Abusing the Armory
Over time these cries died down and the armory became a part of everyday WoW life.  Numerous sites use the armory for data (like WowJutsu and Wow Heroes).  Even the simple task of asking for feedback on your gear and spec choices is made simple through the site.  I can’t imagine not having access to this kind of info when I PUG difficult instances, nor could I imagine trying to recruit for a guild without it.

But recently, the armory has begun to be used for evil.

In the past week, players have reported receiving in-game mail from what appears to be their guild leader or officers of the guild directing them to go view a promotional video or something similar.  The link is to an .exe, which turns out to be a keylogger.  When you look closely, you’ll find that the from name is off by one character, typically an accented vowel whose accent is hard to discern in the mailbox frame.  In my old US guild, two people (including an officer) were hacked due to this – and not due to the same mail – one officer was taken out by a mail purporting to be from another officer, then a member was hit by a mail from what appeared to be yet another officer.
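As an added illustration (not code from the original post), here is a small Python check that folds accents out of a sender name and compares it against a list of trusted names, flagging the off-by-one-accent lookalikes described above. The trusted names and the sample mails are constructed for the example.

```python
import unicodedata

# Constructed sample data: the names a player actually trusts (e.g. guild officers).
TRUSTED_NAMES = ["Eloise", "Mordrek", "Thalindra"]


def fold_name(name: str) -> str:
    """Strip accents and case so 'Éloise' and 'Eloise' fold to the same key."""
    decomposed = unicodedata.normalize("NFKD", name)
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return base.casefold()


def differs_by_one(a: str, b: str) -> bool:
    """True when two same-length strings differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def classify_sender(sender: str, trusted=TRUSTED_NAMES) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for an incoming mail sender name.

    'lookalike' means the name is not an exact trusted name but either folds to
    one (accent or case trick) or is one character off from one.
    """
    if sender in trusted:
        return "trusted"
    folded = fold_name(sender)
    for name in trusted:
        key = fold_name(name)
        if key == folded or differs_by_one(key, folded):
            return "lookalike"
    return "unknown"


def flag_mail(mails):
    """Given (sender, subject) pairs, return the ones that are not from an exact trusted name."""
    flagged = []
    for sender, subject in mails:
        verdict = classify_sender(sender)
        if verdict != "trusted":
            flagged.append((sender, subject, verdict))
    return flagged


if __name__ == "__main__":
    # Constructed mailbox: one genuine officer mail, one accented lookalike, one stranger.
    sample = [("Eloise", "raid times"), ("Éloise", "check out this promo video"), ("Randomguy", "hi")]
    for row in flag_mail(sample):
        print(row)
```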

I’ll take a moment for a PSA on some preventative measures:
Alternatively, stop being noobs.  Preferably, do both.  But if you had an authenticator, it would save you from your own stupidity.

I would hope by now that nobody would follow a link to an .exe file that they received in their internet email.  So why do they do so when the mail is in-game?  Because it appears to come from a trusted person.  This type of phishing attack uses social engineering to play on human nature.

The reason I talk about the armory in this post is that the social engineering trick being used here wouldn’t be possible without the armory.  Before the armory, it wasn’t possible to see someone’s rank within a guild without being a member of that guild.  Even with the armory you can’t tell what the rank name is – just that they are rank 2 or 7 – but it’s a fair bet that rank 2 is an officer.

Without the armory, this particular scam wouldn’t be possible.

Should Blizzard make changes to the armory to prevent this type of abuse?  If so, what?  Require a login to see guild roster information?  Don’t show rank information without being logged in?  Only show rank info to members of the guild being viewed (the way the guild bank is today)?  Surely hackers (who are invariably involved with gold sales in some way) would keep a “clean” account that they could log into the armory with, sidestepping this measure.

What about the person who legitimately needs to find an officer of a guild to talk about applying, or to report some bad behaviour on the part of a member?  I suspect that the last use case is not compelling enough to keep the information available, even to logged-in users.

So Blizzard, how long until you remove that column for everyone except members of the guild?

More importantly, how long until people start thinking critically?  It’s not paranoia if they’re really out to get you, and the evidence suggests that they are.

Update: wow.com has an article detailing this and other scams making the rounds at the moment.