Jump to content
FORUMS
Blainie

Gold Scam Discovered with No Add-Ons Required!

Recommended Posts

LYuH3Su.png

That's right. With a vanilla UI, there are players that can steal all of your gold. Scary stuff!

This was first brought to my attention by a Reddit post from user MrNoobyy. His post reads as follows:

Quote

So recently, there's been a guy on my realm spamming trade chat, claiming to be selling 13/13M with loot and mount on behalf of a top guild on our realm. Every guild he impersonates is a guild with an l somewhere in the name, and he actually makes a guild with a captial I instead of a lower case l, which in game, both show up the same.

He tries to get you to run do a /run command, one I won't type out here, with the claim that it's so the raid frames don't get messed up on the custom UI that the raiders use. Knowing better, I of course didn't run the script - but if you do, from what I can tell, it allows the scammer to execute scripts via whisper, that forces you trade away your gold when he trades you. I'm unsure if this requires an addon to work, as when I told him I'd run the script, he told me to try again, but disable all addons first.

Anyway, I reported him, and he's been showing up differing toons throughout the week, impersonating a different guild each time. Someone posted a topic on the forums about it here: http://us.battle.net/wow/en/forum/topic/20745644941?page=1 - and it turns out this scammer is trying this on multiple realms.

Fast forward a week or so. I logged onto my main, and my GM whispered me, "Can you please type '/run blahblahblah', it's to test a guild addon." Obviously the blahblahblah was the script. The very same script this scammer tries to use.

It turns out my GM was being hacked. By the same person? Can't really know. But it gets a little more interesting. One of the people in the guild did as the hacker asked, and is now whispering other people scripts that he can't even see, the same script the scammer and hacker is using, and also a few others.

No idea what's going on. For lack of a better word, it's like...the script infects the users who run it, forcing them to become part of it.

Does anybody know anything about this? I've googled the /run command in question, and saw a reddit post about this, but nothing about this....whatever is happening in my guild right now.

So it looks like this allows a user to force you to trade over your gold through a script. Previously, this was done through the use of add-ons such as WeakAuras, but it seems they now have the ability to do it on a simple, Vanilla UI. Another user, johsko, posted an explanation for how this might be happening:

Quote

Found parts of the script, but not all of it. It works by replacing a global function that gets called (by the vanilla chat frame) whenever a message is received, with a function that runs the message as if it had been written after /run by the receiver. It allows them to remotely script your UI. The piece of code they whisper you after you input the seemingly harmless /run hooks it up to the chat message event, allowing them to hide any script messages. Meaning they can do anything an addon can, but remotely without you knowing it.

A /reloadui should get rid of it, but until that is done they can use your client for whatever they want, as long as it fits in a whisper.

Edit: This is all with the vanilla UI, no addons needed. It would be easy for Blizzard to fix this particular instance, but they won't really be able to protect against scams like this. There's always going to be some other piece of code someone can tell you to input. The best thing they can do is to disable /script and /run as commands until the player opts in through a setting or something, and put a huge warning on the opt-in to not enable it unless they are absolutely sure they want to.

There has been no official response from Blizzard yet, but a forum thread has been started. Hopefully we'll see acknowledgement and a response soon! 

  • Like 1

Share this post


Link to post
Share on other sites

Agreed, it is interesting, but I believe it is somehow connected to the value that in-game Gold recived (ability to buy game time and black market auction).

Share this post


Link to post
Share on other sites
1 hour ago, Dantalian said:

Agreed, it is interesting, but I believe it is somehow connected to the value that in-game Gold recived (ability to buy game time and black market auction).

Most likely, yeah. Gold is easy to get in WoD for sure, so many people have larger amounts than they had in previous expansions, while it can now be used for game-time for the first time. The value of gold to these people has now gone from just buying mounts and such to actually paying to play the game.

 

Share this post


Link to post
Share on other sites

The whole story is actually pretty spooky, with all that vanilla UI, script writing and infestation stuff. Blizzard, please, react! 

Share this post


Link to post
Share on other sites

I hope players understand what is the risks are of running /script and /run. I personally will never do this until i'm 100% sure this is a valid fix for one of my issues. Don't want to get scammed and lose all my hard earned dollars :P.

I'll keep a close watch to the official forum thread. Really interested.....

Share this post


Link to post
Share on other sites
10 hours ago, Paracel said:

The whole story is actually pretty spooky, with all that vanilla UI, script writing and infestation stuff. Blizzard, please, react! 

