How to spot a Phish

You’re sitting there reading and now you ask:

“That’s all fine and dandy…but is this e-mail from a hacker or is it from Blizzard?”

That is a good question.

In some cases it is BLINDINGLY obvious.

But there are some really good phishers out there. Look for these signs and you can spot even the best of them.

Before we begin, let me first say: Err on the side of caution!!

There is NOTHING that Blizzard will send you that you can’t verify by logging in or calling them.

If there is even the slightest glimmer of an idea that the e-mail might not be legit, just delete it.

Don’t click the links, don’t follow the instructions.

Delete it.

Then use your pre-defined bookmark, or type in the address manually and verify the information yourself.

Or e-mail Blizzard, or call Blizzard and ask.

Now that’s over with, here is what to look for:

1. E-mail address.

For any e-mail application or e-mail service I can show you in 1.2 seconds how to change your From/Reply-To address to be George Clooney. Or Bill Gates…or Jewel Staite, or the Pope….

Or….Account Admin @ Blizzard.com

Don't trust the Reply-To; look at both the Reply-To and the SENDER (which is in the header, not the From address). Although I can show you how to change your Reply-To address, the sender is MUCH trickier, and in most cases, unless you have ROOT access to Blizzard's servers, it's impossible to send an e-mail AS Blizzard. Occasionally you can run into an SMTP server that doesn't check and validate the sender, but they don't last long. Most, if not all, SMTP servers will not allow you to send an e-mail with an address other than the domain it belongs to.

So…

In Gmail, here is what to look for. (All my examples are in Gmail. For how to get to the header and other information in your mail client/service there is a handy-dandy Blizzard article for it:

"How to Identify Fake or Phishing Emails"

Or else consult the documentation/support of your e-mail client/service.)

In Gmail:

[Image: eMail – No Details]

In the message you see the title of the e-mail; below that you see the Reply-To address, like this:

Note the "show details" link in the center/right of the message; clicking that link gives you more details about the e-mail. It's not the complete header, but for now it's a start.

Now it shows the Date/Time the e-mail was sent and the subject again…

And NOW it shows "mailed-by", which is where the e-mail was actually mailed from.

[Image: eMail – with Details]

Notice the e-mail is NOT from Blizzard…

It's from Hotmail, which is the source of the majority of the phishing e-mails. Unfortunately, Hotmail doesn't seem to care much about this. If this came from Gmail or another more secure source they would probably have a harder time getting the e-mails out.

Now, clear to the right of the e-mail is a down arrow; clicking on this shows a menu, and choosing "Show Original" will reveal the entire header.

Like:

Delivered-To: <this is your address>me@gmail.com
Received: by 10.229.3.66 with SMTP id 2cs127461qcm;
        Fri, 28 May 2010 04:59:09 -0700 (PDT)
Received: by 10.204.1.136 with SMTP id 8mr87728bkf.92.1275047948726;
        Fri, 28 May 2010 04:59:08 -0700 (PDT)
Return-Path: <boguss_80@hotmail.com>
Received: from blu0-omc3-s15.blu0.hotmail.com (blu0-omc3-s15.blu0.hotmail.com [65.55.116.90])
        by mx.google.com with ESMTP id w11si5628982bka.77.2010.05.28.04.59.08;
        Fri, 28 May 2010 04:59:08 -0700 (PDT)
Received-SPF: pass (google.com: domain of boguss_80@hotmail.com designates 65.55.116.90 as permitted sender) client-ip=65.55.116.90;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of boguss_80@hotmail.com designates 65.55.116.90 as permitted sender) smtp.mail=boguss_80@hotmail.com
Received: from BLU0-SMTP19 ([65.55.116.72]) by blu0-omc3-s15.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
        Fri, 28 May 2010 04:58:02 -0700
X-Originating-IP: [112.216.160.78]
X-Originating-Email: [boguss_80@hotmail.com]
Message-ID: <BLU0-SMTP1974D4063EA673501766B187EB0@phx.gbl>
Return-Path: boguss_80@hotmail.com
Received: from ekjcz ([112.216.160.78]) by BLU0-SMTP19.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
        Fri, 28 May 2010 04:58:01 -0700
From: "noreply@blizzard.com" <noreply@blizzard.com>
To: <jayras@gmail.com>
Subject: World of Warcraft – Account Authenticator
Date: Fri, 28 May 2010 19:58:12 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_09CE_012A5307.103E1380"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-OriginalArrivalTime: 28 May 2010 11:58:01.0614 (UTC) FILETIME=[05CBDAE0:01CAFE5D]

This header shows where the mail really came from.

Notice the "Return-Path"; see how that is NOT Blizzard?:

Return-Path: <boguss_80@hotmail.com>

Compare this to what it shows up as in the header of a REAL Blizzard e-mail:

Return-Path: <noreply@battle.net>

Further down you can see:

Received: from blu0-omc3-s15.blu0.hotmail.com (blu0-omc3-s15.blu0.hotmail.com [65.55.116.90])

I'm pretty sure, even with the economy the way it is, that Blizzard doesn't have to resort to using a free mail service to send out their e-mails.

A real Blizzard e-mail shows:

Received: from smtp12.us.worldofwarcraft.com (ext-smtp12.us.battle.net [12.129.242.48])

So, just from the e-mail address and the header you can see it's not from Blizzard.
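The three header checks above (Return-Path, the first external "Received: from" hop, and the visible From: line) can be automated. The following is an added example, not code from the original post: it uses only the Python standard library, and the two sample header blocks are constructed from the values quoted above (the phishing header as shown, and the Return-Path/Received lines the post quotes from a real Blizzard e-mail; the From: line of the real sample is an assumption). It also shows why the "Received-SPF: pass" in the phishing header is not reassuring: SPF was evaluated for hotmail.com, the envelope sender, and says nothing about blizzard.com.

```python
"""Header triage for a suspected phishing e-mail (added example, not from the post).

The visible From: line is trivially forged; the Return-Path (envelope sender) and
the Received: line written by your own provider's MX record where the message
really entered. This script parses a raw header block and reports whether those
agree with the domains the sender claims to be.
"""
import email
import re
from email.utils import parseaddr

# Domains a genuine Blizzard message would be expected to use (from the post).
BLIZZARD_DOMAINS = ("blizzard.com", "battle.net", "worldofwarcraft.com")

# Constructed sample: trimmed from the phishing header quoted above, with the
# continuation lines indented so a header parser folds them correctly.
PHISH_HEADERS = """\
Delivered-To: me@gmail.com
Received: by 10.229.3.66 with SMTP id 2cs127461qcm;
        Fri, 28 May 2010 04:59:09 -0700 (PDT)
Return-Path: <boguss_80@hotmail.com>
Received: from blu0-omc3-s15.blu0.hotmail.com (blu0-omc3-s15.blu0.hotmail.com [65.55.116.90])
        by mx.google.com with ESMTP id w11si5628982bka.77.2010.05.28.04.59.08;
        Fri, 28 May 2010 04:59:08 -0700 (PDT)
Received-SPF: pass (google.com: domain of boguss_80@hotmail.com designates 65.55.116.90 as permitted sender) client-ip=65.55.116.90;
From: "noreply@blizzard.com" <noreply@blizzard.com>
To: <me@gmail.com>
Subject: World of Warcraft - Account Authenticator

"""

# Constructed sample of a genuine message: Return-Path and Received values are the
# ones the post quotes from a real Blizzard e-mail; the From: line is assumed.
REAL_HEADERS = """\
Delivered-To: me@gmail.com
Return-Path: <noreply@battle.net>
Received: from smtp12.us.worldofwarcraft.com (ext-smtp12.us.battle.net [12.129.242.48])
        by mx.google.com with ESMTP;
        Fri, 28 May 2010 05:00:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of noreply@battle.net designates 12.129.242.48 as permitted sender) client-ip=12.129.242.48;
From: "Blizzard Entertainment" <noreply@blizzard.com>
To: <me@gmail.com>
Subject: Account change request

"""

RECEIVED_RE = re.compile(r"\bfrom\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.I)


def unfold(value):
    """Collapse folded header continuation lines into a single line."""
    return " ".join((value or "").split())


def addr_domain(header_value):
    """Lower-cased domain part of an address header, or None if absent."""
    _, addr = parseaddr(unfold(header_value))
    return addr.rpartition("@")[2].lower() or None


def in_domains(host, domains):
    """True if host equals one of the expected domains or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def first_external_relay(received_headers):
    """Return the first 'from host (rdns [ip]) by host' hop, i.e. where the message
    entered the receiving provider; earlier Received: lines are internal handoffs."""
    for value in received_headers:
        m = RECEIVED_RE.search(unfold(value))
        if m:
            helo, comment, by_host = m.groups()
            tokens = comment.split()
            rdns = tokens[0] if tokens and not tokens[0].startswith("[") else helo
            ip = re.search(r"\[([\d.]+)\]", comment)
            return {"helo": helo, "rdns": rdns, "ip": ip.group(1) if ip else None, "by": by_host}
    return None


def triage(raw_headers, expected_domains):
    """Compare From:, Return-Path, entry relay and SPF scope against expected domains."""
    msg = email.message_from_string(raw_headers)
    from_dom = addr_domain(msg.get("From"))
    rp_dom = addr_domain(msg.get("Return-Path"))
    relay = first_external_relay(msg.get_all("Received", []))
    spf = unfold(msg.get("Received-SPF", ""))
    m = re.search(r"domain of\s+(\S+)", spf)
    spf_dom = m.group(1).rpartition("@")[2].lower() if m else None

    findings = []
    if from_dom and not in_domains(from_dom, expected_domains):
        findings.append(f"From: domain {from_dom} is not an expected domain")
    if rp_dom != from_dom and not in_domains(rp_dom, expected_domains):
        findings.append(f"Return-Path domain {rp_dom} differs from From: domain {from_dom}")
    if relay and not in_domains(relay["rdns"], expected_domains):
        findings.append(f"entry relay {relay['rdns']} ({relay['ip']}) is not an expected domain")
    if spf.lower().startswith("pass") and spf_dom and not in_domains(spf_dom, expected_domains):
        findings.append(f"SPF 'pass' was evaluated for {spf_dom}; it says nothing about {from_dom}")

    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "relay_host": relay["rdns"] if relay else None, "spf_domain": spf_dom,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_HEADERS), ("real", REAL_HEADERS)):
        result = triage(raw, BLIZZARD_DOMAINS)
        print(label, "SUSPICIOUS" if result["suspicious"] else "looks consistent")
        for finding in result["findings"]:
            print("  -", finding)
```

Run as-is it reports the phishing sample as suspicious on three counts (Hotmail Return-Path, Hotmail entry relay, SPF scoped to hotmail.com) and the real sample as consistent. Paste the "Show Original" text of your own message into PHISH_HEADERS to triage it; the script reads the first external hop rather than the last because the hops below it were written by the sender's side and can say anything.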

2. Greeting

Beyond the e-mail address there are many, MANY other clues that will lead you to point at the e-mail and scream PHISHER!!

For one, the greeting. You registered with Blizzard in order to get a World of Warcraft account. Because of this, they know your name, they know your address, they even know your credit card number, and they definitely know your e-mail address.

Don’t you think they would actually use this information?

Look at this greeting:

Greetings!
Recently, the problem of account invasion is getting worse and worse which cause enormous players’equipments and virtual currency stolen. This severely damages the benefits of mass players, also causes our company lose a lot of customers.

Ever since 1985 there has existed the technology to customize the greeting with known information, like NAME…

Compare this to the greeting you get from an ACTUAL communication from Blizzard:

Hello Jay,

Blizzard Entertainment has recently received a request to change the…

See the difference? Most companies would spend the extra effort (very LITTLE effort) to actually address you by name; this is doubly true if they are addressing you in regards to account issues. Companies know they need to assure you that the communication is genuine, and addressing you specifically goes a LONG way toward proving the validity of an e-mail.

The reason the phishers can't address you by name is that they don't know it. They have no idea who you are. In reality, they don't even know your e-mail address.

You are getting the e-mail because they either typed in random characters to send out the e-mail, or they got it from lists of known "good" addresses that are passed around (which can be gotten from one or more of hundreds of sources).

But the phisher just writes one e-mail and it gets mailed out to everyone they possibly can. They don't bother to personalize it because it would take too much effort and they probably don't have the information to personalize it anyway.

3. English, bad spelling, total and complete moronic mistakes.

A lot of the phishing e-mails make it very apparent that the sender uses English as a second (or third?) language. This makes sense, as the majority of the gold-selling sites are in China or Korea, where English is definitely not the native tongue. And since the majority of the hack attempts are from gold-selling companies, it only makes sense that these are poorly translated. (These companies don't have the extra money to actually pay translators to handle their illicit communications.)

Look at this from a phishing e-mail:
Recently, the problem of account invasion is getting worse and worse which cause enormous players’equipments and virtual currency stolen. This severely damages the benefits of mass players, also causes our company lose a lot of customers.

Improper use of punctuation.

Not sure what the difference is between a player and an "enormous player", but it makes me think these guys are calling me fat.

Then they call me fat again by saying "mass players".

Overall, this whole paragraph is almost impossible to read; you can't figure out what they are trying to say.

The rest of the e-mail doesn't fare any better:

Our company has to adopt some measures to safeguard our common benefits in order to strengthen the safety of mass players’accounts, and firmly resist the account to be stolen again.Through our company’s research and investigation to xxx customers,we will make the following decisions: we launch a package of updated code strengthen system and dynamic code protection card which can effectively prevent the accounts invaded. We will send this package of code protection system to players free of charge.Please open this connection:  http://www.worldofwarcraft.com/

If your account passes the check successfully, we will send this package of dynamic code protection card to you in the form of e-mail.

In 3 days after you receiving the e-mail, if you don’t submit your information, we have right to freeze your account, every player is obligated to protect the safety of the account. You must work together with us to be determined to crack down all the behaviors of destroying games.

If you had already authenticator your account, please disregard this automatic notification.

Regards,

The World of Warcraft Support Team
Blizzard Entertainment

http://www.blizzard.com/support/wowindex/

Massive run-on sentences, little to no punctuation….

Then there is the statement: "Through our company's research and investigation to xxx customers, …"

Well, xxx, eh? So does that mean 30 customers? Or would this be the perfect example of the almost moronic mistakes that these hackers make in their phishing e-mails?

My favorite is the declaration of how they are going to send "this package of dynamic code protection card" in the form of e-mail.

Wonders of technology; soon I'll be able to order pizza and get it sent to me in the form of e-mail with my matter replicator.

4. Sending you somewhere that is NOT Blizzard.

The sole purpose of these e-mails is to get you to click a link that will take you to a site that is definitely NOT Blizzard's site.

If you view source, or hover over the link (WITHOUT clicking it!!), you will see a domain that is not Blizzard's, but may be VERY similar.

For your protection it would be best if you just didn't click anything, ever.

But you can also take a second look and see whether it's a valid address or not.

In the e-mail above there was a link; from looking at it, it went to http://www.worldofwarcraft.com/

But in reality, it did not.

Using view source, or hovering over it, you would see it went to:

[NOTE: Again I stress you should NEVER, EVER go to these sites.  I am listing this domain as an example only!!  By no means should you EVER go to this domain.  PERIOD.]
www.worldofwarcraft-authenticator-securety.com

Look at the trick: at first glance you see www.worldofwarcraft

You have to remember that an address has a specific pattern that in no way can be violated.

This address pattern is "Internet Law".

No browser, web server, computer, proxy, firewall, anti-virus program, your mother, your grandmother, your best friend can ever change this "law".

If someone tells you I'm wrong, tell them to send me an e-mail at jayras@gmail.com and tell me how I'm wrong. Because I'm not.

The structure is this:

[protocol]://[domain]/[uri-stem (which is the directory/filename)]?[uri-query (which is the query string some websites use)]

In some cases this can have other parts, like a port or a username/password, but they are very rare and hardly ever used.

The domain will NEVER, EVER have a directory structure to it. This is a trick they are trying to put over on you: they use the familiarity of the main site and add on what can be viewed as a valid directory structure, but in reality it is part of the domain name.

For a domain name, look at it from right to left to distinguish the owner of the domain. The parts are separated by a period [.]

So, for example:

www.sub1.sub2.sub3.battle.net

This belongs to battle.net.

Working from the right you see:

net — This means it's part of the "net" TLD. This is not really all that important; you can get some basic information like country and domain type out of it, but not the company or anything else.
battle — This is the domain name; this is the part that tells you who owns this site. In this case it's Battle, which is Battle.net.
sub3 — A sub-domain of battle.net.
sub2 — Another sub-domain, but still part of battle.net.
sub1 — Another sub-domain, but still part of battle.net.
www — Another sub-domain. This is a naming convention meaning it's a WWW site. There is no "law" saying you have to use this, but convention and tradition make it very well known.

In this case the "company" or website is worldofwarcraft-authenticator-securety, which would not be World of Warcraft, not Blizzard and not Battle.net.

And security is misspelled.
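The right-to-left reading of a hostname described above can be written down as a small parser. This is an added example, not code from the original post: it splits a link into the parts listed above ([protocol]://[domain]/[uri-stem]?[uri-query]) with the standard library, reads the hostname from the right to find the label that names the owner, and compares the domain a link displays with the domain it actually goes to. The short MULTI_LABEL_SUFFIXES set is an assumption that goes one step beyond the post, which treats the TLD as a single label: for suffixes such as co.uk the owner's label sits one further to the left. The domain examples are the ones quoted in the post plus constructed ones under the reserved .example TLD.

```python
"""Read a link's real owner from its hostname (added example, not from the post)."""
from urllib.parse import urlsplit

# Assumption, beyond the post: a few suffixes where the TLD spans two labels.
# A production tool would use the full Public Suffix List instead of this set.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.cn"}

# Domains the post says a genuine link should belong to.
BLIZZARD_DOMAINS = ("blizzard.com", "battle.net", "worldofwarcraft.com")


def url_parts(url):
    """Split a URL into the post's structure: [protocol]://[domain]/[uri-stem]?[uri-query].
    A bare hostname (no scheme) is accepted as well."""
    s = urlsplit(url if "://" in url else "http://" + url)
    return {"scheme": s.scheme, "host": (s.hostname or "").lower().rstrip("."),
            "path": s.path, "query": s.query, "userinfo": s.username}


def registrable_domain(host):
    """Read labels right to left: the TLD (or multi-label suffix) plus the owner's label."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def subdomains(host):
    """Everything left of the owner's domain, e.g. ['www', 'sub1', 'sub2', 'sub3']."""
    rest = host[: -len(registrable_domain(host))].rstrip(".")
    return rest.split(".") if rest else []


def classify_link(url, expected_domains):
    """Decide who owns the link target and note anything a reader could be fooled by."""
    p = url_parts(url)
    owner = registrable_domain(p["host"])
    notes = []
    if p["userinfo"]:
        # The rare username part the post mentions: text before '@' is not the host.
        notes.append(f"URL carries a username part '{p['userinfo']}'; the real host is {p['host']}")
    if owner not in expected_domains:
        notes.append(f"owner is {owner}, not one of {', '.join(expected_domains)}")
    return {"host": p["host"], "owner": owner, "subdomains": subdomains(p["host"]),
            "trusted": owner in expected_domains, "notes": notes}


def displayed_vs_actual(link_text, href, expected_domains):
    """The post's case: the link text says one site, the href (hover/view source) another."""
    shown = registrable_domain(url_parts(link_text)["host"])
    actual = registrable_domain(url_parts(href)["host"])
    return {"shown": shown, "actual": actual, "mismatch": shown != actual,
            "actual_trusted": actual in expected_domains}


if __name__ == "__main__":
    # Constructed inputs: the post's own example hostnames plus a .example lookalike.
    for link in ("www.sub1.sub2.sub3.battle.net",
                 "http://www.worldofwarcraft-authenticator-securety.com/",
                 "http://www.battle.net@not-blizzard.example/login"):
        print(link, "->", classify_link(link, BLIZZARD_DOMAINS))
    print(displayed_vs_actual("http://www.worldofwarcraft.com/",
                              "http://www.worldofwarcraft-authenticator-securety.com/",
                              BLIZZARD_DOMAINS))
```

The comparison is made on the owner's domain, not on whether the text "worldofwarcraft" appears anywhere in the hostname; that is exactly the distinction the lookalike domain above relies on readers not making.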

These are but a few of the methods they use to trick you.

For your amusement, and hopefully to further educate you, I'll post all the phishing e-mails I get on this blog so you can go through them and get further insight into how these phishers try to trick you into clicking a link, either to have you give them your information outright or to launch a payload that will infect your computer with a virus / key logger.
