Cyber Incident Victim: Activision Blizzard
Date: Jan 2014
Location: United States of America
Summary
World of Warcraft users were targeted by a trojan disguised as a legitimate add-on management tool, distributed through unofficial websites appearing in search results. The malicious software compromised accounts by stealing login credentials and authenticator codes simultaneously during entry, bypassing two-factor authentication protections and enabling repeated unauthorized access even after password resets. Blizzard identified the threat as a fake version of the Curse Client, which operated by intercepting real-time authentication data, and provided detection guidance involving specific malicious filenames while recommending security scans for remediation.
Description
In early January 2014, Blizzard Entertainment warned World of Warcraft players of a sophisticated account-hijacking campaign involving malware disguised as the legitimate Curse Client add-on manager. The malicious software propagated through unofficial websites impersonating the authentic Curse domain, appearing prominently in search engine results for "curse client." Upon installation, the trojan operated in real time to capture both account credentials and authenticator codes generated through Blizzard’s two-factor authentication system, which sent temporary passwords to users’ smartphones. This enabled attackers to bypass security measures even when accounts were protected by Authenticators. Affected users reported repeated unauthorized access to their accounts despite password resets and active two-factor authentication. Blizzard confirmed the trojan was embedded within a functional but counterfeit version of the Curse Client, making detection challenging for victims who relied on visual similarities between the fake and legitimate software. The malware’s ability to intercept authentication credentials at the point of entry allowed persistent compromise, undermining conventional account recovery efforts.

Blizzard publicly disclosed the threat on January 6, 2014, urging users to verify they downloaded Curse Client exclusively from curse.com. The company advised infected players to inspect their systems for files named "Disker" or "Disker64" within startup programs using MSInfo diagnostic tools and provided removal instructions involving manual deletion of fake Curse files followed by scans with updated Malwarebytes software. Antivirus vendors were actively developing signatures to detect and neutralize the trojan at the time of Blizzard’s announcement. The incident underscored risks associated with third-party download sources, as attackers exploited search engine optimization to direct users to spoofed sites. No specific figures regarding the number of compromised accounts or geographic scope were disclosed, but the campaign demonstrated a targeted method to circumvent multifactor authentication—a rarity at the time—by capturing credentials and codes simultaneously during legitimate login attempts.
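
The startup-program check described above can be scripted. The following PowerShell is an added example, not Blizzard's or Curse's own tooling: it assumes the Win32_StartupCommand CIM class as the source of startup entries, and the function names and sample entries are hypothetical. It matches the file's base name exactly, so an unrelated program whose name merely begins with "Disker" is not flagged.

```powershell
# Added example: flag startup entries named Disker or Disker64.
$IndicatorNames = @('Disker', 'Disker64')   # file names from Blizzard's guidance

function Get-LeafBaseName {
    # Reduce a name or command line to the file's base name (no path, no extension).
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return '' }
    $t = $Text.Trim()
    if ($t.StartsWith('"')) {
        # Quoted path: keep what lies between the first pair of quotes.
        $end = $t.IndexOf('"', 1)
        $t = if ($end -gt 0) { $t.Substring(1, $end - 1) } else { $t.Trim('"') }
    } elseif ($t -match '^(.*?\.(exe|dll|scr|com|bat|cmd))(\s|$)') {
        # Unquoted path that may contain spaces: cut after the first extension.
        $t = $Matches[1]
    } elseif ($t -match '[\\/]') {
        # Path without a known extension: drop trailing arguments.
        $t = ($t -split '\s+')[0]
    }
    $leaf = ($t -split '[\\/]')[-1]
    return ($leaf -replace '\.[^.]+$', '')
}

function Test-DiskerEntry {
    # True when the entry's name or its executable is exactly one of the indicators.
    param($Entry)
    foreach ($value in @($Entry.Name, $Entry.Command)) {
        $base = Get-LeafBaseName $value
        if ($base -and ($IndicatorNames -contains $base)) { return $true }   # case-insensitive
    }
    return $false
}

# Constructed sample entries (not real data) to check the matcher offline.
$samples = @(
    [pscustomobject]@{ Name = 'Updater';     Command = '"C:\Users\a\AppData\Roaming\Disker64.exe" /s' },
    [pscustomobject]@{ Name = 'DiskCleaner'; Command = 'C:\Tools\DiskerasePro.exe' }
)
$samples | ForEach-Object { '{0}: flagged={1}' -f $_.Name, (Test-DiskerEntry $_) }

# Live check against this machine's startup entries.
$hits = @(Get-CimInstance -ClassName Win32_StartupCommand | Where-Object { Test-DiskerEntry $_ })
if ($hits.Count -gt 0) {
    $hits | Select-Object Name, Command, Location, User | Format-List
} else {
    'No startup entry named Disker or Disker64 found.'
}
```

A flagged entry is a lead for the manual removal and Malwarebytes scan the advisory describes, and an empty result only means no startup entry carries those two names.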
