How Not to Get "Hacked"
From TheReal
[Last Updated]: 2011/07/28
Patch: 5.2.0
Whether or not you've ever lost your account to a hacker, you NEED to read this to prevent it.
Foreword
For the sake of brevity, I will not be making a distinction between hacking and cracking for this write-up. Through popular use, hacking has become a word with a negative connotation, therefore I'm just going to perpetuate the evolution of language. This guide is a Wowhead community effort. Without several users and moderators, this guide would not be what it is today. Discussion of this guide can continue in its original home.
How to Tell if You've Been "Hacked"
The first sign that someone has stolen your account is the dreaded error message you will receive when you try to log in: "The information you entered is not valid." Don't go jumping to conclusions right away; instead, try retyping your user name and password. If you get the same message, start getting suspicious.
First, look up your character in the WoW Armory (US | EU). If any of your characters are stripped to their skivvies or have new professions or different specs, it's a sure sign someone is using your account for ill intent. If you are in a guild, have guild bank access, and can contact another member of the guild (by phone, Facebook, etc.), save your guild some headache and have your character's bank rights stripped until you can secure your account.
How Could this Happen?
Brute Force Attack
This kind of attack on your account is the rarest of the rare. Basically a hijacker learns an account name or guesses it, then tries every conceivable password he can think of. There are even programs out there that will try every word in a dictionary and every positive and negative number for 15 digits, then mix them together, then throw in special characters...basically, everyone's password can be cracked. All that's required is time. Thankfully Blizzard will temporarily freeze your account after several incorrect sign-in attempts, making password cracking by way of repeated attempts VERY time-consuming and not at all worth the investment of resources it would require.
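The temporary freeze after several wrong sign-ins described above is the defender-side control that turns "everyone's password can be cracked, given time" into "not worth the resources". The Python below is an added illustration, not Blizzard's code: a small login gate in front of a PBKDF2-hashed credential store that counts failures in a sliding window and freezes the account for a while once the limit is hit, refusing even the correct password during the freeze. The account name, thresholds and the `FakeClock` are constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Optional

# PBKDF2 work factor: an assumption for this demo, not Blizzard's storage scheme.
PBKDF2_ITERATIONS = 100_000

def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest) for a newly set password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

# Unknown accounts are hashed against a dummy record so response timing does not
# reveal which account names exist.
_DUMMY_SALT, _DUMMY_DIGEST = b"\x00" * 16, b"\x00" * 32

class LoginGate:
    """Refuses logins for an account after too many failures inside a sliding window."""

    def __init__(self, credentials, max_failures=5, window=300, freeze=900, clock=time.time):
        self.credentials = credentials      # account -> (salt, digest)
        self.max_failures = max_failures    # failures tolerated inside `window` seconds
        self.window = window
        self.freeze = freeze                # seconds the account stays frozen
        self.clock = clock                  # injectable so tests are deterministic
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.frozen_until = {}

    def attempt(self, account: str, password: str) -> str:
        now = self.clock()
        if self.frozen_until.get(account, 0) > now:
            return "frozen"                 # the right password is refused too while frozen
        salt, digest = self.credentials.get(account, (_DUMMY_SALT, _DUMMY_DIGEST))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        if account in self.credentials and hmac.compare_digest(candidate, digest):
            self.failures.pop(account, None)  # a good login clears the failure history
            return "ok"
        recent = self.failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                # forget failures older than the window
        if len(recent) >= self.max_failures:
            self.frozen_until[account] = now + self.freeze
            recent.clear()
            return "frozen"
        return "bad_password"

    def max_guesses_per_day(self) -> float:
        """Rough upper bound on online guesses an attacker gets per day against one account."""
        return self.max_failures * 86400 / self.freeze

class FakeClock:
    """Deterministic clock for the demo and tests."""
    def __init__(self, now: float):
        self.now = now
    def __call__(self) -> float:
        return self.now

if __name__ == "__main__":
    clock = FakeClock(1000.0)
    creds = {"thereal": hash_password("tqbfjotld")}  # constructed demo account
    gate = LoginGate(creds, max_failures=3, window=60, freeze=600, clock=clock)
    for guess in ("Password", "qwerty", "hunter2", "tqbfjotld"):
        print(f"{guess!r:14} -> {gate.attempt('thereal', guess)}")
    clock.now += 601
    print("after the freeze ->", gate.attempt("thereal", "tqbfjotld"))
    print("online guesses per day, at most:", gate.max_guesses_per_day())
```

With three failures per 60 seconds and a ten-minute freeze, an online guesser is capped at a few hundred attempts a day, which is why the guide's dictionary-plus-digits search is only a threat to a leaked password hash, not to the login screen.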
Voluntary Release of Account Information
Most of the time an account is compromised because its owner was tricked into providing the account name and password to a malevolent third party. I will call the following passage The Golden Rule. Repeat this until you know it and would willingly give up your eyes if you forgot it:
My account name and password should only be entered on the game's log-in screen and on the official site. There are no other cases in which I am to consider entering this information anywhere else.
Emails appearing to be from Blizzard sometimes ask you to provide account information because of suspected activity that goes against the game's ToS. Blizzard ALWAYS takes action first and then emails you later. Do not fall victim to a phishing email! Protect yourself with knowledge; read Blizzard's write-up on how to recognize phishing emails.
Another piece of information important to those who hijack accounts is the answer to your secret question. What's your secret question and answer? Don't know? You'd better find out and then become HIGHLY suspicious of anyone who wants to know anything that has to do with that question. Someone with access to only your account name and secret answer can hijack your account without your password. Be very protective of the answer and anticipate all the questions that could be asked of you to cause an accidental slip.
Oh, and never purchase powerleveling services. The powerleveler needs your account information to fill the order. Refer to the Golden Rule above.
Involuntary Release of Account Information
Here's where we get into the deep stuff. All manner of malware is capable of directly or indirectly stealing your account information. The most common form of malware that hijackers use is a keylogger. Keyloggers record your every keystroke and then email the log to a remote destination. The log of your key presses could very well contain your WoW account information. You can get your own keylogger by visiting a website that runs a script, exploits an unpatched vulnerability in your web browser, and installs the nasty bugger without your knowledge. Do not fret! Some free protections do exist against keyloggers, and we'll look at those in the next section.
Protecting your Account
Proactively
KNOWLEDGE - Educate yourself about how hackers steal accounts. You've taken the first step by stopping here.
EMAIL ADDRESS - Use an email address for your Battle.net account that you do not use anywhere else. Create one if you have to. Yahoo, Hotmail, and Gmail (among others) are all free. Gmail can even be configured to forward mail to your usual email address.
AUTHENTICATOR - The Blizzard Authenticator is an excellent tool that will help you maintain some degree of account security even if you choose to ignore the rest of the good advice here. Called a One Time Password (OTP) generator, the authenticator creates a second password that you need to log into World of Warcraft. The password generated is only good for about 15 seconds. The authenticator costs less than $10 and is easily linked to your WoW account.
PARENTAL CONTROLS - Consider setting up the parental controls through your account management page. Make it so that you can only play when you'd normally play. By taking this measure, you can basically lock everyone out of your account while you're away on vacation or even while you sleep. The password to configure the parental controls is different from the regular account password, so this is a very effective additional layer of security.
PASSWORD - Choose a complex password for your account. "Password" is not a strong password. "tqbfjotld" is a little stronger but needs some numbers and/or special characters. Is it too hard to remember, though? No: "The quick brown fox jumped over the lazy dog"; just using the first letter of each word in a common phrase provides better security than something like "qwerty." Go for a mix. "Ph560Yy!" is not entirely difficult and mixes things up nicely to help resist brute-force attacks.
REMEMBER ACCT NAME - Use the little box on the sign-in screen that's labeled "remember account name." If you don't have to type it in, some keyloggers cannot see it.
PASSWORD CHANGES - Change your password every so often. At the very least, change it every 60-90 days. The more often you change your password, the safer you'll be.
MULTIPLE PASSWORDS - Use a password safe like KeePass to store your website passwords. Oh, you only use one password for all 50 sites you visit? Naughty naughty. With KeePass, you can use a different, randomly-generated password on each of those 50 sites and only have to remember the one password to open your password list. And yeah, it's free also. This keeps you from writing down your passwords too, which is also a big security no-no.
ANTIVIRUS - Be sure your antivirus and antispyware programs are fully up to date, and perform regular scans at LEAST once a week and whenever you're done on the pr0n sites. Among the best free antimalware programs, I run Malwarebytes' Anti-Malware and Spybot S&D. Notable antivirus programs include Avira, MSE, TrendMicro, Panda, Avast!, and AVG.
BE PATCHED - Keep Windows and the rest of your software updated. Always install the latest version of any browser that you use. Internet Explorer is the most popular browser, so malware is more often written to target its vulnerabilities. Choosing another browser can be helpful as well. Mozilla Firefox or Chrome can emulate IE (using an add-on) for when you need to visit Internet Explorer-specific websites. Secunia PSI helps you keep software vulnerabilities patched up. Did you know that when Java updates it does not remove the old version? You can bet Java isn't the only program like this; Adobe Flash is notorious for this behavior.
BROWSER EXTENSIONS - Install the Mozilla Firefox or Chrome add-ons Web of Trust (also available for Chrome), NoScript, and AdBlock Plus (also available for Chrome). Web of Trust puts a color-coded icon representing a site's trustworthiness beside search engine results, NoScript takes care of those web sites that install keyloggers without your knowledge, and AdBlock Plus keeps spyware from loading too.
SNOOPFREE - If you're using Windows XP, install SnoopFree Privacy Shield. This one is the most important because even if you do get a keylogger, telling SnoopFree to block ALL attempts to hook your keyboard renders keyloggers completely useless. Sure, you may have 20 of them, but none of them can read your keystrokes.
VIRUSTOTAL - Upload any suspicious file, and every new add-on, to VirusTotal. They'll scan it using 39 different virus scanning products and let you know with almost absolute certainty whether the file is clean.
RESIDUAL THREATS - Only log into your WoW account from a computer you trust to be clean. Logging on from an Internet cafe or a friend's computer can expose you to any malware previous users may have left behind, either intentionally or unintentionally.
FREE WI-FI - Logging into your account over an unencrypted wireless connection is also risky. Packet sniffers can recover information sent over the network. Even though it's nice for Starbucks to offer a free wireless hotspot, don't use it for WoW.
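To make the PASSWORD item above concrete, here is an added Python example (mine, not the guide author's) that builds the "first letter of each word" password from the guide's own sentence and estimates how large the search space is for the three passwords the guide quotes. The character-class pools and the guess rates are assumptions for the demo; the numbers are worst case for an attacker working through every candidate of that length and alphabet.

```python
import math
import string

# Alphabet a brute-force search must cover, split into the classes the guide talks about.
# These pool sizes are an assumption of this demo, not numbers from the guide.
CHARACTER_CLASSES = {
    "lowercase": string.ascii_lowercase,   # 26
    "uppercase": string.ascii_uppercase,   # 26
    "digits": string.digits,               # 10
    "symbols": string.punctuation,         # 32
}

def phrase_initials(phrase: str) -> str:
    """The guide's trick: the first letter of each word, lower-cased."""
    return "".join(word[0].lower() for word in phrase.split() if word)

def pool_size(password: str) -> int:
    """Every class the password draws from widens the alphabet the attacker must try."""
    size = 0
    for chars in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    # Characters outside the four classes (space, accented letters) each add one symbol.
    others = {c for c in password if not any(c in chars for chars in CHARACTER_CLASSES.values())}
    return size + len(others)

def keyspace(password: str) -> int:
    """Number of candidates of this length drawn from this alphabet."""
    return pool_size(password) ** len(password)

def entropy_bits(password: str) -> float:
    """log2 of the keyspace; assumes each character was picked uniformly from the pool."""
    return len(password) * math.log2(pool_size(password))

def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Time to try every candidate at the given rate (the attacker's worst case)."""
    return keyspace(password) / guesses_per_second

def describe(password: str, guesses_per_second: float) -> str:
    years = seconds_to_exhaust(password, guesses_per_second) / (365 * 86400)
    return (f"{password!r}: pool {pool_size(password)}, {entropy_bits(password):.1f} bits, "
            f"{years:.3g} years at {guesses_per_second:g} guesses/s")

if __name__ == "__main__":
    phrase = "The quick brown fox jumped over the lazy dog"
    print(phrase, "->", phrase_initials(phrase))
    # 500/s is the rate quoted in the comments; 1e10/s is an assumed offline GPU rate
    # against a leaked hash, where no login-screen freeze applies.
    for candidate in ("Password", "tqbfjotld", "Ph560Yy!", phrase_initials(phrase) + "56!"):
        for rate in (500, 1e10):
            print(describe(candidate, rate))
```

Two things the figures show: adding a class (digits, symbols) to a short password helps, but adding length helps more, because the exponent is the length; and the bits figure is only honest for characters chosen at random, which the phrase trick does not quite give you, since common phrases are themselves guessable.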
Reactively
Easily the best thing to do if your account has been stolen is to visit Blizzard's Automated Account Recovery page. If for some reason you can't recover your account through the recovery page, the second-best option is to call them early in the morning and try to get in line early. Find your region in the list below and dial your region's number.
Phone Support:
(Hours: 8 a.m. - 8 p.m. Pacific Time, seven days a week)
US Account & Billing: 1-800-592-5499
Technical Support: 1-949-955-1382
Australia Account & Billing: 1-800-041-378
Mexico Account & Billing: 001-888-578-7628
Argentina Account & Billing: 0800-333-0778
Chile Account & Billing: 1230-020-5554
Online Support:
Support Web Form:
http://www.blizzard.com/support/webform.xml
Account & Billing: billing@blizzard.com
Mac Support: macsupport@blizzard.com
Technical Support: wowtech@blizzard.com
World of Warcraft Accounts: wowaccountadmin@blizzard.com
Scanning your Machine:
Restart your computer in Safe Mode with Networking. If you're unsure how to do that, just Google it.
Launch World of Warcraft but do not sign in.
Press Alt+Tab to go back to your desktop.
Start a complete antivirus scan.
Once the antivirus scan completes, run complete malware scans with your antimalware programs.
If your scans come up empty, restart your computer normally and try the scan process again. If you still come up empty, chances are that you're not infected and you may have been phished or in some other way gave up your account details.
Blizzard Authenticator Options
Order the Keychain Authenticator from the Blizzard Store. Currently $6.50 US.
Download the Mobile Authenticator on the iTunes® App Store™ for free.
Download the Mobile Authenticator on the Android™ Market for free.
Download the Mobile Authenticator on BlackBerry® AppWorld™ for free.
Download the Mobile Authenticator on Zune® for free.
In addition, Blizzard has a Battle.net Dial-in Authenticator (U.S. Residents Only) you can activate from your Battle.net Account page by clicking the Security Options setting at the top. The dial-in authenticator is free to use and will prompt you to call a toll-free number from a phone you've designated and enter the on-screen security code. The process takes less than a minute and will happen infrequently as long as you primarily log in from the same location/computer.
Acknowledgments
Special thanks to Gryphon, Headphonez, Federalagent, lolstorm, aptana, kardd, Sas148, and Strandvaskeren.
Please make additional suggestions and point out any dead links or grammar mistakes as you see fit.
Comments
Comment by asakawa
Good guide. Good initiative!
Comment by Glowyrm
Really nice, hopefully this will help some people guard their accounts better. I'm a techy and this is all good advice! Great work.
Comment by kebokaj
I got hacked once.
I think it was after logging in to warcraft in an internet cafe where it was installed.
I should have known better, I felt dirty after it happened.
Comment by 893161
Good guide! Having been on the receiving end of two hacks, I have had to learn this stuff.
You put it into an informative and easy to use guide! Props to you!
Comment by Slylady
Nice Guide (: There is some good info in here!
Comment by 894295
Very informative guide. Guild mate recently lost his toon after a phishing hack, I'm definitely sending him this link (maybe in a couple of days when smoke stops coming out of his ears).
Comment by ohiggins
Nice guide, nice info...
Comment by Glowyrm
Well I just remembered I have a great story to share that goes really well here. It's not exactly informative like the guide itself but rather a fun story pertaining to the subject of being hacked.
I have been hacked 3 times in my 7 year WoW "career". Each time I was actually kinda happy I got hacked, in a twisted kind of way (except for that 3rd time, which is when I decided to get an Authenticator and never got hacked again).
The reason for this is because I was 5-10k richer each time I got my account back. Blizzard has always been extremely quick to get me back into the game and make sure anything lost was found.
One time I was richer simply because the hacker was most likely a gold farmer and used my character to make some gold but got kicked off before he could transfer it off.
Another time, when I had gotten hacked, I had tons and tons of herbs in my bags and bank and apparently the hacker sold them all on the AH and made me a huge amount of gold. The GM that restored my account also restored all of the stacks of herbs but left the gold that was made from the selling of the originals.
So while hacking is usually a nasty experience for people, I have always gotten my account back within 24 hours or so with all my gear and tons of extra gold I didn't have before, lol.
The 3rd time I got hacked made me miss a raid though (end game hardcore raiding was my thing until a recent "break") so that's when I put my foot down and got the Authenticator!
It's the best thing I have done for my account and it's so cheap (plus you get an awesome pet!) that it's something everyone should do.
Comment by Monday
I'd definitely recommend that you keep advertising this around the forums. More people need this information!
Comment by Kalx
Just a tidbit on your password section:
The example you gave, while it's indeed mixed, is still too short; it wouldn't take long for a really good brute force to get through it (something around 1 week at 500 guesses a second). I usually recommend passwords of 13-16 characters, which, depending on how it's formed, could take years of guessing.
Comment by Elosha
Recently, I got hacked despite of having a very strong password, not giving nor leaving it anywhere, having a sense for malware/phishing, not having been victim of either of them, possessing a hardware + personal firewall, using a Mac, etc. – they somehow got the password and were able to log in without problems.
So I tell you: The only thing which can actually protect you atm is that damn Authenticator! It's much more difficult to hack than just getting the password from somewhere – which seems possible even if you really pay attention – and simply logging in to your account.
You don't have to buy it for $$ via credit card from the Blizz Store. It is available for most smartphones and so-called mobile media devices like iPod Touch and tablets as a free download in the corresponding software store (or at the Blizz website for some devices). Get it if you want more than just a feeling of security! If that isn't an option for you, you should buy the hardware Authenticator anyway.
Trust me – when Blizz returns the contents of all your bags and banks by in-game mail and you have to put all that back in place, you will seriously wish that you hadn't been hacked and had used that thing. Not to mention problems that may arise in your guild because the thief used the guild's bank vault as all-you-can-eat. And much worse, the strange feeling of penetrated privacy, especially if you respected all anti-hacking stuff and then Blizz tells you that it could have been a keylogger – there wasn't such a thing, but I panicked in the first place :(
And don't make the mistake of removing the authenticator if you need to re-log often due to game crashes or disconnects. :/
PS: There's no need to downvote good advice … lol.
Comment by 930175
Authenticator is free for smart phones, good information for those of us that are broke... mainly bc we just bought a smartphone
Comment by 931142
Thanks for the guide! This is very helpful for players! :D
Comment by 639649
Just need people to stop buying gold and power-levelling services and whilst that won't eliminate hacking altogether it will reduce it.
I don't know why anyone should buy gold any more; it is easy to accumulate gold now, even I can do it. Experience is easy to come by too, so it makes me wonder how lazy someone has to be to spend real life money on something so easy to get.
Comment by 286985
First things first: Thanks for a great guide.
Although I have never been hacked myself, either due to luck or thanks to me being overly suspicious of anything regarding the safety of my account, I will make sure to add some of the protection you advised. Thanks again.
Comment by 940032
And it may sound stupid, but NEVER log in from a computer other than yours.
The only time my account was stolen was because my girlfriend at the time got a nice keylogger on her PC and I used it to enter WoW.
Result? I was the sacrifice and she kept her account safe. It was my worst weekend ever, fearing all the time that I would lose everything I had. And I cursed every hour for a couple of weeks until I recovered (almost) all my items (and the guild items).
You can be sure: she is not my girlfriend anymore.
PS: at least I learned an important lesson. When you are on a weekend with your girlfriend you have better things to do than playing WoW, even for a couple of minutes.
Comment by 942258
If you don't want to install KeePass on your machine, LastPass is a web-based alternative. In addition, regarding brute force searches, modern GPUs can process 1,000+ guesses in a second. (If not on their own machines, then they might have commandeered a botnet, or using Amazon's cloud to do it on the cheap.)
So, just to make sure this really hits home:
"Make sure your password is long and complicated. It might be hard, but that's why there is password vault software available. Don't forget to protect the vault too!"
Comment by Sas148
I think it would be appropriate for you to add a section detailing the various types of Authenticators offered by Blizzard (most of which are free and can be set up in a matter of minutes).
Note: This has since been added.
Comment by Kardd
The email addresses you listed don't work anymore I think. You get a bounce back telling you to fill out the webform.
Also the phishing email link should now point to:
http://us.battle.net/en/security/theft#phishing
Comment by magicsimon
Follow these 3 guidelines and you will be as good as bulletproof for just about all WoW hacks:
Buy an Authenticator (Log into your Battlenet account to see how you purchase it)
Your password should be something that you never use anywhere else. It should be something that is not related to you in anyway. Even better if it doesn't really make sense. Never tell anyone your password. Blizzard will never ask for your password!
Get proper antivirus protection software like Trend Micro Titanium. Yes, it costs money, but with 30-60 thousand new harmful viruses etc. each month I would say that is about worth it!
I got hacked 3-4 times over a couple of years, until I got an Authenticator, proper antivirus protection and made my password very unique. Since then I haven't been hacked, which is about 3 years now I think.
One question:
When are you making the guide for How To Get Hacked? :D
Comment by spartanentropy
Just a heads up, there is also an authenticator for the desktop/laptop from iTunes.
Comment by Ladria
A great guide! I've been hacked once, and god knows it was a pain to find out (as a Guild Master) I had cleaned out the entire guild bank, lost all my gear and money, and there had been a lot of weird stuff happening on my characters.
The worst part was to talk to the GMs and try to fix it, then get spammed by endless mails from both my chars AND all the Guild Bank stuff. *Sigh*
So yeah, be on your toes even before you may get hacked - protect your PC and account!
Great guide with a lot of information on both how to sort it out if you've been hacked and ways to prevent it! *Thumbs up*
Ladria, EU Frostwhisper
Comment by Jollygood
Blizzard can be pretty proactive, even if you don't do a lot of these things. I was on vacation. I took the laptop to another city, turned off parental controls (which I do to myself so I can be awake at work in the morning), and got locked out of my account. Good on them. IIRC, I had to do some alternate form of contact with them (which was reasonably quick) and was able to access my account again.
I do support the parental controls feature. They can't log in if they can't log in. If you only play from, say, 6PM to midnight, you are leaving a smaller window for them to break in with.
Comment by WorgN6
Using really long email addresses can help cut down on the brute force as well.
As far as I know the email specification allows for names up to 255 characters.
So for example: Cake_pants_fourtythousand_x925098@DOMAIN.COM
Oh, never use Internet Explorer. Ever.
Comment by Xytrixz
Very nice guide, will help lots of people prevent the trauma of that dreaded conclusion I'm sure :) I know the traumas of a hack; my girlfriend was hacked before, as she found out when trying to log in at my house. She was in hysterics because god knows the amount of time she has put into her toons. Luckily on this occasion it was a false alarm, but her reaction alone says it all: stay safe, stay happy.
Comment by chomahead
no sharing account details :P
Comment by programmdude
Virus scanning addons would only yield a result if the addon contains binary files (.exe or the Mac package), and the only addon that even comes close is PlayerScore, which has an optional .exe download.
It's because addons use a scripting language (Lua) that doesn't run on your computer; rather, it runs through WoW. And WoW doesn't have any way of getting your password through addons.
Comment by Arxroth
Nice guide here.
Basically I've got nothing to add here, except: get the authenticator.
Also, I have for a long time had my account bound to an email address which I use only from a secure computer to communicate with Blizz, should there be reason.
Comment by smlbutstrong
Nice guide on keeping your hard work safe.
I use passwordMeter to check how strong my passwords are. It's free and gives a nice analysis of your password.
Comment by i3ai3oman
Nice guide! It is really basic stuff, but most people are not aware of this.
I'd just like to add one thing: some of the addons from app stores that require login info hack too.
I once downloaded an app (can't remember the name) that allowed me to use my iPhone as a fishing rod (motion) and the next thing I knew my bank and guild bank got stripped badly.
Luckily I recovered most of the items, but lost my guild bank access privilege ever since.
Comment by recronin
Though I use a Mac, I would like to add some tips regardless of what platform you use (some of which were already mentioned):
- Get the authenticator. It's free for iOS and others, and if you use the same computer to play WoW it only asks you for the authentication code every once in a while.
- Use a different password for every single account you use on every internet service. This includes not only WoW, but email, social media, and any other website. Otherwise, if a hacker gains access to one of your usernames and passwords he/she has all of them.
- Use a password manager to make the above easier. Using a mac I've been using a password manager for years called "1Password" - not sure if there is a Windows port however. 1Password can automatically generate a random and complex password for any site that you visit. A random/complex password is necessary.
- Never respond to an email requesting your username, password or any other personal info. Nobody but you ever needs to know it, no matter the threat or where the request came from.
Comment by Twizelbang
Get the authenticator + Core Hound reward (Core Hound Pup)
How do I get the special Core Hound Pup pet for authenticator users?
If you have a Battle.net Authenticator or Battle.net Mobile Authenticator attached to your Battle.net account, you'll find the Core Hound Pup item waiting for you in your in-game mailbox the next time you log in. Simply use the item to add it to your pet collection.
http://eu.battle.net/wow/en/blog/3557512
New Languages for Battle.net Mobile Authenticator: Português, Italiano, Polski
Comment by shadowboy813
The number one way to be sure you don't pick up any key loggers is to never ever ever use Windows on an administrator-level account unless you're actually administrating.
Create two user accounts on your Windows machine, one administrator and one standard user. Do not EVER browse the internet as an administrator. In fact, do not do anything but administer/maintain your computer on the administrator account. For every other task use the standard user account.
To do this, you will have to install WoW in a directory other than the default (the default installation path for WoW is a directory that only administrators have write access to). For example, you can use C:\users\games as a repository of all your gaming software, install games there, and give that directory and all subdirectories write access to all standard accounts.
The reason why browsing as administrator is bad: Administrator accounts have write access to everything. Malware can install itself without your permission and change your startup to make it very very difficult to remove the software. If you ran that browser as a standard user, you may still get the malware, but it will be confined to that limited-access account since standard users can not write to any system directories or the main registry hive. Removing the malware is as simple as logging on the administrator account and cleaning it out with anti-malware software or manually if you choose.
Comment by rbshanks
Nice guide, good info, I even picked up a new idea from it.
I was hacked about 3 yrs back (no authenticator at the time), and a suggestion from a guild member was to always cut and paste your password from another document. I have a text doc just for passwords on my desktop. This helps stop key loggers:)
A second idea we discussed in guild was about always saying something whenever you log in, and replying a few times. We even managed to stop a hacking in its early stages by doing this, but only once.
Thanks for the guide.:)
Comment by shadowboy813
Here is another very effective way to help your account security out. It's a two-step process.
1: Join an active guild.
2: Greet the guild as soon as you log on, every time, using a consistent greeting (such as "Greetings Programs!").
What effect does this achieve? Well, if you do this consistently and one day you log on but DON'T greet everyone, your guildmates can become suspicious and contact you via phone, facebook, whatever to verify that it is actually you logging on to your account. I have received text messages from my gm when I was basically alt-hopping to manage bank alt stuff. I let him know it was indeed me doing it. Basically if it wasn't me, I'd have found out about the hacking very quickly.
Comment by spartanentropy
Btw, it would definitely be helpful not to give out your WoW login email. Treat that as a password too, so those phishing/spamming hackers/crackers can't send you emails pretending to be real Blizz employees.