Our own Gareth Harmer has this to say about a new WoW exploit that is being widely discussed on Reddit:
When it comes to MMO accounts, there are some golden rules: never share your password, never run dubious software, and use two-factor authentication wherever possible.
According to reports from World of Warcraft players, it's now time to add another one to the list: never use chat commands from people you don't know. Ignore it, and you may find your characters without two copper coins to rub together.
The new scam initially sounds plausible enough. A perpetrator starts by selling slots to a Mythic raid - something that already happens regularly. To add plausibility, the perpetrator might impersonate an existing raid group, usually by having a similar name.
After inviting a potential mark to the raid group, they'll follow it up by asking the victim to run a chat command, usually under the pretence that it's to fix a raiding addon the group uses.
This single command allows the perpetrator to send scripts to the victim's Warcraft client simply by whispering (private messaging) them. It does this by redirecting a command meant to clean up chat text to a different command that is responsible for running scripts. Simple, yet incredibly effective.
The most common use for these nefarious scripts? Handing over all the victim's gold coins to the next person who opens a trade with them, which will usually be either the scam perpetrator or an ally of theirs. All the while, the victim is unaware that their Warcraft client has been compromised, until they notice that their in-game purse is mysteriously empty.
This new exploit is possible due to Warcraft's built-in command system and addon engine, which allow a user to run commands directly without any check or confirmation. It also enables chat messages to bypass input checks - something that's a big no-no in programming circles.
While it's likely that Blizzard will end up reviewing and patching Warcraft's command, scripting and addon framework, players are left with little option but to be vigilant. If you see a scam like this taking place, report it and leave the group.