcraft had 7.6 million subscribers as of November 2013, making it the most popular subscription based MMO nine years after its launch. Blizzard's service was targeted for denial-of-service attacks this week allegedly intended to disrupt a single Twitch streamer.