Yeah, it's horrible to think that people can do this sort of stuff. Would be nice to see more PSAs from Blizzard on this.

Share this post


Link to post
Share on other sites

So as nice as this sounds in theory a user/addon is unable to accept a trade without a corresponding hardware event. The AcceptTrade() function has been protected from being called outside of hardware events since it's inception. While you could in theory run addon scripts remotely almost all important functions are protected currently. The only method to circumvent this efficiently would be for the remote user to add additional keybinds (possible as SetBinding() is only protected during combat) or to add additional UI elements that could register a click event (implausible with the character restriction on a whisper). 

 

TL;DR: Good on you guys for alerting the community that had missed the original post, but at this time it is implausible that this is being used for what is claimed as the API simply won't allow that. That said there is plenty of damage that can be done with the unprotected functions.

Share this post


Link to post
Share on other sites
4 hours ago, Psifour said:

So as nice as this sounds in theory a user/addon is unable to accept a trade without a corresponding hardware event. The AcceptTrade() function has been protected from being called outside of hardware events since it's inception. While you could in theory run addon scripts remotely almost all important functions are protected currently. The only method to circumvent this efficiently would be for the remote user to add additional keybinds (possible as SetBinding() is only protected during combat) or to add additional UI elements that could register a click event (implausible with the character restriction on a whisper). 

 

TL;DR: Good on you guys for alerting the community that had missed the original post, but at this time it is implausible that this is being used for what is claimed as the API simply won't allow that. That said there is plenty of damage that can be done with the unprotected functions.

Another post from Reddit on how this is happening, in addition to the one above:

Quote

Software developer here.

This actually doesn't involve any addons at all. It is somewhat misleading. What the /run command does is redirect calls to a built-in WoW API function (RemoveExtraSpaces) to another built-in WoW API function (RunScript) instead.

I suspect the attacker discovered that the default UI calls RemoveExtraSpaces on any text received via chat, including whisper. Once you run that initial script anything else they whisper to you is then interpreted as further /run commands so they've rather trivially enabled themselves to remotely execute anything on your client that can be done via /run.

After that point the cryptic bit including CHAT_MSG_ADDON is actually registering itself for an event anytime a new message is received, either locally or remotely. More than likely this is just setting up additional infrastructure to enable him to further take over your client and probably restore your chat in the process while maintaining an extra hidden button to allow him to continue to remotely execute things.

This is why he's asking you to disable your addons because he was thinking that some other addon was actually interfering with his simple RemoveExtraSpaces hack. I'm surprised we've never seen this sort of thing before as it seems quite trivial. Again though, nothing he's doing requires you to have any addons at all as RemoveExtraSpaces and CHAT_MSG_ADDON are both elements of the default WoW API (a function and event respectively).

If this happened to you a good first step to protect yourself would probably be to:

/run RemoveExtraSpaces=nil /run z:UnregisterAllEvents();

Which will undo the hooking of RemoveExtraSpaces to RunScript, and then remove the event handlers for CHAT_MSG_ADDON from the "z" button the attacker created.

 

Share this post


Link to post
Share on other sites
14 hours ago, Klynwe said:

This is scary, but  ive never seen one on Dalaran-EU

I've personally never seen it on my realm either, but it seems there has been a few reports on numerous servers on the forum thread

  • Like 1

Share this post


Link to post
Share on other sites
On 7/8/2016 at 3:26 AM, Klynwe said:

This is scary, but  ive never seen one on Dalaran-EU

Stormrage has seen it.

Today, on the PTR, I tried running a simple /run command that wipes out all action bars at once and the following warning popped up. Seems Blizzard took note to a degree.

Scripts.jpg

  • Like 1

Share this post


Link to post
Share on other sites
18 minutes ago, Sajakain said:

Stormrage has seen it.

Today, on the PTR, I tried running a simple /run command that wipes out all action bars at once and the following warning popped up. Seems Blizzard took note to a degree.

