A Gold-Stealing Script Is Rapidly Spreading Across 'World of Warcraft'

Running an add-on script forces victims to give away in-game gold.

Ian Birnbaum

Image: Blizzard

World of Warcraft players are being attacked by a scammer or scammers with a sophisticated combination of social engineering and malicious code this week that forces them to give up their in-game money.

In a reddit thread posted Wednesday morning, one user described a persistent scammer who impersonates well-respected player groups ("guilds," in World of Warcraft parlance) and sends private messages to targets.

The attacker asks players to type a command into their chat window, ostensibly to test an add-on or configure a custom user interface. These mods are common, especially for high-level players, and many guilds require members to use custom interfaces or guild-specific mods. If players run the provided script, the attacker will begin communicating with the victim's user interface, opening trade windows, emptying in-game bank accounts full of valuable player items and in-game currency, and sending out new attacks to the victim's friends.

"One of the people in the guild did as the hacker asked, and is now whispering [sending a private message directly] other people scripts that he can't even see, the same script the scammer and hacker is using, and also a few others," the user wrote. "No idea what's going on. For lack of a better word, it's like...the script infects the users who run it, forcing them to become part of it."

Chat transcript of an attempted hack, posted by a WoW forum user. The actual text of the add-on and script have been edited out. Annotations added by the author. Image: Hucklebuck

In this chat transcript posted by a WoW player who also encountered the scammer, the attack begins with the request to run a script. The attacker immediately sends a direct message that would, if the victim had actually taken the bait, began to give the hacker control.

A character taken over by this attack will begin to send direct messages to their friends with the malicious code. Many players know not to run scripts or install software sent them by random people from the internet, but they're more likely to trust their best friend, long-time gaming buddy, or high-ranking superior within their guild. This attack is spreading because this process is effective—think of it as an in-game spear phishing attack.

The process involved here is very similar to an attack that began earlier this year using WeakAuras, a common add-on that sets up custom scripts and shares them with others. "This Aura, if loaded by you, will force you to trade the scammer all of your gold if a trade is initiated, regardless whether it is you or the scammer who initiates the trade," a user warned others in January. "You won't see a trade screen. You won't get to click a button to confirm it. All you will hear is the sound of coins, and your gold will be gone."

A character taken over by this attack will begin to send direct messages to their friends with the malicious code

Redditors who looked at the script don't think that the more recent attack is exactly the same as the WeakAuras attack.

Initially, it seemed as if this attack was taking advantage of a vulnerability in WoW add-ons, but users have since discovered that they were vulnerable even if they didn't have any add-ons installed. The malware in this case is, in fact, automated, and it attacks WoW's standard user interface.

Blizzard doesn't officially support add-ons and categorically does not support any of the real-world cash to in-game gold trades that are often being advertised to begin this kind of attack. This puts the burden of caution on players—as one moderator in the WoW subreddit reminds players, "Also note that Blizzard does NOT support paid runs for cash or gold, if you get scammed, your gold is gone."

Blizzard did not respond to a request for comment.

Update: This article initially stated that a WoW add-on named Prat is what allowed this script to spread from player to player. Since publication, players have discovered that the script could attack WoW's standard user interface, even if the player didn't have any add-ons installed. This article has been updated to reflect that.