Blainie

wow Gold Scam Discovered with No Add-Ons Required!

13 posts in this topic

LYuH3Su.png

That's right. With a vanilla UI, there are players that can steal all of your gold. Scary stuff!

This was first brought to my attention by a Reddit post from user MrNoobyy. His post reads as follows:

Quote

So recently, there's been a guy on my realm spamming trade chat, claiming to be selling 13/13M with loot and mount on behalf of a top guild on our realm. Every guild he impersonates is a guild with an l somewhere in the name, and he actually makes a guild with a captial I instead of a lower case l, which in game, both show up the same.

He tries to get you to run do a /run command, one I won't type out here, with the claim that it's so the raid frames don't get messed up on the custom UI that the raiders use. Knowing better, I of course didn't run the script - but if you do, from what I can tell, it allows the scammer to execute scripts via whisper, that forces you trade away your gold when he trades you. I'm unsure if this requires an addon to work, as when I told him I'd run the script, he told me to try again, but disable all addons first.

Anyway, I reported him, and he's been showing up differing toons throughout the week, impersonating a different guild each time. Someone posted a topic on the forums about it here: http://us.battle.net/wow/en/forum/topic/20745644941?page=1 - and it turns out this scammer is trying this on multiple realms.

Fast forward a week or so. I logged onto my main, and my GM whispered me, "Can you please type '/run blahblahblah', it's to test a guild addon." Obviously the blahblahblah was the script. The very same script this scammer tries to use.

It turns out my GM was being hacked. By the same person? Can't really know. But it gets a little more interesting. One of the people in the guild did as the hacker asked, and is now whispering other people scripts that he can't even see, the same script the scammer and hacker is using, and also a few others.

No idea what's going on. For lack of a better word, it's like...the script infects the users who run it, forcing them to become part of it.

Does anybody know anything about this? I've googled the /run command in question, and saw a reddit post about this, but nothing about this....whatever is happening in my guild right now.

So it looks like this allows a user to force you to trade over your gold through a script. Previously, this was done through the use of add-ons such as WeakAuras, but it seems they now have the ability to do it on a simple, Vanilla UI. Another user, johsko, posted an explanation for how this might be happening:

Quote

Found parts of the script, but not all of it. It works by replacing a global function that gets called (by the vanilla chat frame) whenever a message is received, with a function that runs the message as if it had been written after /run by the receiver. It allows them to remotely script your UI. The piece of code they whisper you after you input the seemingly harmless /run hooks it up to the chat message event, allowing them to hide any script messages. Meaning they can do anything an addon can, but remotely without you knowing it.

A /reloadui should get rid of it, but until that is done they can use your client for whatever they want, as long as it fits in a whisper.

Edit: This is all with the vanilla UI, no addons needed. It would be easy for Blizzard to fix this particular instance, but they won't really be able to protect against scams like this. There's always going to be some other piece of code someone can tell you to input. The best thing they can do is to disable /script and /run as commands until the player opts in through a setting or something, and put a huge warning on the opt-in to not enable it unless they are absolutely sure they want to.

There has been no official response from Blizzard yet, but a forum thread has been started. Hopefully we'll see acknowledgement and a response soon! 

1 person likes this

Share this post


Link to post
Share on other sites

Interesting to see something like this surfacing when the game is 12 years old :p

1 person likes this

Share this post


Link to post
Share on other sites

Agreed, it is interesting, but I believe it is somehow connected to the value that in-game Gold recived (ability to buy game time and black market auction).

Share this post


Link to post
Share on other sites
1 hour ago, Dantalian said:

Agreed, it is interesting, but I believe it is somehow connected to the value that in-game Gold recived (ability to buy game time and black market auction).

Most likely, yeah. Gold is easy to get in WoD for sure, so many people have larger amounts than they had in previous expansions, while it can now be used for game-time for the first time. The value of gold to these people has now gone from just buying mounts and such to actually paying to play the game.

 

Share this post


Link to post
Share on other sites

The whole story is actually pretty spooky, with all that vanilla UI, script writing and infestation stuff. Blizzard, please, react! 

Share this post


Link to post
Share on other sites

I hope players understand what is the risks are of running /script and /run. I personally will never do this until i'm 100% sure this is a valid fix for one of my issues. Don't want to get scammed and lose all my hard earned dollars :P.

I'll keep a close watch to the official forum thread. Really interested.....

Share this post


Link to post
Share on other sites
10 hours ago, Paracel said:

The whole story is actually pretty spooky, with all that vanilla UI, script writing and infestation stuff. Blizzard, please, react! 

