Busy Phishing Week: Cataclysm Beta is Live.

Jul 09 2010

What a week.  Early this week the initial beta program for the Cataclysm expansion went live and the first wave of invites was sent out to the lucky players!

Of course that means we got a MASSIVE wave of Beta Phishing e-mails.

Fortunately for the player the Phishers aren’t all that original…and the e-mails that went out are the same we’ve all seen telling us to make sure our opt-ins are up to date.

But some did mention downloading the client.

So…for all of you that are eagerly awaiting your chance to get into the Beta here is the lowdown on how the beta works and some safety tips.

  • Yes, you do have to opt-in for the beta.  If you didn’t opt in then you won’t get invited.  Login to your account and make sure you have your beta profile up to date. (Don’t click any links in any e-mails…just login to your battle net account and update your profile.)
  • There isn’t some special, fancy-shmancy domain for the Beta, you get all the information and the link to the downloader from your Battle net account.  Not from any other website.
  • If (and when) you are selected to participate in the Beta you will receive a notification.  It will probably look a lot like the phishes.  So, just don’t trust any of them.   Just login to your battle net account (NOT using any links) and if you are indeed accepted in the beta you will see the box graphic for Cataclysm alongside the box graphic you have now for WOW.

  • There is no other location to download the Cataclysm installer.
  • If you think you have a secondary, legitimate location to download the installer, you don’t.  Only get it by clicking the link from your battle net account.
  • There are no Beta Keys…with the battle net account system the need for Beta keys went the way of the Dodo.
  • There is no other form you need to fill out.
  • There is no other reason to type in another bit of information to get into the beta. (Provided you have your beta profile updated.)

So, there it is.

I’ve said it before and I’m going to say it again:

YOU are the prime target for these phishers.

They’re getting sneaky.

If you have ANY doubt, just don’t click any links at all.

There is no necessary reason to click the links.

Everything you need can be gotten by logging into your battle net account.

Here’s the rundown of the Phishes I got this past week:

  • 11 Beta
  • 3 Selling Account
  • 1 3rd party
  • 1 corrected IP
  • 2 In view of Recent…  (Haven’t seen this one in MONTHS and I get two right in a row…)
  • 1 Account Change Confusion


Lots of Phishes and new twists

Jul 02 2010

Over the past couple of days I’ve gotten 7 phishes.

Mainly the usual stuff with Account Changes, Beta sign ups, banned IPs.

But then there’s a new one.  Well, not really new…it’s very similar to “In view of recent…” but with a “Good Times” twist:

New Phish

My favorite part of the new one:

your account occurred in the number of illegal transactions in a very long period of time.

Ooooh…sends chills up your spine.  The legal speak of it is just flawless and is so ominous you just HAVE to act now and click the link.

OK, so I jest…it’s Engrish in its finest form and I don’t know WTF they are talking about.

————————————————————————————————————

New fashion in the Phishing word:  Incident or Case Numbers.

Lately, I’m getting a lot of “Issue #” or “Case #” or “Incident #” on the end of the subjects of the phishes.

I’m guessing this is an attempt to make them sound much more official.  Cause after all there is a number I can now reference if I need to talk to somebody about the issue.

And I’m sure when I call Blizzard and give them this number it’ll make sense to them…or NOT.

Domains being used by these Phishers are getting more creative:

  • batltle.net
  • www.worldefwaroraft.com
  • www.wow-identification.com

Then there’s this idiot:

www.worldofwarcraft-logins-blizzardaccounts.com:8088

Well, create a nice domain that could conceivably make someone think it’s legit.

Then hook up the website on port 8088.

So, if you are behind any firewall or proxy at all there is a 94.325% chance you can’t even get to the website.

(For those of you that aren’t as geeky as I am…Web Traffic goes on port 80, and pretty much anything over 900 is blocked automatically by firewalls.  There used to be a convention used by some webmasters to put in dev websites up on port 8080, but port 8088 would be foreign to anyone.)

Oh well, one more chance that someone who mistakenly clicks a link won’t get hacked.

————————————————————————————————————

Speaking of which, let me digress for a few minutes.

Apparently users (or maybe it’s the tech support) of “My Space” seem to have the complete wrong definition of “getting phished”.

Do a search on Twitter for “Phished” and you get a ton of posts by My Space users who have gotten hacked and people taking over their accounts but they always post something like “sheesh…I got phished again”

Either that, or they are getting phished and are just too light-headed to stop clicking links in e-mails?


Phish: Your account occurred in the number of illegal transactions

Jul 02 2010

Here’s the e-mail:

Return-Path: evilmicol@hotmail.com
Received: from pt ([114.234.99.163]) by BLU0-SMTP71.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 1 Jul 2010 20:57:21 -0700
Reply-To:
From: “noreply@blizzard.com” <noreply@blizzard.com>
To: <jayras@gmail.com>
Subject: World of Warcraft Verification – Account Issue NO.1343534354

Hello!

We are very sorry to inform you that your account occurred in the number of illegal transactions in a very long period of time. We have not received any complaints about your transactions. But if other players send complaints about your account to us, we will permanently ban your account.

So we have issued this warning letters to you. You should go to the account management website to check your account status as soon as possible(http://www.battle.net/account), you can also find them here.

Billing & Account Services can be reached at 1-800-59-BLIZZARD (1-800-592-5499 Mon-Fri, 8Am-8PM Pacific Time) or at billing@blizzard.com.

Regards,
The World of Warcraft Support Team
Blizzard Entertainment

http://www.blizzard.com/support/wowindex/

Links to: www.worldefwaroraft.com

OK, let’s see here:

  • No Personalized greeting.
  • Header says Hotmail (Surprise!)
  • bad english/spelling
  • Makes no sense at all.
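The checks in that list can be automated. The following Python is an added example written for this page, not the blog author’s code: it parses a raw header block with the standard library and reports the three signals the author keeps pointing at (the envelope sender and first Received: hop say Hotmail while From: claims blizzard.com; a display name that is itself an address in a different domain from the real one; an origin hop that is a bare IP literal handed to a server outside the claimed domain). The two header samples are constructed from e-mails quoted on this page, with straight quotes and the date line folded under Received: the way a real header would carry it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample 1: the header block of the e-mail quoted above
# (straight quotes; the date line is folded under Received: as in a real header).
SAMPLE_1 = """\
Return-Path: evilmicol@hotmail.com
Received: from pt ([114.234.99.163]) by BLU0-SMTP71.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
 Thu, 1 Jul 2010 20:57:21 -0700
From: "noreply@blizzard.com" <noreply@blizzard.com>
To: <jayras@gmail.com>
Subject: World of Warcraft Verification - Account Issue NO.1343534354
"""

# Constructed sample 2: the "Account Instructions" variant further down the page,
# where the display name is a blizzard.com address but the real sender is Hotmail.
SAMPLE_2 = """\
Return-Path: david14_38@hotmail.com
Received: from wpvotpzp ([114.106.199.241]) by BLU0-SMTP35.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
 Fri, 6 Aug 2010 00:25:43 -0700
From: "wowaccountadmin@blizzard.com" <david14_38@hotmail.com>
To: <jayras@gmail.com>
Subject: World Of Warcraft-Account Instructions
"""

# Matches the origin-hop form seen in every header quoted on this page:
# "from <helo name> ([<ip>]) by <receiving host> ..."
ORIGIN_HOP = re.compile(r"from\s+(\S+)\s+\(\[(\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(\S+)")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address such as 'user@example.com' ('' if none)."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def analyse_headers(raw_headers: str) -> list:
    """Return human-readable findings. An empty list means none of the three
    checks fired, which does NOT make the mail legitimate."""
    msg = message_from_string(raw_headers)
    findings = []

    display_name, from_address = parseaddr(msg.get("From", ""))
    from_domain = from_address.rpartition("@")[2].lower()

    # Check 1: the display name is itself an address whose domain differs from
    # the real address (mail clients show the display name, not the address).
    if "@" in display_name:
        name_domain = display_name.rpartition("@")[2].lower()
        if name_domain != from_domain:
            findings.append(
                f"display name claims {name_domain} but the address is {from_address}")

    # Check 2: the envelope sender (Return-Path) lives in a different domain
    # from the From: header -- "Header says Hotmail" in the author's words.
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    if return_path_domain and return_path_domain != from_domain:
        findings.append(
            f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")

    # Check 3: the earliest Received: hop (last in header order) is a bare IP
    # literal handed to a server outside the From: domain.
    received = msg.get_all("Received", [])
    if received:
        match = ORIGIN_HOP.search(received[-1])
        if match:
            helo, ip, receiving_host = match.groups()
            if not receiving_host.lower().endswith("." + from_domain):
                findings.append(
                    f"origin hop {helo} [{ip}] was accepted by {receiving_host}, "
                    f"not a {from_domain} server")
    return findings


if __name__ == "__main__":
    for label, sample in (("sample 1", SAMPLE_1), ("sample 2", SAMPLE_2)):
        print(label)
        for finding in analyse_headers(sample):
            print("  -", finding)
```

Sample 2 is the interesting one: its Return-Path and Received: hop are consistent with each other (both Hotmail), so only the display-name check fires, which is exactly why looking at the address behind the quoted name matters.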

This one is a mix between the “Good Times” and “In view of recent…” Phishes.

I figured it deserved its own page.  It certainly is entertaining enough.

We are very sorry to inform you

Not only are they sorry, they are VERY sorry to inform me…

that your account occurred in the number of illegal transactions

What?

So….during a number of illegal transactions my account “occurred” in them?

What does that mean?  Some joker standing on a dark street in a shadowed doorstep whispering “pssst…buddy…you wanna buy a watch FROM THIS GUY’S ACCOUNT?”

in a very long period of time

Well…at least I didn’t do it in a short period of time.

I guess they’ve been watching these illegal transactions happen for the past couple of years but didn’t decide to do anything.

Kind of like the stories you hear where this guy went through a neighborhood and randomly shot through windows of houses, while everyone was on their front porches watching.  Of course no one called the police cause everyone thought someone else already had.

And then I woke up and said “WHAT??”

We have not received any complaints about your transactions.

Yet, here you are informing me of them?  Why haven’t you done this in the past?  Oh ya…read my last note….

But if other players send complaints about your account to us, we will permanently ban your account.

OMG…If someone complains you bring “teh ban hammer!!”

I better not piss anyone off in these illegal transactions eh?

Oh ya…read my last note about reading the last note…

You should go to the account management website to check your account status as soon as possible

Yes, I should, because, after all, since this happened in a very long period of time something may have happened in the last few hours since I logged out and now.  We all know you are taking such quick action on this.

Oh ya, NOT.

So, ya…Not Blizzard.

  • Received again:

Return-Path: xepoz@hotmail.com
Received: from jwa ([221.6.42.24]) by BLU0-SMTP100.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 5 Aug 2010 07:43:06 -0700
Sender: xepoz@hotmail.com
From: “WoWAccountAdmin@blizzard.com” <WoWAccountAdmin@blizzard.com>
To: <jayras@gmail.com>
Subject: World of Warcraft — Account Action Notification

Links to: www.worldofwarcraft-account-security-verification.com

  • Received again:

Return-Path: david14_38@hotmail.com
Received: from wpvotpzp ([114.106.199.241]) by BLU0-SMTP35.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 6 Aug 2010 00:25:43 -0700
From: “wowaccountadmin@blizzard.com” <david14_38@hotmail.com>
To: <jayras@gmail.com>
Subject: World Of Warcraft-Account Instructions

Links to: www.worldofwarcraft-battle-account-authecon.com

  • Received again, but MUCH simpler variation:

Return-Path: soddermann@hotmail.com
Received: from ripygnjh ([174.139.92.48]) by BLU0-SMTP75.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Wed, 4 Aug 2010 06:58:50 -0700
Reply-To: <wowaccountadmin@blizzard.com>
From: “wowaccountadmin” <wowaccountadmin@blizzard.com>
To: <jayras@gmail.com>
Subject: WOW Account Management:N0.5865
Hellodz?/P>

We have the evidence to prove that your account involved in the controversial game currency transaction .If your account is found violating Terms of Use, it can, and will be suspended/closed/or terminated.

In order to keep this from occurring, you should immediately verify that you are the original owner of the account.We highly recommend that you take this opportunity to verify your account information.To do so, simply click here:

http://www.battle.net/index/login

Blizzard staff will verify your account information submitted in two days, please do not modify your account information during this time . It will not affect your game uptime.

For more information, click here for answers to Frequently Asked Questions or to contact the Blizzard Billing & Account Services team.

Sincerely,
Account Administration
Blizzard Entertainment
Online Privacy Policy

Links to: us-battlefusbattlenet.com


They’re getting sneakier!

Jun 28 2010

So, for those that asked (and care) my back is doing much better.

I managed to last 3 days+ of not sneezing, but then managed to sneeze 5 times on Saturday…all “normal” sneezes that just had a twinge on my already damaged back and nothing catastrophic again.

Over the past week I’ve received 10 phish e-mails. 4 Bad Beta Barrages, 2 Account Change crack ups. 1 Facebook funkiness Phish.

And then 3 strange ones…

First…

This one looks to be a new variant on the Corrected Hacker IP Phish, it uses the 3 IP Ranges, but at least this time the 3 IP ranges are all the same.

It’s the domain it links to that makes it stand out. It’s SNEAKY!!

The link displays in the e-mail as:

http://us.battle.net/login.xml?ref=https%3A%2F%2Fus.battle.net%2Faccount%2Fmanagement%2Findex.xml&app=bam

But the actual link is (Remember folks, don’t go to these addresses, they are purposely not set as links you can click!)

http://us.battle.net-https3asfdffaa2f3f5g-worldofwarcraft.com/

Now, if you remember from earlier lessons, work backwards to see who is the owner of the domain, based on periods (.)

So…break this one apart (working backwards) you get:

  • com – Standard, almost everything is a COM…we’re good so far.
  • net-https3asfdffaa2f3f5g-worldofwarcraft

Here is where it starts…

After the net is NOT a period, it’s a dash, so that’s not a domain separator so that’s not the end of the domain segment. It’s net-https3….which is basically some well crafted face rolling.

We’ve all seen links crop up, that are a lot like the displayed link…with %3A’s and %2F’s and the like.

These are called “escape codes” that are done to prevent invalidating a URL, %3A is actually a colon ( : ), %2F is actually a slash ( / )

But in the domain above they left out the %’s (Which aren’t allowed in domain names) and put in some gobbledygook that’s similar to trick you into thinking the net was the end of the domain and the rest is just part of the URL that we see everywhere.

Then the rest:

  • battle
  • us

So by lessons earlier…the domain is a COM domain (originally for commercial use, but turned into the “default” domain)

And the domain name is : net-https3asfdffaa2f3f5g-worldofwarcraft

Which looks like worldofwarcraft, but isn’t.

Like I said, SNEAKY!

Oh…and not Blizzard.

And then there’s more sneakiness…

I got 2 e-mails that made it look like my account and characters are being restored from a hack.

Not having been hacked, I know this is obviously a Phish. My guess is the phishers are attempting to blast out these e-mails to hit someone who is already hacked (Which doesn’t make ANY Sense at all…as the account is already hacked, or the user is hopefully a lot more skeptical on these things by now…)

Or they are trying to invoke the “Panic response” from people. The ones that aren’t currently logged in…catching up on their e-mails. See this e-mail and PANIC and scream “OMG what happened??!!!??” and click the link to find out and then BOON…GOT YA…Hook, line and sinker…

Content of the e-mail is fairly coherent, and I can believe it’s a copy from an actual e-mail one would receive when getting restored. (Can’t validate it 100% though.)

The e-mail has 3 links, 2 of them are “safe”, but one is not.

It’s fairly obvious too. The displayed link and where the link takes you are the same: wowarmybattle.com

So ya, not Blizzard.

The second e-mail is a list of items restored. All real items, but nothing any of my characters would be caught dead wearing (Diabolic Skiver and Scholomance Gear??)

Just one link in this one going to: blizzard-game-info-admin.com

Which is not Blizzard.


Recycling Phishes and a drugged up Yoda Phish.

Jun 22 2010

Well, since my last post I got 5 phishes.  So I guess they are still out there to get me.

I got a new Phish…about Aion…which I have never played.

Here it is.

The first sentence of this Phish makes it sound like it’s Yoda, on Acid, that was hit by a 2X4 in the back of the head.

Then…

I got 2 more Beta invites for the Cataclysm Beta.  Content is nothing special, just a copy paste from the Cataclysm page.

One of them, however, forgot to change the subject.  It was “Account Administration”

Sloppy…sloppy…sloppy…

I got two Phishes that I haven’t seen in a very long time.  One was the one that stated my payment method has violated 3rd parties.

I’m still trying to figure out what that could possibly mean.  Are they talking about a stolen credit card?  Or is a Mastercard, from Key Bank, in Dogspatch, CA offending to the sensibilities of the billing system?

Other one was a “You’re selling your account” Phish…blah.

If that wasn’t all….

On the bus ride to work this morning I sneezed.

No big deal right?

Well, when I sneezed I got this sharp, BURNING, pain in my lower back/side

It hurt like a bugger!

Then 20 minutes later I sneezed again, and it hurt WORSE.

So I went to the doctor, they said it was probably nothing more than straining a muscle, or worst case I ripped a muscle or tendon.  They shot me up with Dilaudid, which made me really loopy, but like Vicodin made my nose itch like a son of a bitch.

Have to add that to a list of drugs to avoid.

They gave me a prescription of Oxycodone, which doesn’t make my nose itch.  Theoretically I can go to work tomorrow, if I can stand walking…we’ll see.

YEAH ME!


Phish: Aion

Jun 22 2010

Here’s the e-mail:

Return-Path: steph1650@hotmail.com
Received: from xdukpom ([122.139.26.139]) by BLU0-SMTP53.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 18 Jun 2010 20:38:46 -0700
From: “NCsoft Support”
To: <jayras@gmail.com>
Subject: Aion account lockout notice

jayras

Your account fraud Aion other members account password. Prohibited for 72 hours. As soon as possible to verify your account login [Don't click that link!]
If you do not verify your account as soon as possible, your account will be permanently locked!

GM Ash
Aion Game Surveillance Unit

Let’s see here:

  • Header shows it’s from Hotmail.
  • Rudimentary, but poor, attempt at personalization.
  • Spelling, English horrible.
  • e-mail makes no sense whatsoever.
  • Links to: aion.dipns.com

To quote Stephen King:  Jumping Jesus on a Pogo Stick!

WTF is that first sentence even TRYING to say?

Your account fraud Aion other members account password.

Most of these non-English speaking hackers using Babelfish I can figure out the gist of their message, but this one eludes me.

The backward speak is almost akin to Yoda speak…but still….

Wait, I know what it is:

1. Take Yoda and give him Acid.
2. Make Yoda watch Fantasia.
3. When the scene comes up where the Hippos are dancing with the alligators THWACK him in the back of the head with a 2X4

That’s what that sentence looks like.

Prohibited for 72 hours.

Well, that sentence is equally as useless, but at least I can understand it.  I just don’t know what is prohibited for 72 hours?  And after 72 hours whatever action that is will be allowed again?

As soon as possible to verify your account login [Link that is not NC Soft or Aion]
If you do not verify your account as soon as possible, your account will be permanently locked!

There’s a twist. Not only do I need to “verify I am who you are e-mailing” but I do that by logging in.

Wait…

I feel like I’ve just been insulted.

This e-mail is about one of two things.

Either they caught me doing something illegal and have “banned” me for 72 hours.

Or they think I was hacked and have locked me out for 72 hours.

But MAGICALLY, if I login (as this is ME and not anyone else) I’ll be verified and I’ll be able to get back in?

Wow…that logic tree just died.

So ya, not NC Soft (or Blizzard…)

Update:

  • Received again:

Return-Path: yolis.68@hotmail.com
Received: from gr ([98.126.10.160]) by BLU0-SMTP26.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Wed, 21 Jul 2010 20:17:31 -0700
Reply-To: <support@ncsoft.com>
From: “NCsoft Support” <support@ncsoft.com>
To: <jayras@gmail.com>
Subject: Aion Account Identification:mwkdd5hg

Links to: www.access-ncsoft.com

  • Received again:

Received: from lyx ([98.126.10.160]) by BLU0-SMTP10.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 23 Jul 2010 18:07:19 -0700
Reply-To: <support@ncsoft.com>
From: “NCsoft Support” <support@ncsoft.com>
To: <jayras@gmail.com>
Subject: Aion Account Identification:yqiyfuay

Links to: www.aionverify-ncsoft.com

  • Received again:

Return-Path: jared4520@hotmail.com
Received: from yrhqpbkz ([183.90.187.103]) by BLU0-SMTP21.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Sun, 25 Jul 2010 00:53:26 -0700
Reply-To: <support@ncsoft.com>
From: “NCsoft Support” <support@ncsoft.com>
To: <jayras@gmail.com>
Subject: Aion Account Identification-NO.00154

Links to: www.ncsoft-aionsecurity.info

  • Received again:

Return-Path: djflowmstr@hotmail.com
Received: from vwklobwyz ([123.8.188.172]) by BLU0-SMTP37.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Sat, 31 Jul 2010 18:04:30 -0700
Reply-To: <support@ncsoft.com>
From: “support@ncsoft.com” <support@ncsoft.com>
To: <jayras@gmail.com>
Subject: Aion Account Issue-N0.0969

Links to: www.ncsoft-aionsecurity.us


Quiet week.

Jun 18 2010

Well,

Haven’t really had much in Phishes this week, and I even managed to take a day off of work.

All I got this week was an IP Ban notice (The FINAL notice…oooooooh) and a couple of password change phishes.

Maybe I scared them all off?

ya…right…


Weekend Fun

Jun 14 2010

This weekend was a nice weekend.  It’s nice seeing the sun for a change.

Apparently we received the average amount of rainfall for the entire month of June in the first 5 days of June.

But Friday we finally saw the sun and it was a nice weekend.

Phish wise:

  • Well, I got the unreadable Cataclysm beta invite.

Amusingly, the Hotmail address it came from was “Diablo or Die”…which made me chuckle.

  • I also got a Facebook Phish.

This one was funny….

Title of the e-mail was:

“You have 5 or more unread message(s)…”

Then it said I received a message from Facebook…click here to read it.

Self fulfilling prophecy in that e-mail?  I have 5 unread messages…and at least one is from the system itself…

Anyway…it wasn’t from Facebook, but looked really close…so be careful out there and be leery of Facebook messages and just don’t click the links.  Type in facebook.com manually!

  • Also, I got a corrected IP Phish.

This one wasn’t ridiculous enough to say “You logged into IP Range A, IP Range B is hackers, so we’re banning IP Range C”

In this case it was just “You logged into IP Range A” and we’re banning it.

Unfortunately for the Hacker (And fortunately for us) they still can’t speak English which makes it all the easier to say “Not Blizzard”


Phish: Hacker IPs – The corrected version.

Jun 14 2010

Here’s the e-mail:

Return-Path: tx_rose_71@hotmail.com
Received: from xeo ([59.175.118.208]) by BLU0-SMTP16.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Sun, 13 Jun 2010 18:52:58 -0700
From: “wowaccountadmin@blizzard.com” <wowaccountadmin@blizzard.com>
To: <jayras@gmail.com>
Subject: Login IP Blacklisted

Greetings,

This is an automated notification sent from our account security system. You logined your account successfully at 17:40 on June 12th form the 203.57.127.* IP range. According to the report of many players, we found that the account published spam information in the game which harassed other users seriously. This action has violated the EULA.

As too many customers’ complaints, the IP range above has been blacklisted. We are concerned about whether your account has been stolen. In order to guarantee the legitimacy of your account, we need you check your account status here as soon as possible. If you have any questions, please visit http://us.battle.net.

Account security is solely the responsibility of the accountholder. Please be advised that in the event of a compromised account, Blizzard representatives will typically lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.
1pvhhvbsyehowbyl5jlrtbzbk6hocts0f
Regards,
0t2blcs4xehrgtpnskamhjdgfhnqzp7zh
Blizzard Account System
Blizzard Entertainment

So, let’s see here…

  • Header shows e-mail is from Hotmail.
  • Bad English and misspellings.
  • Link goes to: www.blizzard-status-info.com

Well, well, well…

You can teach a hacker new tricks…

This is almost word for word of the “Hacker IP” Phish, but they fixed it so it doesn’t look like they are COMPLETE Morons.

Of course, they still can’t speak English so it’s not hard to say this is a Phish and not real…

You logined your account successfully

That is kind of like a double negative…a double positive?

As too many customers’ complaints

That made no sense in the first e-mail…and still doesn’t make any sense…

In order to guarantee the legitimacy of your account, we need you check your account status here as soon as possible.

You just banned my IP so I can’t…oh wait…you’re trying to trick me into thinking that my account was logged into another computer in a different IP Range.

Very tricksy you are…

This works because more people don’t know what their IP address is…I know I don’t….as far as I’m concerned my IP address is 10.71.63.23…

But I haven’t bothered to look at what my REAL IP Address is…I just don’t care.

I do love how they put the link to the REAL website in case I have any questions…which is where I would send anyone to verify anything they get in e-mail (Not to the link of course, but to the real website.)

So, ya…Not Blizzard.

Update:

  • Received again:

Return-Path: guntherfrastaun@hotmail.com
Received: from abhclkayq ([219.140.29.132]) by BLU0-SMTP74.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 11 Jun 2010 19:52:53 -0700
From: “wowaccountadmin@blizzard.com” <wowaccountadmin@blizzard.com>
To: <jayras@gmail.com>
Subject: Battle.net Final Warning

  • Received again:

Return-Path: sammisin@hotmail.com
Received: from mqc ([222.69.176.184]) by BLU0-SMTP46.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Wed, 23 Jun 2010 18:31:43 -0700
Received: from servera07.tk2adsmtp4.msn.com ([207.46.222.236]) by snt0-mc3-f8.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 15 Jun 2010 18:13:20 -0700
Received: from by2gbipcme01.phx.gbl ([10.2.94.20]) by servera07.tk2adsmtp4.msn.com with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 15 Jun 2010 18:13:18 -0700
X-AUTH-Result: PASS
X-Originating-Email: [WoWAccountAdmin@blizzard.com]
X-Mailer: CME-V6.5.4.3; MSN
From: “Blizzard Entertainment” <WoWAccountAdmin@blizzard.com>
To: <jayras@gmail.com>
Subject: World of Warcraft Warning – Notice NO.507430

Dear customer,

This is an automated notification sent from our account security system. You logined your account successfully at 4:27 on June 20th from the 125.94.112.* range, but our system shows the 125.94.112.* IP range exists a large number of hackers. As too many customer complains, the 125.94.112.* IP range has been blacklisted. We are concerned about whether your account has been stolen. In order to guarantee the legitimacy of your account, we need you check your account status as soon as possible. You should login to the Account Management Websit with the following link: http://us.battle.net/login.xml?ref=https%3A%2F%2Fus.battle.net%2Faccount%2Fmanagement%2Findex.xml&app=bam

Account security is solely the responsibility of the accountholder. Please be advised that in the event of a compromised account, Blizzard representatives will typically lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.

Regards,

Blizzard Account System
Blizzard Entertainment

This one looks to be a new variant on the Corrected Hacker IP Phish, it uses the 3 IP Ranges, but at least this time the 3 IP ranges are all the same.

It’s the domain it links to that makes it stand out. It’s SNEAKY!!

The link displays in the e-mail as:

http://us.battle.net/login.xml?ref=https%3A%2F%2Fus.battle.net%2Faccount%2Fmanagement%2Findex.xml&app=bam

But the actual link is (Remember folks, don’t go to these addresses, they are purposely not set as links you can click!)

http://us.battle.net-https3asfdffaa2f3f5g-worldofwarcraft.com/

Now, if you remember from earlier lessons, work backwards to see who is the owner of the domain, based on periods (.)

So…break this one apart (working backwards) you get:

  • com – Standard, almost everything is a COM…we’re good so far.
  • net-https3asfdffaa2f3f5g-worldofwarcraft

Here is where it starts…

After the net is NOT a period, it’s a dash, so that’s not a domain separator so that’s not the end of the domain segment. It’s net-https3….which is basically some well crafted face rolling.

We’ve all seen links crop up, that are a lot like the displayed link…with %3A’s and %2F’s and the like.

These are called “escape codes” that are done to prevent invalidating a URL, %3A is actually a colon ( : ), %2F is actually a slash ( / )

But in the domain above they left out the %’s (Which aren’t allowed in domain names) and put in some gobbledygook that’s similar to trick you into thinking the net was the end of the domain and the rest is just part of the URL that we see everywhere.

Then the rest:

  • battle
  • us

So by lessons earlier…the domain is a COM domain (originally for commercial use, but turned into the “default” domain)

And the domain name is : net-https3asfdffaa2f3f5g-worldofwarcraft

Which looks like worldofwarcraft, but isn’t.

Like I said, SNEAKY!

Oh…and not Blizzard.
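The “work backwards from the dot” reading of a hostname, which this post walks through twice on this page, and the port 8088 observation from the “Lots of Phishes and new twists” post can both be turned into a small offline check. The Python below is an added example written for this page, not the blog author’s code. It never contacts any of these hosts; it only takes the link strings apart. The allow-list of legitimate domains and the list of brand words are assumptions chosen from the domains named on this page, and the registrable-domain rule is the simplification the post uses (last two dot-separated labels), which is fine for .com/.net/.info but would need the Public Suffix List for registries such as .co.uk.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: the real domains named on this page, kept as an allow-list.
LEGIT_DOMAINS = {"battle.net", "blizzard.com", "ncsoft.com"}
# Assumption: brand words a lookalike host tends to carry, taken from the page's examples.
BRAND_WORDS = ("battle", "blizzard", "worldofwarcraft", "ncsoft", "aion")

# Constructed from the two links in the post: what the mail shows vs where it really goes.
DISPLAYED = ("http://us.battle.net/login.xml?ref=https%3A%2F%2Fus.battle.net"
             "%2Faccount%2Fmanagement%2Findex.xml&app=bam")
ACTUAL = "http://us.battle.net-https3asfdffaa2f3f5g-worldofwarcraft.com/"


def decode_escapes(text: str) -> str:
    """Turn the %3A / %2F 'escape codes' back into ':' and '/'."""
    return unquote(text)


def registrable_domain(host: str) -> str:
    """Walk the host backwards, splitting ONLY on '.', and keep the last two
    labels. A dash is just a character inside a label, never a boundary."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_link(url: str) -> dict:
    """Decompose a link the way the post does and flag the tricks it describes."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    result = {"host": host, "registrable_domain": domain, "legit": domain in LEGIT_DOMAINS}

    # An explicit port other than the web defaults (the ":8088" case).
    if parts.port is not None and parts.port not in (80, 443):
        result["odd_port"] = parts.port

    # A legit domain followed by a dash instead of a dot: "battle.net-..." keeps
    # going, so the real boundary is further right.
    for legit in LEGIT_DOMAINS:
        if host.startswith(legit + "-") or "." + legit + "-" in host:
            result["dash_after_legit"] = legit

    # Weak heuristic: hex pairs that imitate %3A / %2F with the '%' stripped,
    # sitting inside a host label of a non-legit domain.
    if not result["legit"] and re.search(r"(?:3a|2f)", host):
        result["fake_escape_codes"] = True

    # A brand word in the host while the registered domain is not on the allow-list.
    if not result["legit"] and any(word in host for word in BRAND_WORDS):
        result["brand_lookalike"] = True
    return result


if __name__ == "__main__":
    ref_param = urlsplit(DISPLAYED).query.split("&")[0][len("ref="):]
    print("displayed ref= parameter decodes to:", decode_escapes(ref_param))
    for url in (DISPLAYED, ACTUAL,
                "http://www.worldofwarcraft-logins-blizzardaccounts.com:8088",
                "http://www.secure-battle.net"):
        print(analyse_link(url))
```

The `www.secure-battle.net` entry from the end of this post is the useful control: it contains the real domain as a substring, yet the registrable domain comes out as `secure-battle.net`, which is the whole point of splitting on dots and nothing else.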

  • Received again…new variant:

Return-Path: <zigurat_js@hotmail.com>
Received: from blu0-omc3-s24.blu0.hotmail.com (blu0-omc3-s24.blu0.hotmail.com [65.55.116.99])
by mx.google.com with ESMTP id g4si684343wbg.47.2010.07.01.22.35.18;
Thu, 01 Jul 2010 22:35:18 -0700 (PDT)
Received-SPF: pass (google.com: domain of zigurat_js@hotmail.com designates 65.55.116.99 as permitted sender) client-ip=65.55.116.99;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of zigurat_js@hotmail.com designates 65.55.116.99 as permitted sender) smtp.mail=zigurat_js@hotmail.com
Received: from BLU0-SMTP19 ([65.55.116.73]) by blu0-omc3-s24.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 1 Jul 2010 22:34:09 -0700
X-Originating-IP: [180.210.206.52]
X-Originating-Email: [zigurat_js@hotmail.com]
Message-ID: <BLU0-SMTP19B9264109A5E67FFAACA5EFCE0@phx.gbl>
Return-Path: zigurat_js@hotmail.com
Received: from afqrmaf ([180.210.206.52]) by BLU0-SMTP19.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 1 Jul 2010 22:33:48 -0700
From: “wowaccountadmin@blizzard.com” <noreply@blizzard.com>
To: <jayras@gmail.com>
Subject: WOW Issue-NO.0030846

Greetings,

This is an automated notification sent from our account security system. You logined your account successfully at 3:14 on Jun. 29th form the 203.29.211.* IP range. According to the report of many players, we found that the account published spam information in the game which harassed other users seriously. This action has violated the EULA.

As too many customers’ complaints, the IP range above has been blacklisted. We are concerned about whether your account has been stolen. In order to guarantee the legitimacy of your account, we need you check your account status  as soon as possible.

To do so, simply click here:

https://www.battle.net/account/support/login-support.xml

Blizzard staff will verify your account information submitted in two days, please do not modify your account information and password during this time . It will not affect your game uptime.

For more information, click here for answers to Frequently Asked Questions or to contact the Blizzard Billing & Account Services team.

Regards,

Account Administration
Blizzard Entertainment
Online Privacy Policy

Links to: www.wow-identification.com

This one is new.  They cleaned up the English and added a new twist.

According to the report of many players, we found that the account published spam information in the game which harassed other users seriously.

OK, so the English isn’t perfect…but still a far cry from “Engrish”

But, they at least gave a coherent excuse to ban IP Addresses instead of the vague explanations normally given.

But still…not Blizzard.

  • Received again:

Return-Path: superdarkritual@hotmail.com
Received: from lfmwsihe ([222.69.162.61]) by BLU0-SMTP55.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Sun, 4 Jul 2010 23:37:30 -0700
Date: Mon, 5 Jul 2010 14:35:04 +0800
From: “wowaccountadmin@blizzard.com” <noreply@blizzard.com>
To: <jayras@gmail.com>
Subject: WOW Issue-NO.0068052

Links to: www.wow-verify-m5aqr3gfdblolp0hx3fajlm.com

  • Received again:

Return-Path: dimata@hotmail.de
Received: from gcvfapu ([98.126.10.160]) by BLU0-SMTP63.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Sat, 10 Jul 2010 01:53:15 -0700
From: “wowaccountadmin@blizzard.com” <noreply@blizzard.com>
To: <jayras@gmail.com>
Subject: WOW Account Issue-NO.0028894

Links to: www.secure-battle.net