Scripts.jpg

Saw this mentioned in a reddit thread, very happy to see it coming into the game.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By Starym
      There's more class changes coming to the PTR and Visions of N'zoth, as Discipline Priests' Schism will only increase damage done from Priest effects only. For other class changes, featuring more Priest tweaks, as well as Druid, Mage, Monk, Paladin and Warlock entries, check out our initial coverage of patch 8.3.
      Disc Priest (source)
      I’ve added the following new fix to the notes in the OP:
      Priest
      Discipline Schism now increases damage done from Priest spells and abilities only. Developers’ notes: This is intended to be consistent with other class cooldowns. Other Patch 8.3 Content:
      Visions of N'Zoth Class Changes Visions of N'Zoth Development Notes New Forsaken Leadership in Patch 8.3 (Spoilers) Azshara's Bargain and the Key to Defeating N'Zoth (Spoilers) I'lgynoth's Whispers in Patch 8.3 (Analysis) Allied Races & Pandaren Death Knight Textures Added on 8.3 PTR Official Mechagnomes & Vulpera Preview Mechagnome & Vulpera Unlock Requirements Vulpera Heritage Armor Preview Mechagnome Heritage Armor Preview Mechagnome & Vulpera Dance Animations Vulpera Tidbits: Racial Mount, Shaman Totems, Hunter Pet Corrupted Rings with Kiss/Curse Effects from Ny'alotha New Essences in Patch 8.3 Ny'alotha Cloth Sets Preview Ny'alotha Plate Sets Preview Wrathion's Legendary Cloak Preview Alpaca Mounts in Patch 8.3 N'Zoth Serpent Mount in Patch 8.3 Aqir Flying Mount in Patch 8.3 Assaults in Patch 8.3 N'Zoth's Model in Patch 8.3 Ny'alotha Raid Boss Names & Descriptions Goblin & Worgen Heritage Armor Sets Preview Visions of N'Zoth Content Update Preview Ny'alotha Raid Testing: October 17th & 18th
    • By Starym
      There's been a lot of feedback on the Auction House changes introduced on the PTR and today Blizzard have responded to a lot of it, with some answers about how the AH will work in general, as well as PTR specific issues.
      Auction House (source)
      We think you can do this by using a combination of the “Uncollected Only” checkbox in the filter dropdown and the Armor/Weapon categories on the left.
      ...
      All versions of the same pet will be grouped in the same page. Since the auctions on that page will be mix of various levels, rarities, and stats, it’ll be up to the buyer to determine which pet they want to buy.
      ...
      At this time, we’re continuing with the 48-hour max duration the WoW auction house has always had.
      ... Thank you to everyone who has provided feedback so far!
      Here are some known issues that will be fixed on upcoming PTR builds:
      Dressing Room support (CTRL click) Linking to chat (Shift click) Durations showing the wrong times Then there's a lot of responses to current issues that are either PTR specific, or will be resolved quickly:
      AH (source)
      We don’t have wildcard functionality, but you can simply search for the first few words (example: Notorious Combatant’s Intuitive Staff) and it will return all items matching that.
        Not at this time, but thank you for the suggestion.
        The “Uncollected Only” filter will return all items that you don’t have the appearance for. As a result, you may see several items for the same appearance.
        There is a “Usable Only” filter that will only show you recipes you can learn.
        Not at this time, but thank you for the feedback.
        Not at this time, but thank you for the suggestion.
      ... Thanks! We’re aware of duration displays issues, and we’re working on that right now.
       
