Blainie

Gold Scam Discovered with No Add-Ons Required!

13 posts in this topic

That's right. With a vanilla UI, there are players that can steal all of your gold. Scary stuff!

This was first brought to my attention by a Reddit post from user MrNoobyy. His post reads as follows:

Quote

So recently, there's been a guy on my realm spamming trade chat, claiming to be selling 13/13M with loot and mount on behalf of a top guild on our realm. Every guild he impersonates is a guild with an l somewhere in the name, and he actually makes a guild with a capital I instead of a lower case l, which in game, both show up the same.

He tries to get you to run a /run command, one I won't type out here, with the claim that it's so the raid frames don't get messed up on the custom UI that the raiders use. Knowing better, I of course didn't run the script - but if you do, from what I can tell, it allows the scammer to execute scripts via whisper, that forces you to trade away your gold when he trades you. I'm unsure if this requires an addon to work, as when I told him I'd run the script, he told me to try again, but disable all addons first.

Anyway, I reported him, and he's been showing up differing toons throughout the week, impersonating a different guild each time. Someone posted a topic on the forums about it here: http://us.battle.net/wow/en/forum/topic/20745644941?page=1 - and it turns out this scammer is trying this on multiple realms.

Fast forward a week or so. I logged onto my main, and my GM whispered me, "Can you please type '/run blahblahblah', it's to test a guild addon." Obviously the blahblahblah was the script. The very same script this scammer tries to use.

It turns out my GM was being hacked. By the same person? Can't really know. But it gets a little more interesting. One of the people in the guild did as the hacker asked, and is now whispering other people scripts that he can't even see, the same script the scammer and hacker is using, and also a few others.

No idea what's going on. For lack of a better word, it's like...the script infects the users who run it, forcing them to become part of it.

Does anybody know anything about this? I've googled the /run command in question, and saw a reddit post about this, but nothing about this....whatever is happening in my guild right now.

So it looks like this allows a user to force you to trade over your gold through a script. Previously, this was done through the use of add-ons such as WeakAuras, but it seems they now have the ability to do it on a simple, Vanilla UI. Another user, johsko, posted an explanation for how this might be happening:

Quote

Found parts of the script, but not all of it. It works by replacing a global function that gets called (by the vanilla chat frame) whenever a message is received, with a function that runs the message as if it had been written after /run by the receiver. It allows them to remotely script your UI. The piece of code they whisper you after you input the seemingly harmless /run hooks it up to the chat message event, allowing them to hide any script messages. Meaning they can do anything an addon can, but remotely without you knowing it.

A /reloadui should get rid of it, but until that is done they can use your client for whatever they want, as long as it fits in a whisper.

Edit: This is all with the vanilla UI, no addons needed. It would be easy for Blizzard to fix this particular instance, but they won't really be able to protect against scams like this. There's always going to be some other piece of code someone can tell you to input. The best thing they can do is to disable /script and /run as commands until the player opts in through a setting or something, and put a huge warning on the opt-in to not enable it unless they are absolutely sure they want to.

There has been no official response from Blizzard yet, but a forum thread has been started. Hopefully we'll see acknowledgement and a response soon! 

Interesting to see something like this surfacing when the game is 12 years old :p

Agreed, it is interesting, but I believe it is somehow connected to the value that in-game Gold received (ability to buy game time and black market auction).

1 hour ago, Dantalian said:

Agreed, it is interesting, but I believe it is somehow connected to the value that in-game Gold received (ability to buy game time and black market auction).

Most likely, yeah. Gold is easy to get in WoD for sure, so many people have larger amounts than they had in previous expansions, while it can now be used for game-time for the first time. The value of gold to these people has now gone from just buying mounts and such to actually paying to play the game.

 

The whole story is actually pretty spooky, with all that vanilla UI, script writing and infestation stuff. Blizzard, please, react! 

I hope players understand what the risks are of running /script and /run. I personally will never do this until I'm 100% sure this is a valid fix for one of my issues. Don't want to get scammed and lose all my hard earned dollars :P.

I'll keep a close watch to the official forum thread. Really interested.....

10 hours ago, Paracel said:

The whole story is actually pretty spooky, with all that vanilla UI, script writing and infestation stuff. Blizzard, please, react! 

Yeah, it's horrible to think that people can do this sort of stuff. Would be nice to see more PSAs from Blizzard on this.

So as nice as this sounds in theory a user/addon is unable to accept a trade without a corresponding hardware event. The AcceptTrade() function has been protected from being called outside of hardware events since its inception. While you could in theory run addon scripts remotely almost all important functions are protected currently. The only method to circumvent this efficiently would be for the remote user to add additional keybinds (possible as SetBinding() is only protected during combat) or to add additional UI elements that could register a click event (implausible with the character restriction on a whisper).

 

TL;DR: Good on you guys for alerting the community that had missed the original post, but at this time it is implausible that this is being used for what is claimed as the API simply won't allow that. That said there is plenty of damage that can be done with the unprotected functions.

4 hours ago, Psifour said:

So as nice as this sounds in theory a user/addon is unable to accept a trade without a corresponding hardware event. The AcceptTrade() function has been protected from being called outside of hardware events since its inception. While you could in theory run addon scripts remotely almost all important functions are protected currently. The only method to circumvent this efficiently would be for the remote user to add additional keybinds (possible as SetBinding() is only protected during combat) or to add additional UI elements that could register a click event (implausible with the character restriction on a whisper).

 

TL;DR: Good on you guys for alerting the community that had missed the original post, but at this time it is implausible that this is being used for what is claimed as the API simply won't allow that. That said there is plenty of damage that can be done with the unprotected functions.

Another post from Reddit on how this is happening, in addition to the one above:

Quote

Software developer here.

This actually doesn't involve any addons at all. It is somewhat misleading. What the /run command does is redirect calls to a built-in WoW API function (RemoveExtraSpaces) to another built-in WoW API function (RunScript) instead.

I suspect the attacker discovered that the default UI calls RemoveExtraSpaces on any text received via chat, including whisper. Once you run that initial script anything else they whisper to you is then interpreted as further /run commands so they've rather trivially enabled themselves to remotely execute anything on your client that can be done via /run.

After that point the cryptic bit including CHAT_MSG_ADDON is actually registering itself for an event anytime a new message is received, either locally or remotely. More than likely this is just setting up additional infrastructure to enable him to further take over your client and probably restore your chat in the process while maintaining an extra hidden button to allow him to continue to remotely execute things.

This is why he's asking you to disable your addons because he was thinking that some other addon was actually interfering with his simple RemoveExtraSpaces hack. I'm surprised we've never seen this sort of thing before as it seems quite trivial. Again though, nothing he's doing requires you to have any addons at all as RemoveExtraSpaces and CHAT_MSG_ADDON are both elements of the default WoW API (a function and event respectively).

If this happened to you a good first step to protect yourself would probably be to:

/run RemoveExtraSpaces=nil
/run z:UnregisterAllEvents();

Which will undo the hooking of RemoveExtraSpaces to RunScript, and then remove the event handlers for CHAT_MSG_ADDON from the "z" button the attacker created.

 

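An added example, not part of the original posts and not WoW client code: a stand-alone Lua mock of the redirection described in the Reddit explanation above and in johsko's earlier one, showing how a snapshot of function references detects and undoes it. `OnChatMessage`, `AuditGlobals`, `RestoreGlobals` and both function bodies are hypothetical stand-ins; `RunScript` here only records its argument.

```lua
-- Added example: stand-alone Lua 5.1+, a mock, not WoW client code.
-- The two global names come from the thread; their bodies are stand-ins.
function RemoveExtraSpaces(s)            -- benign text filter
  return (s:gsub("%s+", " "))
end

local executed = {}                      -- what the stand-in was handed
function RunScript(s)                    -- stand-in: records, never executes
  executed[#executed + 1] = s
end

-- Mock chat handler (hypothetical): resolves the global by name on every
-- call, so it trusts whatever that name points at right now.
local function OnChatMessage(text)
  return RemoveExtraSpaces(text)
end

-- Defender side: snapshot trusted references before any user script runs.
local WATCHED = { "RemoveExtraSpaces", "RunScript" }
local baseline = {}
for _, name in ipairs(WATCHED) do baseline[name] = _G[name] end

-- Report each watched global whose reference differs from the snapshot,
-- and whether it now aliases another watched function or is nil.
local function AuditGlobals()
  local findings = {}
  for _, name in ipairs(WATCHED) do
    local now = _G[name]
    if now ~= baseline[name] then
      local alias
      for _, other in ipairs(WATCHED) do
        if other ~= name and now ~= nil and now == baseline[other] then
          alias = other
        end
      end
      findings[#findings + 1] = { name = name, alias = alias, missing = (now == nil) }
    end
  end
  return findings
end

-- Put the snapshotted references back (the mock's equivalent of a reload).
local function RestoreGlobals()
  for name, fn in pairs(baseline) do _G[name] = fn end
end

-- Constructed scenario 1: the redirection described in the thread.
assert(#AuditGlobals() == 0)
RemoveExtraSpaces = RunScript
OnChatMessage("constructed whisper text")
assert(#executed == 1)                   -- inbound text reached RunScript
local f = AuditGlobals()
assert(#f == 1 and f[1].name == "RemoveExtraSpaces" and f[1].alias == "RunScript")
print(("ALERT: %s now points at %s"):format(f[1].name, f[1].alias))

-- Constructed scenario 2: the global set to nil. The alias is gone, but in
-- this mock the handler now raises until the original reference is restored.
RemoveExtraSpaces = nil
assert(pcall(OnChatMessage, "a   b") == false)
assert(AuditGlobals()[1].missing == true)

RestoreGlobals()
assert(OnChatMessage("a   b") == "a b")
assert(#AuditGlobals() == 0)
print("globals restored, audit clean")
```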
14 hours ago, Klynwe said:

This is scary, but I've never seen one on Dalaran-EU

I've personally never seen it on my realm either, but it seems there have been a few reports on numerous servers on the forum thread.

On 7/8/2016 at 3:26 AM, Klynwe said:

This is scary, but I've never seen one on Dalaran-EU

Stormrage has seen it.

Today, on the PTR, I tried running a simple /run command that wipes out all action bars at once and the following warning popped up. Seems Blizzard took note to a degree.

Scripts.jpg

18 minutes ago, Sajakain said:

Stormrage has seen it.

Today, on the PTR, I tried running a simple /run command that wipes out all action bars at once and the following warning popped up. Seems Blizzard took note to a degree.

Scripts.jpg

Saw this mentioned in a reddit thread, very happy to see it coming into the game.
