New Home and the Phish Phrenzy

Aug 20 2010

So here we are at the new place.

I’ve chosen a more…spartan….theme.

Just enough formatting to not think I’m just using Notepad, but nothing too distracting.  Please, let me know what you think.

I’m not updating the Phish pages with the new entries.  I’m still looking into that.

On to the subject at hand:

This week has been quite active when it comes to Phishes, I got about double what I got last week.

The vast majority of them were still Beta phishes (12 of them) but there seems to be a resurgence of the “account changes” kind.

Also, the 2 new ones we reported last week have been active this week.

Here’s the counts:

  • Suspicious activity: 2
  • Beta: 12
  • Account Invasion getting worse: 3
  • Official BS: 1
  • Number of illegal transactions: 2
  • Account Modification: 6

I guess the idea of pasting in paragraphs from several different official e-mails to make a “valid” new phish is catching on.  Biggest problem the phishers have to date is they can’t seem to paste in ENTIRE paragraphs.

I’ve gotten quite a few e-mails that start off mid sentence…like:

Hello
The Battle.net account is a centralized account system that will let you manage all of the Blizzard Entertainment games you play, including World of Warcraft and future games, in one place without having to remember multiple sets of login information.

Ya, that may look like it makes sense, but then it launches into:

We highly recommend that you take this opportunity to verify your account information.

And then:

Blizzard only collects personal information on a voluntary basis.The personal information you provide Blizzard will allow us to fulfill your product or service order; alert you of new products or services, features, or enhancements

So ya, now you are so twisted around trying to figure out the context of these three paragraphs that you end up with no idea what the e-mail is about….

Which is maybe their goal.  Put together enough “verbiage” in one place that it stupefies the user into thinking it’s legitimate.

What’s that old saying?  Oh ya:  If you can’t dazzle them with brilliance, baffle them with bullshit.

Well my dear phishers, this is bullshit of the most stinkiest kind…but I’m not baffled…are you?

Oh!!

I got this GREAT e-mail this morning…

This phisher has pretty much just given up, no attempt at all to try to sound official or anything, just one very small, barbless hook:

Your account has been closed. To prevent your account stolen.
Please verify your account information.

Visit:battle.net/account/support/login-support.xml
Verification will be lifted after the close! Continue to play!

No greeting, no signature, not official wording or fluff.

Just right to the point…”We locked you out! So click here!!”

Of course, his English could be better…but there ya go.

So, let me know what you think of the new theme.  For now this post will be duplicated on the old site to maintain continuity.  But probably starting next week I’ll wipe the old site and put up a static message just linking here.

As for the Phish Library.  I’m still looking into that.  I’ve had a few friends drive me towards using WordPress exclusively and pointed me in the direction of a few plugins, but that didn’t pan out.

I’m not saying I’m giving up totally on WordPress, if someone shows me how to get this done I’d jump on it in a heartbeat.

Basically here is the challenge:



New Phishes and I’m moving!

Aug 13 2010

Well, looks like the level of Phish activity wasn’t as frantic as it was last week, but I still did get a fair number of Phishes.

Including 2 new phishes!!

Suspicious Activity is a lovely little Phish where they are saying your payment has been canceled due to suspicious activity and you have to login to verify…wait…locked…logged in…AAAAHH!!

Automatic Recovery is a really neat Phish.  This one claims they have a new website for recovering hacked accounts, which requires you to visit a site and wait for 2 days while they investigate.  And then…and this is the best part…if you don’t hear from them in 2 days, do it all over again!

Here are the counts of last week’s activity:

5 Beta

1 Account Change Confusion

1 Controversial Account Transaction

3 Selling Account

3 Account Invasion

On another note:  I feel I’ve reached the limits of patience with trying to do a Phish Library in WordPress.  It’s a great blogging tool, and I’ll still use WordPress for my blog.  But trying to keep a library of pages just doesn’t fit in WordPress’ feature set.

So, it inspired me to get a real domain!!!

Yes, that’s right

I’ve got an official domain for this wonderful site now:

Welcome to PhishWorld.com!

The world of Phishes, all for you at a low LOW price of just $19.95

…ok, maybe not

But ya, http://phishworld.com is up (Although not a lot is there…just my fish tank.) and the blog should be up in short order over at:

http://blog.phishworld.com

So, get ready to update your bookmarks and when I get the blog running I’ll post a notice.

For now, everything will stay the way it is and all content will still be in WordPress until I get the library all up and running the way I like, it’ll just be all on blog.phishworld.com

YEAH ME!!!


Phish: Automatic Recovery

Aug 13 2010

Here’s the e-mail:

Return-Path: swalterbentley@hotmail.com
Received: from wowff.com ([98.126.10.159]) by BLU0-SMTP59.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Mon, 9 Aug 2010 18:27:52 -0700
Sender: swalterbentley@hotmail.com
From: “wowaccountadmin”
To: <jayras@gmail.com>
Subject: World of Warcraft Account Password verification

Greetings ,

We have determined that the World of Warcraft account MUZU been accessed/compromised by someone not authorized to do so by the World of Warcraft Terms of Use (http://www.worldofwarcraft.com/legal/termsofuse.html).

To protect your privacy and security, we have temporarily disabled this account. Any recurring subscriptions have been suspended to prevent further monetary charges. In order to regain access to the account, you must complete the steps below to secure the account and your computer.

Please keep this email for your reference until the account recovery process has been completed.

STEP 1: SECURE THE ACCOUNT, YOUR COMPUTER AND YOUR EMAIL ADDRESS
Account compromises most often occur when a player shares login information with an unauthorized third party or plays on a computer that has a virus, Trojan, or key-logger. We recommend following the http://us.battle.net/security/checklist.html on our Account Security site at http://us.battle.net/security/index.html.

STEP 2: RECOVER THE ACCOUNT
We now provide a secure website for you to verify that you have taken the appropriate steps to secure the account, your computer, and your email address. Please go to this site and follow the instructions:

http://us.battle.com/account/support/password-reset-confirm.htm?ticket=BC9E6EFC85206C409C5A42AE45F2373752E47BCA161020F76C40DC2D8C7

STEP 3: VERIFY YOUR SUBMISSION WAS RECEIVED
We will contact you with further instructions once we have received and processed your submission. If you do not receive a reply within 48 hours of submitting this form, please resend it from the address listed above.

Please be aware that if unauthorized access to this account continues after the recovery process is complete, it may lead to further action against the account.

Regards,

Neil G.
Game Master Bahrdrak
Customer Services
Blizzard Entertainment
www.blizzard.com/support

Let’s see here:

  • Header shows the e-mail is from Hotmail.
  • No Personalized Greeting
  • They list an account name of “MUZU” which is no longer possible.
  • Link goes to eu.btttle.net
  • Another link goes to: eu.battlp.com Double danger on this one…

OK, this e-mail is a trip.
First big mistake they made is actually specifying an account name in the body of the e-mail.

We have determined that the World of Warcraft account MUZU been accessed/compromised by someone not authorized

Since the Phisher really has no idea who you are, they have a one in 30 million chance of getting this right (Assuming they are actually specifying a valid account name.)
Problem here is: They aren’t specifying a valid account name. Long ago Blizzard decided to have all WOW accounts authenticate through Battle.net
Battle.net accounts use the e-mail address as the account name. Which means an account name of “MUZU” is no longer possible.

Ooops. Guess they missed that memo?

Step 2 is a new one. They are claiming Blizzard has locked your account, but they have a recovery website in order for you to “verify that you have taken the appropriate steps to secure the account.”
Which would mean they would have to find some way to scan your computer for viruses/malware/trojans, validate you have the appropriate patches (Not to mention they must have a list of the appropriate patches) and somehow verify you secured your e-mail with a new password. OR even created a new e-mail account.
If Blizzard DID have that ability, they could simply add that to the Launcher and there would be no more hacked accounts EVER!!
But since the vast majority of that currently requires human intervention they can’t do that.

But, then we have step 3:

We will contact you with further instructions once we have received and processed your submission.

Which would imply they can’t do that automatically and are asking you a bunch of questions to be evaluated at a later time.

Now, this next bit is my favorite part of the e-mail:

If you do not receive a reply within 48 hours of submitting this form, please resend it from the address listed above.

WOW, that is just BRILLIANT!
They are basically saying this verification process can take up to 2 days.
Which gives the phisher a free 2 day pass to strip your account down.
Then, to add insult to injury, they advise you to go through the same Phishing steps if you don’t hear back from them. Giving them more chances to ensure you gave them the proper information to get into your account for another 2 days!

So, if you fall for this one, you get a chance to fall for it twice!!

Oh ya…BTW…Not Blizzard.


Phish: Suspicious Activity

Aug 13 2010

Here’s the e-mail:

Return-Path: <noreply@battle.net>
Received: from 20100629-2109 (host-66-59-248-49.static.linkline.com [66.59.248.49])
by mx.google.com with ESMTP id n11si10217572anh.49.2010.08.08.20.47.36;
Sun, 08 Aug 2010 20:47:40 -0700 (PDT)
Received-SPF: fail (google.com: domain of noreply@battle.net does not designate 66.59.248.49 as permitted sender) client-ip=66.59.248.49;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of noreply@battle.net does not designate 66.59.248.49 as permitted sender) smtp.mail=noreply@battle.net
Message-Id: <4c5f7a5c.0bf0640a.34c5.2113SMTPIN_ADDED@mx.google.com>
From: noreply@battle.net
Subject: Flag this messageBattle.net Account Locked
To: jayras@gmail.com
Sender: noreply@battle.net

Due to suspicious activity, your Battle.net account has been locked. To restore access to this account, please follow
these steps:

Step 1: Secure Your Computer

In the event that your computer has been infected with malicious software such as a keylogger or trojan, simply changing
your password may not deter future attacks without first ensuring that your computer is free from these programs. Please
visit our Account Security website to learn how to secure your computer from unauthorized access.

Step 2: Secure Your E-mail Account

After you have secured your computer, please create a new password for your e-mail account since it may also be
compromised. Be sure to check your e-mail filters and rules and look for any e-mail forwarding rules that you did not
create. For more information on securing your e-mail account, visit this Support page.

Step 3: Log in your Account
You must Log in your Battle.net account. Please click this link:

http://us.wow-batt1e.net/account/login.html?app=wam&ref=https%3A%2F%2Fwww.worldofwarcraft.com%2Faccount%2F&eor=0&app=bam

If you still have questions or concerns after following the steps above, feel free to contact Customer Support at

http://www.worldofwaroraft.com/account/login.html?.

Sincerely,
The Battle.net Account Team
Online Privacy Policy

Let’s see here:

  • Header shows it’s from Battle.net, but with an invalid sender (I hate that Google still allows this!)
  • Links to: us.wow-batt1e.net Which almost looks like battle.net, but it’s wow- and that l is actually a 1 (one)
  • Also links to: www.worldofwaroraft.com WOW…double bad on this one.

Hmmm…Good advice on Steps 1 and 2…
Step 3 however…we’re running into a logic gap…
E-mail started off saying:

Due to suspicious activity, your Battle.net account has been locked.

But now it tells you to:

Step 3: Log in your Account
You must Log in your Battle.net account.

See the problem there? The account is LOCKED, but I MUST login to my account.
Oh CRAP
WHAT DO I DO??!!!???

So, ya, slight logic gap there…
Of course, if I still have questions I can go to that other Phishing website to get an answer…

So, ya…Not Blizzard.
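The header and link checks used in these write-ups (Return-Path versus From, the Received-SPF verdict, near-miss spellings of the real domains) can be scripted. This is an added example, not part of the original post; the function names and the edit-distance threshold of 2 are assumptions, and both sample messages are constructed from the patterns shown above.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the genuine mail and links discussed in these posts use.
LEGIT = ("battle.net", "blizzard.com", "worldofwarcraft.com")

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Last two labels of a host name (enough for .com/.net; not a public-suffix lookup)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(host, max_distance=2):
    """Return the legitimate domain this host imitates, or None.

    max_distance=2 is an assumed threshold; on short names it can also
    match unrelated real words, so treat a hit as a flag, not a verdict.
    """
    dom = registrable(host)
    if dom in LEGIT:
        return None
    name = dom.rsplit(".", 1)[0]
    for legit in LEGIT:
        brand = legit.rsplit(".", 1)[0]
        # Also test each hyphen-separated piece, e.g. "wow-batt1e" -> "batt1e".
        for piece in [name] + name.split("-"):
            if edit_distance(piece, brand) <= max_distance:
                return legit
    return None

def addr_domain(header_value):
    """Domain part of the address in a From/Return-Path style header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Return a list of findings for one raw message (headers + plain-text body)."""
    msg = message_from_string(raw)
    findings = []
    rp, frm = addr_domain(msg.get("Return-Path")), addr_domain(msg.get("From"))
    if rp and frm and registrable(rp) != registrable(frm):
        findings.append(("sender-mismatch", rp, frm))
    spf = (msg.get("Received-SPF") or "").split()
    if spf and spf[0].lower() in ("fail", "softfail", "hardfail"):
        findings.append(("spf", spf[0].lower()))
    for url in re.findall(r"https?://[^\s<>\"]+", msg.get_payload()):
        host = urlparse(url).hostname or ""
        brand = lookalike_of(host)
        if brand:
            findings.append(("lookalike", host, brand))
    return findings

# Constructed sample: forged battle.net sender that fails SPF, lookalike links.
SPOOFED_FROM = """\
Return-Path: <noreply@battle.net>
Received-SPF: fail (mx.example: domain of noreply@battle.net does not designate 192.0.2.10 as permitted sender)
From: noreply@battle.net
To: player@example.com
Subject: Battle.net Account Locked

You must Log in your Battle.net account. Please click this link:
http://us.wow-batt1e.net/account/login.html
Contact Customer Support at http://www.worldofwaroraft.com/account/login.html
"""

# Constructed sample: free-mail envelope sender, From claims blizzard.com,
# and the visible link text is the genuine domain.
FREEMAIL_RELAY = """\
Return-Path: sender@hotmail.com
From: "wowaccountadmin@blizzard.com" <wowaccountadmin@blizzard.com>
To: player@example.com
Subject: you must complete the steps below

To do so, simply click here:
https://us.battle.net/login/login.xml
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_FROM), ("freemail", FREEMAIL_RELAY)):
        print(label, triage(raw))
```

The second sample shows why the header check matters: the visible link text is the genuine domain, so only the Return-Path mismatch gives the message away.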


Phish: Controversial Currency Transaction.

Aug 06 2010

Here’s the e-mail:

Return-Path: wigoz_88@hotmail.com
Received: from xg ([125.45.155.171]) by BLU0-SMTP91.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Mon, 2 Aug 2010 10:56:08 -0700
Reply-To:
From: “wowaccountadmin@blizzard.com” <wowaccountadmin@blizzard.com>
To: <jayras@gmail.com>
Subject: you must complete the steps below to secure the account and your computer

Blizzard Entertainment is dedicated to creating the most epic gaming experiences ever; making sure that your information is safe and secure is an important part of that effort.
We have the evidence to prove that your account  involved in the controversial game currency transaction .The investigation will be continued by Blizzard administration to determine the action to be taken against your account.
To ensure the legitimacy of your account, we need you here to check your account status as soon as possible.
Any recurring subscriptions have been suspended to prevent further monetary charges. In order to regain access to the account, you must complete the steps below to secure the account and your computer.
The Battle.net account is a centralized account system that will let you manage all of the Blizzard Entertainment games you play, including World of Warcraft and future games, in one place without having to remember multiple sets of login information.
We highly recommend that you take this opportunity to verify your account information.To do so, simply click here:

https://us.battle.net/login/login.xml?ref=https%3A%2F%2Fus.battle.net%2Faccount%2Fmanagement%2Findex.xml&app=bam

Blizzard only collects personal information on a voluntary basis.The personal information you provide Blizzard will allow us to fulfill your product or service order; alert you of new products or services, features, or enhancements; handle/route your customer service or technical support questions or issues; and/or notify you of upgrade opportunities, contests, promotions, or special events and offers. Blizzard may enhance or merge the personal information collected at a Blizzard site with data from third parties. Blizzard may also provide your personal information to other companies or organizations that offer products or services that may be of interest to you. In such cases, we will notify you that the information will be shared and provide you with an opportunity to opt-out.
For more information, click here for answers to Frequently Asked Questions or to contact the Blizzard Billing & Account Services team.
Sincerely,
The Battle.net Account Team

Let’s see here:

  • Header shows it’s from Hotmail.
  • No greeting at all, let alone personalized
  • Subject is a mess
  • Bad English, although spelling is pretty good.
  • “flow” of e-mail gives you the impression it’s at least 3 e-mails pasted together.
  • Link goes to : us.bbattlle.com

So ya…

you must complete the steps below to secure the account and your computer

That’s not a subject…that would be a quote from an e-mail.  “Account Security” would be a good subject…or better yet…”Battle.NET Account Security.”

I swear…they aren’t even putting forth the effort anymore…are we really THAT gullible these days?

Blizzard Entertainment is dedicated to creating the most epic gaming experiences ever; making sure that your information is safe and secure is an important part of that effort.

Pretty sure that semi-colon should have been a period and start a new sentence.  Although the statement is a good one.  And is true.

We have the evidence to prove that your account  involved in the controversial game currency transaction .The investigation will be continued by Blizzard administration to determine the action to be taken against your account.

I swore I saw that before, and I swore I already had a page for this particular phish too…

But then I realized it was a combination of two different things….”the controversial game currency transaction” Came from another Phish…the account confusion one.  Where they were telling me the changes I made to the account did this…That second sentence…well, we’ll get to that in a moment…

To ensure the legitimacy of your account, we need you here to check your account status as soon as possible.

This is ALMOST the typical hook they lay.  Normally it’s “We need you to verify your account.” Or “We need you to verify you are the original owner of this account.”  This one is slightly different and ALMOST sounds legitimate.

Any recurring subscriptions have been suspended to prevent further monetary charges.

WOA…now this one is new.  And would be something you would expect Blizzard to do if they really thought your account was compromised.  STOP billing on it, so it has to be acted upon.  Pretty brilliant on the Phisher for coming up with this one…oh…but wait…let’s go back a couple of lines….

The investigation will be continued by Blizzard administration to determine the action to be taken against your account.

WHOOPS

Brilliant Hook FOILED By a logic gap.

So, are you determining what action or have you taken action?  Come on…make up your mind…which one is it?

The Battle.net account is a centralized account system that will let you manage all of the Blizzard Entertainment games you play, including World of Warcraft and future games, in one place without having to remember multiple sets of login information.
We highly recommend that you take this opportunity to verify your account information.To do so, simply click here:

And then they do this.  Completely breaks the flow of the e-mail and is obviously a copy of another e-mail which is not pertaining to this topic at all….

Blizzard only collects personal information on a voluntary basis.The personal information you provide Blizzard will allow us to fulfill your product or service order; alert you of new products or services, features, or enhancements; handle/route your customer service or technical support questions or issues; and/or notify you of upgrade opportunities, contests, promotions, or special events and offers. Blizzard may enhance or merge the personal information collected at a Blizzard site with data from third parties. Blizzard may also provide your personal information to other companies or organizations that offer products or services that may be of interest to you. In such cases, we will notify you that the information will be shared and provide you with an opportunity to opt-out.
For more information, click here for answers to Frequently Asked Questions or to contact the Blizzard Billing & Account Services team.

And again…another break in the flow and another obvious copy of yet another e-mail.  Actually, I think this may be a copy from their privacy statement.

But still, nothing to do with the e-mail at hand.

Then, to add insult to injury, the “click here for answers” isn’t a link at all, so there is nothing to click.

It’s almost as if the Phisher is hoping that pasting in a ton of official sounding “mumbo jumbo” at the bottom of his e-mail will make us forget the horrible English at the top of the e-mail, not to mention hoping we’ll forget the crap is completely off topic to the start of the e-mail….

I dunno, I swear they’re just getting lazy.

  • Received again:

Return-Path: tamtsquare1@hotmail.com
Received: from tuj ([123.4.241.223]) by BLU0-SMTP47.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 6 Aug 2010 19:52:26 -0700
Reply-To: <wowaccountadmin@blizzard.com>
Sender: wowaccountadmin@blizzard.com
From: “wowaccountadmin@blizzard.com” <wowaccountadmin@blizzard.com>
To: <jayras@gmail.com>
Subject: To protect your privacy and security, Any recurring subscriptions have been suspended to prevent further monetary charges.

Links to: us.battllie.net


Phishers becoming stupid?

Aug 05 2010

Looking at the batch of Phishes I got over the past week I swear these guys are becoming stupid.

Or just plain lazy.

Look at this new Phish I got:  Controversial Currency Transaction

Everything about it, from the lousy subject, the typical “engrish” to the pasting in of irrelevant garbage just screams Laziness!

Or else, they have no clue what they are doing…

Which is actually good news for the likes of you and me…the stupider they get, the easier it is to identify.

I even got a Phish that had the title of “Blizzard Entertainment Cataclysm beta” but it was a Password Change phish.

….lazy….

The number of Phishes is starting to increase, mainly on the Beta front, but I also got 3 Aion Phishes, which is triple what I’ve ever received!

Here’s the count:

14 Beta Phishes

2 “Illegal Transaction” Phishes.

3 Aion Phishes

2 “Hacker IP” Phishes

1 LOTR Phish

2 Password Phishes (Beta)

2 Account Selling Phishes

For a total of 25.  Been busy…

One of the e-mails I got linked to the domain “bate.blizzcon-logincheck.com”

Which I got a chuckle out of…get it?  BATE….Phish…HAR HAR HAR

On another note….there’s a new tool I found in the fight against Phishes (Well, new to me at least…)

This is a Firefox plugin called “Interclue” which I got for decoding shortened URLs before I click on them.

I was pleasantly surprised that, without fail, it recognized the links in these e-mails and popped up a warning saying these are reported Phishing links.

I *LOVE* it!!

You can get it here:

http://interclue.com/

and I recommend it highly.

Oh…one more thing…

As you may have been aware of (and if you aren’t you live under a rock…) Starcraft II was released.

There is an apparent targeted Phishing attack directed at receiving keys or registering keys.  I haven’t seen any of them yet, but here is a post with more information about it:

http://www.lazygamer.co.za/general-news/psa-starcraft-ii-accounts-being-phished/


Security Update at Blizzard, and new Phishes…

Jul 29 2010

Posting a day early, this is just a notice about a specific change Blizzard made last week (That I missed..sorry for not mentioning it sooner.)

I had the unfortunate pleasure of getting locked out of my account.  Luckily it wasn’t a case of getting Hacked.  No, it was more stupid than that.

I got a new iPhone!!

Of course, I didn’t prep my account and I did format and turn in my old iPhone so I no longer had access to it.

When I got home, I soon realized my mistake when I went to login to Warcraft and when I launched my Authenticator it was giving me steps to register my NEW authenticator (WHOOPS)

So, next morning, I use my new iPhone and a headset and sat on Hold for 37 minutes (Yes, I counted…)

They drilled me, asking me question after question, making me PROVE to them that I am who I say I am (Good for you Blizzard!!)

In the end they pulled my old authenticator off, and sent me on my way to put the new one on.

During the process I noticed they added a step.

No longer can you just simply drop in a Serial number and wam BAM you have an authenticator (Which, unfortunately, hackers did all the time.)

No, now you put in the serial number, and then they send you an e-mail!

And from that e-mail you must click the link!

This is perfect…it means any hacker would be notifying themselves to you when they attempt to steal your account, and you are smart enough to scream HEY!! I didn’t do that, and NOT click the link!!

Here’s the new process:

  • Log onto Battle.net Account Management (http://www.battle.net/account/)
  • Click on Settings, then click Manage Security Options
  • Click on Add this authenticator
  • [new]—>Required confirmation link sent to your Battle.net account email address
  • You log onto your email account itself, look for an email titled Battle.net Account Authenticator Addition from noreply@blizzard.com with a link to loop back to Account Management. This contains a one-time use token.
  • Add a mobile or keychain authenticator
  • Now you have an authenticator
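A minimal model of the confirmation step in the process above, as an added example (not Blizzard's implementation): entering a serial number only creates a pending request, and nothing is attached until the single-use token mailed to the account address comes back. The class name, the accounts.example link, the one-hour expiry and the hashed-token storage are all assumptions.

```python
import hashlib
import secrets
import time

class AuthenticatorEnrollment:
    """Pending 'add authenticator' requests, confirmed by an e-mailed one-time token."""

    TTL = 3600  # assumed validity window in seconds; the post does not state one

    def __init__(self, send_mail, now=time.time):
        self._send_mail = send_mail   # hypothetical hook: callable(address, link)
        self._now = now               # injectable clock, so expiry can be tested
        self._pending = {}            # sha256(token) -> (account, serial, expires_at)
        self.attached = {}            # account e-mail -> authenticator serial

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked pending table cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, account_email, serial):
        """Step 'Add this authenticator': record the request and mail the link.

        The link goes to the address on file, never to an address supplied with
        the request, so whoever typed the serial must also control that mailbox.
        """
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (
            account_email, serial, self._now() + self.TTL)
        link = "https://accounts.example/add-authenticator?ticket=" + token
        self._send_mail(account_email, link)

    def confirm(self, token):
        """Step 'click the link': attach the authenticator if the token is valid."""
        entry = self._pending.pop(self._digest(token), None)  # pop = single use
        if entry is None:
            return False              # unknown, guessed, or already-used token
        account, serial, expires_at = entry
        if self._now() > expires_at:
            return False              # expired; the request must be started again
        self.attached[account] = serial
        return True

def demo():
    """Walk through an unconfirmed request, a guessed token and a real confirmation."""
    outbox = []                       # constructed stand-in for the owner's mailbox
    enroll = AuthenticatorEnrollment(lambda to, link: outbox.append((to, link)))
    enroll.request("owner@example.com", "CONSTRUCTED-SERIAL-0001")
    before = dict(enroll.attached)    # still empty: the request alone attaches nothing
    guessed = enroll.confirm("not-the-token")
    token = outbox[0][1].split("ticket=")[1]
    first = enroll.confirm(token)
    replay = enroll.confirm(token)
    return before, guessed, first, replay, dict(enroll.attached)

if __name__ == "__main__":
    print(demo())
```

The unsolicited e-mail is the alert the post describes: if the owner did not start the request and leaves the link alone, the pending entry simply expires.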

More information on the change can be found here:

Forum Post on the new change.

Now, for the bad news…

Blizzard broke one of their cardinal rules…the e-mail you get is not Personalized.

AND…I’ve already received a phishing attempt with this new e-mail (It is a direct copy…with a new link….)

So, if you are adding an authenticator…make sure you are looking at a good e-mail and not a phish, scrutinize the header and make sure it isn’t from Hotmail, and it is from Blizzard.


Phish: Adding Authenticator

Jul 29 2010

Here’s the e-mail:

Return-Path: ashtonlumley@hotmail.com
Received: from blizzazrd.net ([123.5.166.247]) by BLU0-SMTP83.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Wed, 28 Jul 2010 16:01:46 -0700
Reply-To:
Sender: wn@blizzard.com
From: “noreply@blizzard.com” <wowaccountadmin@blizzard.com>
To: <jayras@gmail.com>
Subject: world of warcraft-Notice on the account

Hello,

We’ve received a request to add a Battle.net Authenticator to this Battle.net account(s):jayras@gmail.com. Please click this link to continue with the authenticator attachment process. You will be redirected to Battle.net Account Management (please be prepared to log in) with further instructions.

https://us.battle.net/account/management/add-authenticator.html?authenticatorType=MA&ticket=ruhsimjt6vvg9t5rm0cng3v92e

If you no longer wish to attach an authenticator to this Battle.net account, or if you did not initiate this request, please disregard and/or delete this e-mail.

If you have any questions regarding your Battle.net account, click here for answers to frequently asked questions and contact information for the Blizzard Billing & Account Services team.

Sincerely,
The Battle.net Account Team
Online Privacy Policy

Let’s see here:

  • Header shows it’s from Hotmail
  • Link goes to bllizzard (Which is not Blizzard…but VERY Close)
  • No personalized greeting: Which unfortunately isn’t a help in this case.

Ironically enough I got this Phish less than 5 days after I actually went through this whole process.

So I can say, without a doubt, this e-mail is an exact copy of the actual e-mail you get when adding an authenticator.

This Phish is really easy to avoid, as long as you don’t panic and actually READ the e-mail.

If you aren’t adding an authenticator to your account THEN DO NOTHING.

“please disregard and/or delete this e-mail.”

Best advice a phishing e-mail has EVER Given you.

One unfortunate thing about this e-mail…Blizzard doesn’t personalize this one, which is a real disappointment.  I would think of all their e-mails this one would be personalized…it is one of the RARE e-mails that REQUIRES the link be clicked.

Without clicking the link you can’t add an authenticator.

So, just be diligent, and when you are adding an authenticator (Or re-adding if you get a new phone…) just make sure you clear out your e-mail trash first, delete all them phishing e-mails, so when you get the REAL e-mail you won’t mistake it for this one and get Phished.


Cataclysm Beta is Upon us…and boy are the Phishers active.

Jul 23 2010

Miss my update last week?  Ya, well…so did I.  No excuse other than I was distracted.

But this week…we’ve got a new phish!!!

YAY!!! Let’s tear it apart, it’s a fun one!

Here’s the e-mail:

Return-Path: a_erika_a@hotmail.com
Received: from gfci ([116.217.116.2]) by BLU0-SMTP99.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 16 Jul 2010 08:42:15 -0700
From: “wowaccountadmin@blizzard.com” <donotrelpy@blizzard.com>
To: <jayras@gmail.com>
Subject: Account disable Notification

Dear players, As World of Warcraft’s development and operations service providers – Blizzard, we have been hard work for efforts to provide better and more just for the players of the game more balanced environment.
Just recently we found that some players to utilize a bug in World of Warcraft make improper business.
This is our fault, we are already investigating the matter.
And will ASAP to all players a satisfactory answer.
In this process, we need your cooperation. You need to log www.worldofwarcarft.com And verify your account login, account information has been to ensure authenticity.
Sincerely, Blizzard Customer Service

Let’s see here:

  • Header is from Hotmail, not Blizzard.
  • Link goes to: www.wow-bm.com  — Interesting domain, but not Blizzard
  • Spelling and English are HORRIBLE.
  • As an extra bonus, the Link text (With the “valid” domain name) is misspelled!

This email is an interesting topic.

Basically they are stating that there is a bug in World of Warcraft that apparently allows players to exploit to their advantage, whatever that is…but they implied they disabled your account accordingly.

Unfortunately for the Phisher (fortunately for us…) the e-mail is BAD, format bad, English bad, spelling bad…just bad BAD:

Dear players, As World of Warcraft’s development and operations service providers – Blizzard

Missing a return key there…so, there’s the first flag that something ain’t right.

And I love this line….

So, they’re Blizzard, World of Warcraft’s development and operations service providers….ya…umm..

WTF?  No, they are Blizzard Entertainment, a Game Software development company that also runs World of Warcraft…

“Operations service providers” they are not…they have an Operations Team/Department that runs World of Warcraft…a service provider they are not.

we have been hard work

forgot an “at” there?

for efforts

ummm…that doesn’t work….”hard at work” and “efforts” are pretty much the same thing…put them both together like that and your English teachers you had in high school will collectively scream and beat you with a ruler…it just don’t make no sense no how (Yes, that was on purpose!)

to provide better and more just

We all need more and better just.  You just can’t have enough just.  And the better the just is the justier it is…or…ya..WHAT?

for the players of the game more balanced environment.

But no Just for the player of the game in less balanced environment.

Just recently we found that some players

Starts off so well…

to utilize a bug in World of Warcraft

…and goes right to shit…

make improper business.

…and then hits bottom.

OMG teh players are make improper business!

I’ve seen that phrase in 3 separate phishes now.  This has to be a Babel Fish thing trying to translate some Chinese phrase into “Fraud” or “Illegal transaction” and missing the boat entirely.

This is our fault, we are already investigating the matter.

Not bad…not professional, a company would more likely put this like:  “We realize the exploit is due to a fault in the application and we are investigating the matter.”  Or something a little more professionally worded…but not that.

And will ASAP to all players a satisfactory answer.

And again they screw up and make one sentence 2 and make no sense.

In this process, we need your cooperation.

Here comes the hook…

You need to log www.worldofwarcarft.com And verify your account login, account information has been to ensure authenticity.

OMG, the hook has been bent in 18 different directions and looks more like a bird feeder.

WTF is that saying?

account information has been to ensure authenticity.

Wow…just….wow.

NOTE: Look at the domain…World Of Warcarft

That would be a brilliant domain if that is actually where it linked to, but it doesn’t link to it.

So, not only are they hiding their link behind another domain, they can’t even get that spelling right.

Comedy Gold.

But I digress…

So apparently there is a bug in the system that allows the players to gain something without the required effort.  We’ve seen this in the past with WOW and other games.  Some weird bug which allows you to do some simple action (like kill a beetle) and then get an enormous, unbalancing reward from it.  We’ve seen things like killing a level 8 beetle somewhere in one location that spit out 1,000 gold each kill or 1,000,000 experience points (or both?)

These are typically found FAST, and anyone who was exploiting said bug between its introduction and its removal (beyond the “Hey, I tried it once and OMG”) would be, at least, temporarily banned for punishment, in addition to having the gains removed from the account.

I can’t think of one possible bug that could be exploited in any fashion that would put the account in any kind of state where the company running the account couldn’t figure out if the account was valid based on your e-mail.

So, again…asking for “Validating your account” has proven that only phishers need it.

Sincerely, Blizzard Customer Service

So, ya…Not Blizzard.

Here’s the roundup of the last 2 weeks of activity I’ve seen:

IP Range – 1

Selling account – 3

Account Change Confusion – 1

Occurred in the number of illegal transactions – 1

Aion Phish (Haven’t seen this one in a month) – 1

And in the past two weeks…whoa….a TON of Beta Phishes….10 of them.

So like my last update, I would like to take this moment and say:  Just don’t click the links.

None of them.  Just be safe and don’t click anything.  Even if it IS a legitimate e-mail, just don’t click the links.

Better to be safe than sorry, and some of the phishing e-mails are nothing more than a copy of the “official” email and they just changed the link.

For the Beta, there is no reason to click the links.  If you have been selected for the beta, just log in to your account on battle.net and it will be Obvious you have access to Cataclysm.

If you aren’t selected for the Beta it will be obvious you aren’t.  There is no slim chance you are missing something by not clicking the link.  It’s a box, with the Cataclysm artwork, it’s about 3″-5″ (depending on your resolution) high, and it’s sitting next to your Lich King box.

If you don’t see a box with Cataclysm on it next to your Lich King box, then you haven’t been selected for the Beta…and the link in the e-mail will not help you.  It will only hurt, cause my friend, you are getting fished.

Sorry folks, I just logged into my account and I see they did a little facelift.

It now looks like this:

Still, it’s really stinking obvious whether or not you are in the beta…if you see that box you are in, if you don’t see the box you are not in.  And if the box isn’t there then no link ever provided to you will ever change that.

Period.

The Phishers are getting REALLY Sneaky with these emails.

The domains they are going to are getting REALLY close to the real thing.  And in at least 2 attempts I’ve seen them use open SMTP servers to change the SEND address to a Blizzard address.

These combined into one means these e-mails are REALLY dangerous.

Just

Don’t

Click.

Period.

I’ve engaged Google and asked them why an e-mail from an unauthorized SMTP server is allowed to get to my account with no flags:

http://www.google.com/support/forum/p/gmail/thread?tid=59c97b9827a11b41&hl=en

So far they haven’t replied…but I hope I can persuade them.


Phish: Bug Exploit

Jul 23 2010

Here’s the e-mail:

Return-Path: a_erika_a@hotmail.com
Received: from gfci ([116.217.116.2]) by BLU0-SMTP99.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 16 Jul 2010 08:42:15 -0700
From: “wowaccountadmin@blizzard.com” <donotrelpy@blizzard.com>
To: <jayras@gmail.com>
Subject: Account disable Notification

Dear players, As World of Warcraft’s development and operations service providers – Blizzard, we have been hard work for efforts to provide better and more just for the players of the game more balanced environment.
Just recently we found that some players to utilize a bug in World of Warcraft make improper business.
This is our fault, we are already investigating the matter.
And will ASAP to all players a satisfactory answer.
In this process, we need your cooperation. You need to log www.worldofwarcarft.com And verify your account login, account information has been to ensure authenticity.
Sincerely, Blizzard Customer Service

Let’s see here:

  • Header is from Hotmail, not Blizzard.
  • Link goes to: www.wow-bm.com  — Interesting domain, but not Blizzard
  • Spelling and English are HORRIBLE.
  • As an extra bonus, the Link text (With the “valid” domain name) is misspelled!
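The checks in the list above can be automated. The following is an added example, not part of the original post: it compares the visible sender with the envelope sender and the link text with the real link target. The header lines come from the e-mail quoted above; the HTML body is constructed, and the names `red_flags`, `Links` and `domain_of` are made up for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Headers from the e-mail quoted in the post; the HTML body is constructed.
RAW = '''Return-Path: a_erika_a@hotmail.com
From: "wowaccountadmin@blizzard.com" <donotrelpy@blizzard.com>

<p>You need to log <a href="http://www.wow-bm.com/">www.worldofwarcarft.com</a></p>
'''

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

class Links(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def red_flags(raw):
    msg, flags = message_from_string(raw), []
    shown, addr = parseaddr(msg.get("From", ""))
    claimed = domain_of(addr)
    bounce = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    # Envelope sender should sit in (or under) the domain the From line claims.
    if bounce and not ("." + bounce).endswith("." + claimed):
        flags.append(f"return-path {bounce} != from {claimed}")
    # A display name that is itself an address, but not the real one.
    if "@" in shown and shown.lower() != addr.lower():
        flags.append(f"display name {shown} != address {addr}")
    parser = Links()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        # Link text that reads like a hostname must match where the link goes.
        if re.fullmatch(r"[\w.-]+\.[a-z]{2,}", text.lower()) and text.lower() != host:
            flags.append(f"link text {text} -> {host}")
    return flags
```

The Return-Path comparison is a heuristic: legitimate bulk senders sometimes bounce to a third-party domain, so treat that flag as a reason to look closer rather than as proof.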

This email is an interesting topic.

Basically they are stating that there is a bug in World of Warcraft that players can apparently exploit to their advantage, whatever that is…but they implied they disabled your account accordingly.