    • By Stan
      In Visions of N'Zoth, you will be able to purchase crates which contain items tied to specific Islands and invasions from a new vendor. Therefore, do not spend your dubloons until Patch 8.3 hits live servers.
      As you probably know, each Island has specific items tied to it ranging from battle pets, mounts, toys up to transmogs that you can get upon finishing an Island Expedition. We've datamined two categories of items that will be available for sale in Patch 8.3 from a new vendor.
      The first category includes Island-specific crates which cost 175 Seafarer's Dubloons each and you can purchase three at a time, depending on the Island Expeditions that are available during that week:
      Crestfall Salvage Dread Chain Salvage Havenswood Salvage Jorundall Salvage Rotting Mire Salvage Skittering Hollow Salvage Snowbloosom Salvage Molten Cay Salvage Un'gol Ruins Salvage Verdant Wilds Salvage Whispering Reef Salvage The second category are invasion-specific crates which cost 75 Seafarer's Dubloons each:
      Elemental Salvage contain items from Elemental invasions. Venture Co 'Salvage' contain items from Tol'vir and Black Dragon invasions. Other Patch 8.3 Content:
      Visions of N'Zoth Class Changes Visions of N'Zoth Development Notes New Forsaken Leadership in Patch 8.3 (Spoilers) Azshara's Bargain and the Key to Defeating N'Zoth (Spoilers) I'lgynoth's Whispers in Patch 8.3 (Analysis) Allied Races & Pandaren Death Knight Textures Added on 8.3 PTR Official Mechagnomes & Vulpera Preview Mechagnome & Vulpera Unlock Requirements Vulpera Heritage Armor Preview Mechagnome Heritage Armor Preview Mechagnome & Vulpera Dance Animations Vulpera Tidbits: Racial Mount, Shaman Totems, Hunter Pet Corrupted Rings with Kiss/Curse Effects from Ny'alotha New Essences in Patch 8.3 Ny'alotha Cloth Sets Preview Ny'alotha Plate Sets Preview Wrathion's Legendary Cloak Preview Alpaca Mounts in Patch 8.3 N'Zoth Serpent Mount in Patch 8.3 Aqir Flying Mount in Patch 8.3 Assaults in Patch 8.3 N'Zoth's Model in Patch 8.3 Ny'alotha Raid Boss Names & Descriptions Goblin & Worgen Heritage Armor Sets Preview Visions of N'Zoth Content Update Preview Ny'alotha Raid Testing: October 17th & 18th
    • By Starym
      Here come some more hotfixes for both retail and Classic, with the Classic side just being the already mentioned Dire Maul bug fix for stacking tribute buffs. On the BfA side we have higher chances for R4 Condensed Life-Force drops off Azshara, PvP fixes for Conflagration and more, increased gold rewards for weekly Island Expedition quests and Naga invasions for rank 70 neck holders and a lot more!
      October 16 (source)
      Items
      Increased the chances for someone who does not have a Rank 4 Condensed Life-Force (Essence) to loot it from Queen Azshara (Mythic difficulty). Pet Battles
      Fixed an issue that allowed some battle pets to become invincible after being resurrected in battle by Finduin or Gillvanas. Player versus Player
      Fixed an issue that caused Fire Mages’ Conflagration (Talent) to interfere with PvP diminishing returns on enemy targets. Resolved an issue that prevented characters that have not yet obtained their 9th weekly Conquest’s Reward from gaining the Spoils of War buff (50% bonus Conquest) during Rated Arenas and Rated Battlegrounds. Quests
      The weekly Island Expeditions quests, “Azerite for the Horde ” and “Azerite for the Alliance ” now reward 2,000 gold for players with a maximum-level Heart of Azeroth (level 70). World Quests
      Naga Incursions now award gold or war resources to players who can no longer progress their Heart of Azeroth (level 70). WoW Classic
      The buffs obtained from the guards in Dire Maul North after completing a tribute run will no longer stack.
    • By Stan
      Ny'alotha, the Waking City is the raid where we deal with N'Zoth and his forces and the armor is obviously heavily-inspired by the Old Gods. Today, we're looking at Cloth sets from the new raid.
      Cloth Sets from Ny'alotha, the Waking City
      Raid Finder

      Normal Difficulty

      Heroic Difficulty

      Mythic Difficulty

      Other Patch 8.3 Content:
      Visions of N'Zoth Class Changes Visions of N'Zoth Development Notes New Forsaken Leadership in Patch 8.3 (Spoilers) Azshara's Bargain and the Key to Defeating N'Zoth (Spoilers) I'lgynoth's Whispers in Patch 8.3 (Analysis) Allied Races & Pandaren Death Knight Textures Added on 8.3 PTR Official Mechagnomes & Vulpera Preview Vulpera Heritage Armor Preview Mechagnomes Heritage Armor Preview Mechagnome & Vulpera Dance Animations Corrupted Rings with Kiss/Curse Effects from Ny'alotha New Essences in Patch 8.3 Ny'alotha Plate Sets Preview Wrathion's Legendary Cloak Preview Alpaca Mounts in Patch 8.3 N'Zoth Serpent Mount in Patch 8.3 Aqir Flying Mount in Patch 8.3 Assaults in Patch 8.3 Vulpera Tidbits: Racial Mount, Shaman Totems, Hunter Pet N'Zoth's Model in Patch 8.3 Mechagnomes & Vulpera Unlock Requirements Ny'alotha Raid Boss Names & Descriptions Goblin & Worgen Heritage Armor Sets Preview Visions of N'Zoth Content Update Preview Ny'alotha Raid Testing: October 17th & 18th  
×
×
  • Create New...