They’re getting sneakier!

Jun 28 2010 Published by jayras under Posts

So, for those that asked (and care) my back is doing much better.

I managed to last 3 days+ of not sneezing, but then managed to sneeze 5 times on Saturday…all “normal” sneezes that just had a twinge on my already damaged back and nothing catastrophic again.

Over the past week I’ve received 10 phish e-mails. 4 Bad Beta Barrages, 2 Account Change crack ups. 1 Facebook funkiness Phish.

And then 3 strange ones…

First…

This one looks to be a new variant on the Corrected Hacker IP Phish, it uses the 3 IP Ranges, but at least this time the 3 IP ranges are all the same.

It’s the domain it links to that makes it stand out. It’s SNEAKY!!

The link displays in the e-mail as:

http://us.battle.net/login.xml?ref=https%3A%2F%2Fus.battle.net%2Faccount%2Fmanagement%2Findex.xml&app=bam

But the actual link is (Remember folks, don’t go to these addresses, they are purposely not set as links you can click!)

http://us.battle.net-https3asfdffaa2f3f5g-worldofwarcraft.com/

Now, if you remember from earlier lessons, work backwards to see who is the owner of the domain, based on periods (.)

So…break this one apart (working backwards) you get:

  • com – Standard, almost everything is a COM…we’re good so far.
  • net-https3asfdffaa2f3f5g-worldofwarcraft

Here is where it starts…

After the net is NOT a period, it’s a dash, so that’s not a domain separator and that’s not the end of the domain segment. It’s net-https3….which is basically some well crafted face rolling.

We’ve all seen links crop up, that are a lot like the displayed link…with %3A’s and %2F’s and the like.

These are called “escape codes”, and they are there to keep special characters from invalidating a URL: %3A is actually a colon ( : ), %2F is actually a slash ( / ).

But in the domain above they left out the %’s (which aren’t allowed in domain names) and put in some gobbledy gook that’s similar, to trick you into thinking the net was the end of the domain and the rest is just part of the URL that we see everywhere.

Then the rest:

  • battle
  • us

So by lessons earlier…the domain is a COM domain (originally for commercial use, but turned into the “default” domain)

And the domain name is : net-https3asfdffaa2f3f5g-worldofwarcraft

Which looks like worldofwarcraft, but isn’t.

Like I said, SNEAKY!

Oh…and not Blizzard.
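
Here is that work-backwards check as a small Python script (an added example, not part of the original post). It assumes battle.net is the only domain a real login link would use, and it keeps just the last two labels of the host, which works for plain .com/.net names but not for suffixes like .co.uk.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption for this example: the one domain the real sender would link to.
EXPECTED_DOMAINS = {"battle.net"}


def host_of(url):
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(url):
    """Read the host right to left, splitting only on periods.

    Simplification: keeps the last two labels, which is correct for plain
    .com/.net names; suffixes such as .co.uk need the Public Suffix List.
    """
    labels = host_of(url).split(".")   # a dash never ends a label
    return ".".join(labels[-2:])


def check_link(displayed, href):
    """Return a list of findings for one link taken from an e-mail."""
    shown, real = registrable_domain(displayed), registrable_domain(href)
    host = host_of(href)
    findings = []
    if shown != real:
        findings.append(f"shows {shown} but goes to {real}")
    if real not in EXPECTED_DOMAINS:
        findings.append(f"{real} is not an expected domain")
        # Anything left of the registrable domain, or glued on with dashes,
        # is picked by whoever registered it, so it proves nothing.
        for expected in EXPECTED_DOMAINS:
            if expected in host:
                findings.append(f"host embeds '{expected}' as decoration")
    return findings


def decoded_ref(displayed):
    """Decode the escape codes (%3A -> ':', %2F -> '/') in ?ref=..."""
    return parse_qs(urlsplit(displayed).query).get("ref", [""])[0]


# The two links quoted in the post above.
DISPLAYED = ("http://us.battle.net/login.xml?ref=https%3A%2F%2Fus.battle.net"
             "%2Faccount%2Fmanagement%2Findex.xml&app=bam")
ACTUAL = "http://us.battle.net-https3asfdffaa2f3f5g-worldofwarcraft.com/"

if __name__ == "__main__":
    print(decoded_ref(DISPLAYED))
    for finding in check_link(DISPLAYED, ACTUAL):
        print("-", finding)
```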

And then there’s more sneakiness…

I got 2 e-mails that made it look like my account and characters are being restored from a hack.

Not having been hacked, I know this is obviously a Phish. My guess is the phishers are attempting to blast out these e-mails to hit someone who is already hacked (Which doesn’t make ANY Sense at all…as the account is already hacked, or the user is hopefully a lot more skeptical on these things by now…)

Or they are trying to invoke the “Panic response” from people. The ones that aren’t currently logged in…catching up on their e-mails. See this e-mail and PANIC and scream “OMG what happened??!!!??” and click the link to find out and then BOOM…GOT YA…Hook, line and sinker…

Content of the e-mail is fairly coherent, and I can believe it’s a copy from an actual e-mail one would receive when getting restored. (Can’t validate it 100% though.)

The e-mail has 3 links, 2 of them are “safe”, but one is not.

It’s fairly obvious too. The displayed link and where the link takes you are the same: wowarmybattle.com

So ya, not Blizzard.

The second e-mail is a list of items restored. All real items, but nothing any of my characters would be caught dead wearing (Diabolic Skiver and Scholomance Gear??)

Just one link in this one going to: blizzard-game-info-admin.com

Which is not Blizzard.


Recycling Phishes and a drugged up Yoda Phish.

Jun 22 2010 Published by jayras under Posts

Well, since my last post I got 5 phishes.  So I guess they are still out there to get me.

I got a new Phish…about Aion…which I have never played.

Here it is.

The first sentence of this Phish makes it sound like its Yoda, on Acid, that was hit by a 2X4 in the back of the head.

Then…

I got 2 more Beta invites for the Cataclysm Beta.  Content is nothing special, just a copy paste from the Cataclysm page.

One of them, however, forgot to change the subject.  It was “Account Administration”

Sloppy…sloppy…sloppy…

I got two Phishes that I haven’t seen in a very long time.  One was the one that stated my payment method has violated 3rd parties.

I’m still trying to figure out what that could possibly mean.  Are they talking about a stolen credit card?  Or is a Mastercard, from Key Bank, in Dogspatch, CA offending to the sensibilities of the billing system?

Other one was a “You’re selling your account” Phish…blah.

If that wasn’t all….

On the bus ride to work this morning I sneezed.

No big deal right?

Well, when I sneezed I got this sharp, BURNING, pain in my lower back/side

It hurt like a bugger!

Then 20 minutes later I sneezed again, and it hurt WORSE.

So I went to the doctor, they said it was probably nothing more than straining a muscle, or worst case I ripped a muscle or tendon.  They shot me up with Dilaudid, which made me really loopy, but like Vicodin made my nose itch like a son of a bitch.

Have to add that to a list of drugs to avoid.

They gave me a prescription of Oxycodone, which doesn’t make my nose itch.  Theoretically I can go to work tomorrow, if I can stand walking…we’ll see.

YEAH ME!
