Blainie

WoW Gold Scam Discovered with No Add-Ons Required!

13 posts in this topic


That's right. With a vanilla UI, there are players that can steal all of your gold. Scary stuff!

This was first brought to my attention by a Reddit post from user MrNoobyy. His post reads as follows:

Quote

So recently, there's been a guy on my realm spamming trade chat, claiming to be selling 13/13M with loot and mount on behalf of a top guild on our realm. Every guild he impersonates is a guild with an l somewhere in the name, and he actually makes a guild with a capital I instead of a lower case l, which in game, both show up the same.

He tries to get you to run a /run command, one I won't type out here, with the claim that it's so the raid frames don't get messed up on the custom UI that the raiders use. Knowing better, I of course didn't run the script - but if you do, from what I can tell, it allows the scammer to execute scripts via whisper, that forces you to trade away your gold when he trades you. I'm unsure if this requires an addon to work, as when I told him I'd run the script, he told me to try again, but disable all addons first.

Anyway, I reported him, and he's been showing up on differing toons throughout the week, impersonating a different guild each time. Someone posted a topic on the forums about it here: http://us.battle.net/wow/en/forum/topic/20745644941?page=1 - and it turns out this scammer is trying this on multiple realms.

Fast forward a week or so. I logged onto my main, and my GM whispered me, "Can you please type '/run blahblahblah', it's to test a guild addon." Obviously the blahblahblah was the script. The very same script this scammer tries to use.

It turns out my GM was being hacked. By the same person? Can't really know. But it gets a little more interesting. One of the people in the guild did as the hacker asked, and is now whispering other people scripts that he can't even see, the same script the scammer and hacker are using, and also a few others.

No idea what's going on. For lack of a better word, it's like...the script infects the users who run it, forcing them to become part of it.

Does anybody know anything about this? I've googled the /run command in question, and saw a reddit post about this, but nothing about this....whatever is happening in my guild right now.

So it looks like this allows a user to force you to trade over your gold through a script. Previously, this was done through the use of add-ons such as WeakAuras, but it seems they now have the ability to do it on a simple, Vanilla UI. Another user, johsko, posted an explanation for how this might be happening:

Quote

Found parts of the script, but not all of it. It works by replacing a global function that gets called (by the vanilla chat frame) whenever a message is received, with a function that runs the message as if it had been written after /run by the receiver. It allows them to remotely script your UI. The piece of code they whisper you after you input the seemingly harmless /run hooks it up to the chat message event, allowing them to hide any script messages. Meaning they can do anything an addon can, but remotely without you knowing it.

A /reloadui should get rid of it, but until that is done they can use your client for whatever they want, as long as it fits in a whisper.

Edit: This is all with the vanilla UI, no addons needed. It would be easy for Blizzard to fix this particular instance, but they won't really be able to protect against scams like this. There's always going to be some other piece of code someone can tell you to input. The best thing they can do is to disable /script and /run as commands until the player opts in through a setting or something, and put a huge warning on the opt-in to not enable it unless they are absolutely sure they want to.

There has been no official response from Blizzard yet, but a forum thread has been started. Hopefully we'll see acknowledgement and a response soon! 

1 person likes this


Interesting to see something like this surfacing when the game is 12 years old :p

1 person likes this


Agreed, it is interesting, but I believe it is somehow connected to the value that in-game Gold received (ability to buy game time and black market auction).

1 hour ago, Dantalian said:

Agreed, it is interesting, but I believe it is somehow connected to the value that in-game Gold received (ability to buy game time and black market auction).

Most likely, yeah. Gold is easy to get in WoD for sure, so many people have larger amounts than they had in previous expansions, while it can now be used for game-time for the first time. The value of gold to these people has now gone from just buying mounts and such to actually paying to play the game.

 


The whole story is actually pretty spooky, with all that vanilla UI, script writing and infestation stuff. Blizzard, please, react! 


I hope players understand what the risks are of running /script and /run. I personally will never do this until I'm 100% sure this is a valid fix for one of my issues. Don't want to get scammed and lose all my hard earned dollars :P.

I'll keep a close watch on the official forum thread. Really interested.....

10 hours ago, Paracel said:

The whole story is actually pretty spooky, with all that vanilla UI, script writing and infestation stuff. Blizzard, please, react! 

Yeah, it's horrible to think that people can do this sort of stuff. Would be nice to see more PSAs from Blizzard on this.


So as nice as this sounds in theory, a user/addon is unable to accept a trade without a corresponding hardware event. The AcceptTrade() function has been protected from being called outside of hardware events since its inception. While you could in theory run addon scripts remotely, almost all important functions are protected currently. The only method to circumvent this efficiently would be for the remote user to add additional keybinds (possible as SetBinding() is only protected during combat) or to add additional UI elements that could register a click event (implausible with the character restriction on a whisper).

 

TL;DR: Good on you guys for alerting the community that had missed the original post, but at this time it is implausible that this is being used for what is claimed as the API simply won't allow that. That said there is plenty of damage that can be done with the unprotected functions.

4 hours ago, Psifour said:

So as nice as this sounds in theory, a user/addon is unable to accept a trade without a corresponding hardware event. The AcceptTrade() function has been protected from being called outside of hardware events since its inception. While you could in theory run addon scripts remotely, almost all important functions are protected currently. The only method to circumvent this efficiently would be for the remote user to add additional keybinds (possible as SetBinding() is only protected during combat) or to add additional UI elements that could register a click event (implausible with the character restriction on a whisper).

 

TL;DR: Good on you guys for alerting the community that had missed the original post, but at this time it is implausible that this is being used for what is claimed as the API simply won't allow that. That said there is plenty of damage that can be done with the unprotected functions.

Another post from Reddit on how this is happening, in addition to the one above:

Quote

Software developer here.

This actually doesn't involve any addons at all. It is somewhat misleading. What the /run command does is redirect calls to a built-in WoW API function (RemoveExtraSpaces) to another built-in WoW API function (RunScript) instead.

I suspect the attacker discovered that the default UI calls RemoveExtraSpaces on any text received via chat, including whisper. Once you run that initial script anything else they whisper to you is then interpreted as further /run commands so they've rather trivially enabled themselves to remotely execute anything on your client that can be done via /run.

After that point the cryptic bit including CHAT_MSG_ADDON is actually registering itself for an event anytime a new message is received, either locally or remotely. More than likely this is just setting up additional infrastructure to enable him to further take over your client and probably restore your chat in the process while maintaining an extra hidden button to allow him to continue to remotely execute things.

This is why he's asking you to disable your addons because he was thinking that some other addon was actually interfering with his simple RemoveExtraSpaces hack. I'm surprised we've never seen this sort of thing before as it seems quite trivial. Again though, nothing he's doing requires you to have any addons at all as RemoveExtraSpaces and CHAT_MSG_ADDON are both elements of the default WoW API (a function and event respectively).

If this happened to you a good first step to protect yourself would probably be to:

/run RemoveExtraSpaces=nil
/run z:UnregisterAllEvents();

Which will undo the hooking of RemoveExtraSpaces to RunScript, and then remove the event handlers for CHAT_MSG_ADDON from the "z" button the attacker created.

 

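The rebinding described in the quoted explanation above, as an added example that is not part of the thread and not Blizzard's code: a stand-alone Lua simulation, run outside the game, that contrasts a chat handler resolving its helper by global name on every message with one that captured the helper at load time, plus a check for swapped globals. RemoveExtraSpaces and RunScript are the names from the post, but their bodies here are stand-ins written for this example; the handler names and tamperedGlobals are hypothetical.

```lua
-- Stand-alone simulation (plain Lua 5.1+), not game client code.
-- RunScript here only records its argument; nothing is executed.
local executed = {}

function RunScript(text)                  -- stand-in for the script runner
  executed[#executed + 1] = text
end

function RemoveExtraSpaces(text)          -- stand-in for the chat text helper
  return (text:gsub("%s+", " "))
end

-- Snapshot of trusted references, taken before any user input is processed.
local trusted = { RemoveExtraSpaces = RemoveExtraSpaces, RunScript = RunScript }

-- Handler A: resolves the helper through the global table on every call,
-- so whoever rebinds the global also rebinds the handler's behaviour.
local function onChatLateBound(msg)
  return RemoveExtraSpaces(msg)
end

-- Handler B: captured the helper as an upvalue at load time; later
-- changes to the global name do not reach it.
local cleanSpaces = RemoveExtraSpaces
local function onChatEarlyBound(msg)
  return cleanSpaces(msg)
end

-- Integrity check: names of watched globals that no longer point at the
-- function that was originally loaded.
local function tamperedGlobals()
  local changed = {}
  for name, original in pairs(trusted) do
    if _G[name] ~= original then changed[#changed + 1] = name end
  end
  table.sort(changed)
  return changed
end

-- The rebinding the post describes (constructed reproduction).
RemoveExtraSpaces = RunScript

local whisper = "print('constructed  whisper  text')"  -- constructed sample
onChatLateBound(whisper)                  -- text reaches the script runner
local cleaned = onChatEarlyBound(whisper) -- text is only whitespace-normalised

print("handed to RunScript:", #executed)
print("early-bound result: ", cleaned)
print("tampered globals:   ", table.concat(tamperedGlobals(), ", "))

-- Put the saved references back and re-run the check.
for name, original in pairs(trusted) do _G[name] = original end
print("tampered after restore:", #tamperedGlobals())
```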

This is scary, but I've never seen one on Dalaran-EU

1 person likes this

14 hours ago, Klynwe said:

This is scary, but I've never seen one on Dalaran-EU

I've personally never seen it on my realm either, but it seems there have been a few reports on numerous servers on the forum thread.

1 person likes this

On 7/8/2016 at 3:26 AM, Klynwe said:

This is scary, but I've never seen one on Dalaran-EU

Stormrage has seen it.

Today, on the PTR, I tried running a simple /run command that wipes out all action bars at once and the following warning popped up. Seems Blizzard took note to a degree.

Scripts.jpg

1 person likes this

18 minutes ago, Sajakain said:

Stormrage has seen it.

Today, on the PTR, I tried running a simple /run command that wipes out all action bars at once and the following warning popped up. Seems Blizzard took note to a degree.

Scripts.jpg

Saw this mentioned in a reddit thread, very happy to see it coming into the game.