Yeah, it's horrible to think that people can do this sort of stuff. Would be nice to see more PSAs from Blizzard on this.

Share this post


Link to post
Share on other sites

So as nice as this sounds in theory a user/addon is unable to accept a trade without a corresponding hardware event. The AcceptTrade() function has been protected from being called outside of hardware events since it's inception. While you could in theory run addon scripts remotely almost all important functions are protected currently. The only method to circumvent this efficiently would be for the remote user to add additional keybinds (possible as SetBinding() is only protected during combat) or to add additional UI elements that could register a click event (implausible with the character restriction on a whisper). 

 

TL;DR: Good on you guys for alerting the community that had missed the original post, but at this time it is implausible that this is being used for what is claimed as the API simply won't allow that. That said there is plenty of damage that can be done with the unprotected functions.

Share this post


Link to post
Share on other sites
4 hours ago, Psifour said:

So as nice as this sounds in theory a user/addon is unable to accept a trade without a corresponding hardware event. The AcceptTrade() function has been protected from being called outside of hardware events since it's inception. While you could in theory run addon scripts remotely almost all important functions are protected currently. The only method to circumvent this efficiently would be for the remote user to add additional keybinds (possible as SetBinding() is only protected during combat) or to add additional UI elements that could register a click event (implausible with the character restriction on a whisper). 

 

TL;DR: Good on you guys for alerting the community that had missed the original post, but at this time it is implausible that this is being used for what is claimed as the API simply won't allow that. That said there is plenty of damage that can be done with the unprotected functions.

Another post from Reddit on how this is happening, in addition to the one above:

Quote

Software developer here.

This actually doesn't involve any addons at all. It is somewhat misleading. What the /run command does is redirect calls to a built-in WoW API function (RemoveExtraSpaces) to another built-in WoW API function (RunScript) instead.

I suspect the attacker discovered that the default UI calls RemoveExtraSpaces on any text received via chat, including whisper. Once you run that initial script anything else they whisper to you is then interpreted as further /run commands so they've rather trivially enabled themselves to remotely execute anything on your client that can be done via /run.

After that point the cryptic bit including CHAT_MSG_ADDON is actually registering itself for an event anytime a new message is received, either locally or remotely. More than likely this is just setting up additional infrastructure to enable him to further take over your client and probably restore your chat in the process while maintaining an extra hidden button to allow him to continue to remotely execute things.

This is why he's asking you to disable your addons because he was thinking that some other addon was actually interfering with his simple RemoveExtraSpaces hack. I'm surprised we've never seen this sort of thing before as it seems quite trivial. Again though, nothing he's doing requires you to have any addons at all as RemoveExtraSpaces and CHAT_MSG_ADDON are both elements of the default WoW API (a function and event respectively).

If this happened to you a good first step to protect yourself would probably be to:

/run RemoveExtraSpaces=nil /run z:UnregisterAllEvents();

Which will undo the hooking of RemoveExtraSpaces to RunScript, and then remove the event handlers for CHAT_MSG_ADDON from the "z" button the attacker created.

 

Share this post


Link to post
Share on other sites

This is scary, but  ive never seen one on Dalaran-EU

1 person likes this

Share this post


Link to post
Share on other sites
14 hours ago, Klynwe said:

This is scary, but  ive never seen one on Dalaran-EU

I've personally never seen it on my realm either, but it seems there has been a few reports on numerous servers on the forum thread

1 person likes this

Share this post


Link to post
Share on other sites
On 7/8/2016 at 3:26 AM, Klynwe said:

This is scary, but  ive never seen one on Dalaran-EU

Stormrage has seen it.

Today, on the PTR, I tried running a simple /run command that wipes out all action bars at once and the following warning popped up. Seems Blizzard took note to a degree.

Scripts.jpg

1 person likes this

Share this post


Link to post
Share on other sites
18 minutes ago, Sajakain said:

Stormrage has seen it.

Today, on the PTR, I tried running a simple /run command that wipes out all action bars at once and the following warning popped up. Seems Blizzard took note to a degree.

