They’re getting sneakier!

Jun 28 2010 Published by jayras under Posts

So, for those that asked (and care) my back is doing much better.

I managed to last 3 days+ of not sneezing, but then managed to sneeze 5 times on Saturday…all “normal” sneezes that just had a twinge on my already damaged back and nothing catastrophic again.

Over the past week I’ve received 10 phish e-mails. 4 Bad Beta Barrages, 2 Account Change crack ups. 1 Facebook funkiness Phish.

And then 3 strange ones…

First…

This one looks to be a new variant on the Corrected Hacker IP Phish, it uses the 3 IP Ranges, but at least this time the 3 IP ranges are all the same.

It’s the domain it links too that makes it stand out. It’s SNEAKY!!

The link displays in the e-mail as:

http://us.battle.net/login.xml?ref=https%3A%2F%2Fus.battle.net%2Faccount%2Fmanagement%2Findex.xml&app=bam

But the actual link is (Remember folks, don’t go to these addresses, they are purposely not set a links you can click!)

http://us.battle.net-https3asfdffaa2f3f5g-worldofwarcraft.com/

Now, if you remember from earlier lessens, work backwards to see who is the owner of the domain, based on periods (.)

So…break this one apart (working backwards) you get:

  • com – Standard, almost everything is a COM…we’re good so far.
  • net-https3asfdffaa2f3f5g-worldofwarcraft

Here is where it starts…

After the net is NOT a period, it’s a dash, so that’s not a domain separator so that’s not the end of the domain segment. its net-https3….which is basically some well crafted face rolling.

We’ve all seen links crop up, that are a lot like the displayed link…with %3A’s and %2F’s and the like.

These are called “escape codes” that are done to prevent invalidating a URL, %3A is actually a colon ( : ), %2F is actually a slash ( / )

But in the domain above they left out the %’s (Which aren’t allowed in domain names) and put in some gobbledy gook that’s similiar to trick you into thinking the net was the end of the domain and the rest is just part of the URL that we see everywhere.

Then the rest:

  • battle
  • us

So by lessons earlier…the domain is a COM domain (originally for commercial use, but turned into the “default” domain)

And the domain name is : net-https3asfdffaa2f3f5g-worldofwarcraft

Which looks like worldofwarcraft, but isn’t.

Like I said, SNEAKY!

Oh…and not Blizzard.

And then there’s more sneakiness…

I got 2 e-mails that made it look like my account and characters are being restored from a hack.

Not have been hacked, I know this is obviously a Phish. My guess is the phishers are attempting to blast out these e-mails to hit someone who is already hacked (Which doesn’t make ANY Sense at all…as the account is already hacked, or the user is hopefully a lot more skeptical on these things by now…)

Or they are trying to invoke the “Panic response” from people. The ones that aren’t currently logged in…catching up on their e-mails. See this e-mail and PANIC and scream “OMG what happened??!!!??” and click the link to find out and then BOON…GOT YA…Hook, line and sinker…

Content of the e-mail is fairly coherent, and I can believe its a copy from an actual e-mail one would receive when getting restored. (Can’t validate it 100% though.)

The e-mail has 3 links, 2 of them are “safe”, but one is not.

It’s fairly obvious too. The displayed link and where the link takes you are the same: wowarmybattle.com

So ya, not Blizzard.

The second e-mail is a list of items restored. All real items, but nothing any of my characters would be caught dead wearing (Diabolic Skiver and Scholomance Gear??)

Just one link in this one going to: blizzard-game-info-admin.com

Which is not Blizzard.

Comments are off for this post

Ͼ http://www.pthkm.com/xpjylc/ http://www.pthkm.com/bgylc/ Ͼֳ http://www.pthkm.com/pjylc/ ewinֳ http://www.ybewv.com/ewinylc/ Ŷij http://www.ybewv.com/amdc/ ˰ټ http://www.eklhp.com/zrbjl/ Ŷij http://www.aojxq.com/amdcgl/ bet http://www.lpmwq.com/bet365ylc/ ȫѶ http://www.wfgpb.com/qxwgw/ 188 http://www.ywiql.com/jbb188gq/ bet http://www.nwiza.com/bet365ylc/ 365 http://www.rvodp.com/bet365tyzx/ Ͼ http://www.yjzhv.com/smxpjgw/ Ͼij http://www.utssx.com/ampjdc/ ˹˶ij http://www.bkrft.com/amwnsrdc/ Ͼij http://www.bkrft.com/pjdc/ ƶij http://www.bkrft.com/yddc/ Ŷij淨 http://www.bkrft.com/amdcwf/ ȫѶ http://www.bkrft.com/qxwzx/ ˹ά˹ij http://www.fldwd.com/lswjsdc/ ζij http://www.fldwd.com/lwdc/ ŶijЩ http://www.fldwd.com/amdcynx/ ij http://www.fldwd.com/mddc/ ˹˶ij http://www.fldwd.com/wnsrdc/ Ͼij http://www.yuwew.com/amxpjdc/ ĥij http://www.yuwew.com/mddc/ ijϷ http://www.yuwew.com/dcyx/ ĥƽij http://www.yuwew.com/mdhjdc/ ĥij http://www.hgvnk.com/lwmddc/ Űټ http://www.hgvnk.com/ambjl/ ټϷ http://www.hgvnk.com/bjlyx/ ˰ټ http://www.hgvnk.com/zrbjl/ http://www.dnczv.com/bcw/ Ŷij http://www.ybewv.com/amdc/ ˰ټ http://www.eklhp.com/zrbjl/ ټ http://www.zytygb.com/baijiale/ Ŷij http://www.luyouren.com/amdc/ ֳ http://www.yjzhv.com/ozylc/ Ŷij http://www.luyouren.com/aomenduchan/ bet http://www.lsylnj.com/bet365/ Ŷij http://www.lsylnj.com/amdc/ ټ http://www.lsylnj.com/bjl/ http://www.lsylnj.com/bcw/ ˹ http://www.lsylnj.com/wnsrylc/ Ͼ http://www.lsylnj.com/xpjylc/ ټ http://www.zytygb.com/baijiale/ Ŷij http://www.luyouren.com/aomengdushang/ ewinֳ http://www.luyouren.com/ewinyulechen/ bet http://www.luyouren.com/bet365/ ټ http://www.luyouren.com/bjl/ Ŷij http://www.luyouren.com/amdc/ Ŷij http://www.luyouren.com/amduchan/ Ŷij http://www.luyouren.com/aomendc/ Ŷij http://www.luyouren.com/aomenduchan/ Ŷij http://www.luyouren.com/aomengdushang/ ewinֳ http://www.luyouren.com/ewinylc/ ewinֳ http://www.luyouren.com/ewinylchen/ ewinֳ http://www.luyouren.com/ewinylec/ ewinֳ http://www.luyouren.com/ewinyulc/ ewinֳ http://www.luyouren.com/ewinyulechen/ http://www.dnczv.com/bcw/ ټ http://www.dnczv.com/bjl/ bet http://www.dnczv.com/bet365/ ˹ http://www.pthkm.com/wnsrylc/