The World of Warcraft community is abuzz over an infectious, gold-stealing scam affecting players across realms.
This morning, VICE Motherboard reported that a scam with “a sophisticated combination of social engineering and malicious code” is spreading through a sort of viral word-of-mouth chat script.
On Reddit, WoW player MrNoobyy described how another player, impersonating a representative from a known guild, spammed his trade chat claiming to sell Mythic gear and mounts at a good price. When MrNoobyy inquired further in a direct message, the player asked to see MrNoobyy’s gold in a trade window. That’s when things get scammy: The player then pasted a /run command, code that runs a new application, into the chat box, claiming that the guild uses “custom raid bars and alot of stuff interferes with our UI [user interface].” The scammer then asked MrNoobyy to enter that command.
By using /run commands, World of Warcraft players can run special scripts that allow them to do all sorts of things within the game, like design custom user interfaces. The flip side is that users unfamiliar with the code might blindly run a custom script that was created by a scammer, inadvertently doing something unpleasant… like giving them all of their gold.
Most players know not to /whisper to strangers or enter commands they aren’t familiar with. Unfortunately, the scam appears to account for that. MrNoobyy didn’t bite the bait, but he said that a week later, his Guild Master messaged him with the same script. Players who run the command have found that their gold coffers are emptied and they become part of the scam, /whispering the viral script to other players. Victims are more inclined to believe that the messages are legitimate when they’re coming from longtime friends or guild members.
One Redditor said that a number of people in his trade each lost over 500,000 gold, a high sum that requires weeks of toil.
It’s not quite clear exactly how this scam functions. The most well-received explanation on the WoW subreddit reads: “It works by replacing a global function that gets called (by the vanilla chat frame) whenever a message is received, with a function that runs the message as if it had been written after /run by the receiver. It allows them to remotely script your UI. The piece of code they whisper you after you input the seemingly harmless /run hooks it up to the chat message event, allowing them to hide any script messages. Meaning they can do anything an addon can, but remotely without you knowing it.” Essentially, his theory is that another person gains control of the victim through a hidden chat channel enabled by the /run command.
Multiple players have reported the scam to Blizzard, one alleging that it took nine hours for Blizzard to address a repeat offender. Yesterday on the World of Warcraft subreddit, a Blizzard representative said that they’re looking into the scam. Blizzard has not yet responded to a Kotaku request for comment.
Here are Blizzard’s tips for avoiding in-game scams.