Scripts.jpg

Saw this mentioned in a reddit thread, very happy to see it coming into the game.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By Stan

      Squirky is a new capturable Murloc pet that can be found on the Seabreak Isle (Azsuna). In this mini-guide we're looking at how to capture him.
      There are murlocs and crabs that hit hard and it's easy to aggro groups of mobs. Make sure to approach Squirky on your flying mount and click him as soon as you land so you begin the battle before entering combat. The pet cannot be caged.
      Abilities
      Squirky has the following abilities
      Level 1 - Punch Level 2 - Clobber Level 4 - For Adventure! Level 10 - Fish Slap Level 15 - Stampede Level 20 - Bubble Pet Model

      Location coords Seabreak Isle - Azsuna (20,21)

    • By Starym

       
      Tomb of Sargeras is coming within a month (hopefully) and we got the official preview with developer insights and some background lore for the raid and each individual boss. Mythic testing is on the way this weekend so the tentative mid-June release date might actually be possible, although near the end of the month seems more likely. In any case, enjoy the pretty detailed preview:
      Blizzard (source)
      Through dangers untold and hardships unnumbered, the combined forces of the Class Orders have fought their way through the Broken Shore to reach the Tomb of Sargeras. With weapons of great power and the Pillars of Creation at hand, the defenders of Azeroth must face these last foes before the portal is sealed, cutting off the Burning Legion’s access to Azeroth.
      Minimum Level: 110
      Location: The Broken Shore
      Bosses: 9
      Difficulty: Raid Finder, Normal, Heroic, Mythic
      Aegwynn used this sacred temple of Elune to lock away the defeated Sargeras’ avatar. She hoped it would remain dormant, buried deep within the earth, but the lure of power has continued to draw foul entities to this site. When Gul’dan reentered the tomb, he tore down Aegwynn’s wards and opened a doorway for the Legion to invade. Now the fel army tears at the vault, hoping to reclaim their master’s power.
      Encounters and Bosses
      You can learn a bit about each of the bosses below. Make sure you check out the in-game Adventure Guide (Shift-J) for a full list of tips for Healers, Damage Dealers, and Tanks. 
      Goroth
      As punishment for past failures Goroth’s flesh is marred with searing wounds. With every movement this behemoth makes, his flesh crackles and hisses with unending torment, a scourge he is happy to inflict upon those who oppose him.
      Demonic Inquisition
      Anticipating the arrival of mortal forces invading the Tomb of Sargeras, Kil’jaeden has called on his best captors, Atrigan and Belac, to lock down the interlopers and prevent them from using the Pillars to advance deeper into the dungeon.
      Harjatan
      Harjatan was trained from birth to demolish his enemies. Through a conquest of savage brutality, he gathered throngs of cave dwelling murlocs who see him as a god. Now, the naga brute merely has to bark a command and hordes of devout followers set themselves to task.
      Mistress Sassz’ine
      Mistress Sassz’ine has spent a lifetime binding the denizens of the ocean to her dark will. With this power, she summons nightmares from the briny depths to wash away any who dare challenge her.
      Sisters of the Moon
      The Sisters of the Moon served as wardens for the temple long before the avatar of Sargeras was buried beneath it. Even in death, the sisters maintained their vigil, but over the millennia something twisted their ability to distinguish friend from foe. Their madness slowly consumed them, and now any who enter their sacred chambers are put to death.
      The Desolate Host
      Once, this was a sacred burial site for the night elves, until the Legion corrupted these grounds with the Engine of Souls. This foul machine draws upon the energy of the dead, twisting them into abominations.These tormented spirits have become monstrosities, looking to feed on any who descend into the tomb’s depths.
      Maiden of Vigilance
      Charged by Aegwynn to defend the Tomb of Sargeras, the Maiden of Vigilance has stood watch for hundreds of years. Yet, the guardian did not foresee what effect the avatar’s seeping fel energy would have on this titan construct. Slowly warped by this maleficence, the maiden now seeks to destroy any in her path.
      Fallen Avatar
      When Aegwynn defeated the Avatar of Sargeras, she was unable to destroy his avatar. In an effort to seal it away, the armor was entombed beneath the Temple of Elune, where it remained dormant for hundreds of years. Now, with the Legion tearing down the tomb’s barriers, Kil’jaeden is in a position to reanimate the armor and unleash its power on Azeroth.
      Kil’jaeden
      Since striking the bargain that chased the Draenei into the stars, Kil’jaeden believed the Legion could not be stopped—yet, none of his deceptions have prevented you from reaching this critical moment. Infuriated that Sargeras’ promise of victory has never come to pass, the demon lord prepares to face you himself, for a final battle that will shape Azeroth’s destiny forever.
      We’ll see you in the tomb!
    • By Stan

