Guide: Spotting Keyloggers
Written by Wildchild.
This guide is written on the US forums by Shorticus of Spinebreaker. It covers some stuff that should be common knowledge to seasoned gamers and internet junkies. On the other hand, I’ve seen many people lose their accounts, some even IRL friends that should have known better. My personal advice for the readers, before i present Shorticus guide is: Use Firewall, Antivirus, Firefox + NoScript addon, and your common sense, since no software can offer a protection against human recklessness. Always be wary and paranoid when it comes to ’strange’ links and files! Even if you use authenticator for battle.net (wow etc), those warms will drill holes in your system, so you’ll have to either fix it, or reinstall. In anyway, it is work… so, it’s better to be safe, then sorry! :>
- What’s a keylogger?
See the links at the end of this post, please.
-A very short post containing a link and very little text
-A topic in a forum that it has nothing to do with (ie, a post about mages in the death knight forums)
-A post in a topic it has nothing to do with, a non-sequitur, or a post that doesn’t mean anything
- These are all indicative of keyloggers because keyloggers are generally hard-coded with one or two messages which they then spam at random. Having little text makes it more likely that random chance causes the message to have something to do with the topic. It also makes you curious to see what’s in that link and makes it more likely that you follow it (and, thus, get infected)
- Broken english
- Links that APPEAR to link to WoW fansites
- Look at the link text you’re using. Many keyloggers will use things that look like reputable WoW fansites such as wowhead, mmo-champion, worldofraids, and similar, but have additional stuff at the beginning, substituted letters (capital i in place of lowercast L, the letter o switches with the number 0, etc), and similar. Do not blindly copy and paste; down that path lies account theft.
-Post history is the same post over and over
- Since keyloggers are just posting the same thing over and over on a program, the keylogger’s recent post history, if they’re actually a keylogger, will probably be dozens of instances of the same post. You can find a poster’s post history by clicking the small magnifying glass next to their character icon.
-Deja Vu
- In the instance of topics, if you see a topic in one forum, then go to another forum and see exactly the same topic, it’s probably a keylogger.
-Outdated Subject
- If the person posting the link is talking about a horribly-out of date issue like the upcoming WoTLK release, patch 2.4, something that’s already in game being leaked, or similar, it’s almost definitely a keylogger.
-Read the topic!
- If it’s an active thread, every post after the keylogger will probably have people pointing out what exactly it is.
-Sexual Content
- I know you’re probably an easily excited 13-year old who’s just discovered internet naughty pictures and thinks they’re the greatest thing ever, but if someone posts a link and claims it’s a picture of something naked, sexy, or naughty in any way on these forums I can give you a 99.99% guarantee it’s a keylogger. Don’t click it.
-SPECIFIC EXAMPLE: “Leaked T7/T8 bonuses”
- The most complex keylogger currently circulating the forums involves multiple keylogged accounts. The one starting the topic posts the link; the next 5-6 posters will be the other hijacked accounts posting responses as though the link is credible; in this case, talking about a supposed website containing the set bonuses for T7/T8. The order the accounts post in is rotated in order to prevent the “cloned post history” issue. Since it appears to be a legitimate conversation, it lowers suspicion, and also means posts alerting to its keyloggerness will be pushed very far down the page.
What to do about it:
-Use a more secure internet browser!
- Internet Explorer’s older versions have tons of security holes the websites keyloggers link to will exploit. More recent versions fill some of these holes. The Firefox browser (especially with the Noscript addon) is fairly secure; as are others, as they generally stop “hidden” downloads that a website invisibly begins to install files on your computer without your knowledge.
- When in doubt, DON’T CLICK THAT LINK!
- You can live without seeing what might be a picture of someone’s big crit or a website with ‘good news!’ on it.
- If you clicked it, change your password IN A SECURE FASHION, and do not log onto the WoW forums or WoW servers until you confirm your computer is clean.
- “In a secure fashion” means “On a different computer which you’re sure is secure.” If you are already logged into the game or forums when you click the link, the keylogger cannot get your password; you have to type it in on your keyboard for it to find it (hence, ‘keylogger’- it records your keystrokes).
Run antivirus and anti-malware programs immediately
- Run your most up-to-date antivirus checker, preferrably more than one. Adittionaly, several freely available programs such as Ad-aware and Spybot search and destroy specifically check for this type of program.
Last resort: Never come to these forums again.
I’ll miss you.
RELEVANT LINKS:
Official blizzard statement on keyloggers: http://forums.worldofwarcraft.com/thread.html?topicId=1778038509&sid=1
Account compromise information center: http://forums.worldofwarcraft.com/thread.html?topicId=3773308319&sid=1
9 Comments so far
Leave a reply
Hot debate. What do you think?
4 
6
Hot debate. What do you think?
5 
3
I open WoW ->
Get to the log in screen ->
Run the application… Which copies my password to clipboard(without me even typing it), and then minimizes for 5 seconds, letting me paste the PW into WoW ->
Click Login ->
Program automatically copies a bunch of jibberish letters to wipe my PW from clipboard, and then closes.
This prevents me from ever having to type my PW, or even copy it manually, and leaves the PW on my clipboard, only long enough to log in.
Hot debate. What do you think?
6 
4
This site http://www.virus.gr/portal/en/content/2009-08%2C-10-august-05-september
show a huge comparative tests of antivirus programs.
Good paid one (1 year subscription): Kaspersky Internet Security
http://www.kaspersky.com
Good free one: AVG
http://free.avg.com
With these… no more problem at all.
P.S. i am not english native so please don’t flame my writing too much
Well-loved. Like or Dislike:
14 
2
Using 2 emails is another good idea. I use one for everday use like, chatting on MSN, yahoo, or signing up to forums an such. An one very very privte email. ONLY used for things like XBL, WoW, an things like that, where I know no one will see it.
Well-loved. Like or Dislike:
4 
0
Helpful guide but i find the best way to prevent keyloggers is…well…to not type your passwords. If you run the osk.exe command it opens an on screen keyboard. Use this to type your passwords into a text document somewhere on your computer. Then it’s just copy/paste every time you want to log in.
Like or Dislike:
3 
0
well i use avast. its FREE, and yes i have seen the “warning trojen, worm, keylogger” pop up on some ad’s on legit sites (wowwiki, wowhead, elitistjerks) so its not just links guys, its ADs too – so even if u never click links, your still at the same risk just by sitting on a website. So my advice, follow all of the above, but also know how to Report ad’s from a site (my antivirus tells me wat the file is, and also exact data info) screen shot, and send to the sites head admin for them to fix and delete the ad.
Like or Dislike:
1 
0
I find the best advise to anyone is if they see these sites and what not in game not to go to them not to mention Blizzard will never wisper you in game chat they normaly have their little window that pops up saying that a GM would like to speak to you.
Like or Dislike:
2 
0
My trick is that I only surf with my I-Pod, even right now. Doubt there’s the slightest chance my computer’ll get affected that way
Like or Dislike:
0 
0