      Last time we wrote about a new area that was added to Darkmoon Island and now it's open for testing and contains the Blight Boar band that performs their concert in the Cauldron of Rock cave.
      Related Achievements
      Hey, You're a Rockstar! Mosh Pit Perfect Performance Stage Dive Taking this Show on the Road Henry Gust
      Sells the following masks / dance sticks
      Blighthead Bitter Wounds Mask Blighthead Electric Beehive Mask Blighthead Grim Smile Mask Blighthead Mohawk Mask Blighthead Romero Mask Blighthead Slack-Jaw Mask Devlynn Styx Mask Green Dance Stick Purple Dance Stick Producer Jay Maguire will keep you updated when Blight Boar is performing again.
      Once the concert starts, a Death Metal Knight will spawn. There are various debuffs that show how dedicated a fan you are: Casual Fan, Serious Fan, Hardcore Fan, Number One Fan. You can increase (Score Up) your score by protecting the band, or decrease it (Score Down).
      Related spells
      Bassist Drummer Guitarist Vocals Related items
      Cage helms
      Chain-Linked Cage Helm Leather-Lined Cage Helm Lightly-Padded Cage Helm Steel-Reinforced Cage Helm
      Toys
      Blight Boar Microphone changes you into Devlynn Styx Weapon transmog
      Necromedes, the Death Resonator (effect Resonating Death Notes)
      Early Preview
    • By Stan

      A list of all class changes and Tier Set Bonus adjustments of this week's 7.2.5 build.
      Warriors went through lots of changes in the latest build, Fists of Fury now have an 8yd range & more.
      Concordance of Legionfall (Legion Infinite Trait)
      Concordance of the Legionfall Concordance of the Legionfall Concordance of the Legionfall Concordance of the Legionfall Class Changes
      Death Knight
      Chilled Heart // Chilled Heart Crystalline Swords Unholy Frenzy Vampiric Fangs // Vampiric Fangs // Vampiric Fangs Demon Hunter
      Demon Rage Empower Wards Eternal Hunger // Eternal Hunger First Blood Imprison Druid
      Backlash Soul of the Forest Hunter
      Deathstrike Venom Mok'Nathal Tactics Scatter Shot Sniper Shot The Beast Within T.N.T. Wild Protector Monk
      Fists of Fury Keg Smash Purifying Brew Stormstout's Last Gasp Paladin
      Blessing of the Ashbringer Eye of Tyr Judgment of Blood Seraphim's Blessing Priest
      Call to the Void Lash of Insanity Plea Power Word: Shield The Alabaster Lady Rogue
      Assassination Rogue Flat % increase - Assassination Rogue Toxic Blade Shaman
      Crashing Lightning Earth Shield Ethereal Form Spark of Ra-den Smoldering Heart Warlock
      Affiliction Warlock Flat % increase - Affliction Warlock Haunt Warrior
      Fury Warrior Flat % increase - Fury Warrior Deadly Calm Exploit the Weakness Fervor of Battle Focused Rage Frenzy Opportunity Strikes // Opportunity Strikes Ravager Rend Titanic Might Trauma Whirlwind Tier Set Bonus Update
      Death Knight
      Item - Death Knight T20 Frost 2P Bonus Druid
      Item - Druid T20 Restoration 4P Bonus Paladin
      Item - Paladin T20 Protection 2P Bonus Item - Paladin T20 Protection 4P Bonus Shaman
      Item - Shaman T19 Enhancement 4P Bonus Item - Shaman T20 Elemental 2P Bonus
    • By Stan

      This week's 7.2.5 PTR Build added 27 new Legendary items to the game.
      Here's a list of all new Legendary items added in Build 24163. The second round of new items can be found here and for "Hellfire Amulets" don't forget to check out the first round.
      Death Knight
      Cold Heart Death Screamers Soulflayer's Corruption Demon Hunter
      Chaos Theory Oblivion's Embrace Druid
      Behemoth Headdress Fury of Nature Radiant Moonlight Hunter
      Celerity of the Windrunners Parsel's Tongue Unseen Predator's Cloak Mage
      Contained Infernal Core Mantle of the First Kirin Tor Shattered Fragments of Sindragosa Monk
      The Wind Blows Paladin
      Pillars of Inmost Light Scarlet Inquisitor's Expurgation Priest
      Heart of the Void Rogue
      The Curse of Restlessness The Empty Crown The First of the Dead Shaman
      Primal Ascendant's Stormcallers Smoldering Heart Warlock
      The Master Harvester Warrior
      Ararat's Bloodmirror The Great Storm's Eye Valarjar Berserkers