New Phishes and I’m moving!

Aug 13 2010 Published by jayras under Posts

Well, looks like the level of Phish activity wasn’t as frantic as it was last week, but I still did get a fair number of Phishes.

Including 2 new phishes!!

Suspicious Activity is a lovely little Phish where they are saying your payment has been canceled due to suspicious activity and you have to login to verify…wait…locked…logged in…AAAAHH!!

Automatic Recovery a really neat Phish.  This one claims they have a new website for recovering hacked accounts, which requires you to visit a site and wait for 2 days while they investigate.  And then…and this is the best part…if you don’t hear from them in 2 days, do it all over again!

Here are the counts of last week’s activity:

5 Beta

1 Account Change Confusion

1 Controversial Account Transaction

3 Selling Account

3 Account Invasion

On another note:  I feel I’ve reached the limits of patience with trying to do a Phish Library in WordPress.  It’s a great blogging tool, and I’ll still use WordPress for my blog.  But trying to keep a library of pages just doesn’t fit in WordPress’ feature set.

So, it inspired me to get a real domain!!!

Yes, that’s right

I’ve got an official domain for this wonderful site now:

Welcome to PhishWorld.com!

The world of Phishes, all for you at a low LOW price of just $19.95

…ok, maybe not

But ya, http://phishworld.com is up (Although not a lot is there…just my fish tank.) and the blog should be up in short order over at:

http://blog.phishworld.com

So, get ready to update your bookmarks and when I get the blog running I’ll post a notice.

For now, everything will stay the way it is and all content will still be in WordPress until I get the library all up and running the way I like, it’ll just be all on blog.phishworld.com

YEAH ME!!!


Phishers becoming stupid?

Aug 05 2010 Published by jayras under Posts

Looking at the batch of Phishes I got over the past week I swear these guys are becoming stupid.

Or just plain lazy.

Look at this new Phish I got:  Controversial Currency Transaction

Everything about it, from the lousy subject, the typical “engrish” to the pasting in of irrelevant garbage just screams Laziness!

Or else, they have no clue what they are doing…

Which is actually good news for the likes of you and me…the stupider they get, the easier it is to identify.

I even got a Phish that had the title of “Blizzard Entertainment Cataclysm beta” but it was a Password Change phish.

….lazy….

The number of Phishes are starting to increase, mainly on the Beta front, but I also got 3 Aion Phishes, which is triple what I’ve ever received!

Here’s the count:

14 Beta Phishes

2 “Illegal Transaction” Phishes.

3 Aion Phishes

2 “Hacker IP” Phishes

1 LOTR Phish

2 Password Phishes (Beta)

2 Account Selling Phishes

For a total of 25.  Been busy…

One of the e-mails I got linked to the domain “bate.blizzcon-logincheck.com”

Which I got a chuckle out of…get it?  BATE….Phish…HAR HAR HAR

On another note….there’s a new tool I found in the fight against Phishes (Well, new to me at least…)

This is a Firefox plugin called “Interclue” which I got for decoding shortened URLs before I click on them.

I was pleasantly surprised that, without fail, it recognized the links in these e-mails and popped up a warning saying these are reported Phishing links.

I *LOVE* it!!

You can get it here:

http://interclue.com/

and I recommend it highly.

Oh…one more thing…

As you may have been aware of (and if you aren’t you live under a rock…) Starcraft II was released.

There is an apparent targeted Phishing attack directed at receiving keys or registering keys.  I haven’t seen any of them yet, but here is a post with more information about it:

http://www.lazygamer.co.za/general-news/psa-starcraft-ii-accounts-being-phished/


Cataclysm Beta is Upon us…and boy are the Phishers active.

Jul 23 2010 Published by jayras under Posts

Miss my update last week?  Ya, well…so did I.  No excuse other than I was distracted.

But this week…we’ve got a new phish!!!

YAY!!! Let’s tear it apart, it’s a fun one!

Here’s the e-mail:

Return-Path: a_erika_a@hotmail.com
Received: from gfci ([116.217.116.2]) by BLU0-SMTP99.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 16 Jul 2010 08:42:15 -0700
From: “wowaccountadmin@blizzard.com” <donotrelpy@blizzard.com>
To: <jayras@gmail.com>
Subject: Account disable Notification

Dear players, As World of Warcraft’s development and operations service providers – Blizzard, we have been hard work for efforts to provide better and more just for the players of the game more balanced environment.
Just recently we found that some players to utilize a bug in World of Warcraft make improper business.
This is our fault, we are already investigating the matter.
And will ASAP to all players a satisfactory answer.
In this process, we need your cooperation. You need to log www.worldofwarcarft.com And verify your account login, account information has been to ensure authenticity.
Sincerely, Blizzard Customer Service

Let’s see here:

  • Header is from Hotmail, not Blizzard.
  • Link goes to: www.wow-bm.com  — Interesting domain, but not Blizzard
  • Spelling and English are HORRIBLE.
  • As an extra bonus, the Link text (With the “valid” domain name) is misspelled!

This email is an interesting topic.

Basically they are stating that there is a bug in World of Warcraft that apparently allows players to exploit to their advantage, whatever that is…but they implied they disabled your account accordingly.

Unfortunately for the Phisher (fortunately for us…) the e-mail is BAD, format bad, English bad, spelling bad…just bad BAD:

Dear players, As World of Warcraft’s development and operations service providers – Blizzard

Missing a return key there…so, there’s the first flag that something ain’t right.

And I love this line….

So, they’re Blizzard, World of Warcraft’s development and operations service providers….ya…umm..

WTF?  No, they are Blizzard Entertainment, a Game Software development company that also runs World of Warcraft…

“Operations service providers” they are not…they have an Operations Team/Department that runs World of Warcraft…a service provider they are not.

we have been hard work

forgot an “at” there?

for efforts

ummm…that doesn’t work….”hard at work” and “efforts” are pretty much the same thing…put them both together like that and your English teachers you had in high school will collectively scream and beat you with a ruler…it just don’t make no sense no how (Yes, that was on purpose!)

to provide better and more just

We all need more and better just.  You just can’t have enough just.  And the better the just is the justier it is…or…ya..WHAT?

for the players of the game more balanced environment.

But no Just for the player of the game in less balanced environment.

Just recently we found that some players

Starts off so well…

to utilize a bug in World of Warcraft

…and goes right to shit…

make improper business.

…and then hits bottom.

OMG teh players are make improper business!

I’ve seen that phrase in 3 separate phishes now.  This has to be a Babel Fish thing trying to translate some Chinese phrase into “Fraud” or “Illegal transaction” and missing the boat entirely.

This is our fault, we are already investigating the matter.

Not bad…not professional, a company would more likely put this like:  “We realize the exploit is due to a fault in the application and we are investigating the matter.”  Or something a little more professionally worded…but not that.

And will ASAP to all players a satisfactory answer.

And again they screw up and make one sentence 2 and make no sense.

In this process, we need your cooperation.

Here comes the hook…

You need to log www.worldofwarcarft.com And verify your account login, account information has been to ensure authenticity.

OMG, the hook has been bent in 18 different directions and looks more like a bird feeder.

WTF is that saying?

account information has been to ensure authenticity.

Wow…just….wow.

NOTE: Look at the domain…World Of Warcarft

That would be a brilliant domain if that is actually where it linked to, but it doesn’t link to it.

So, not only are they hiding their link behind another domain, they can’t even get that spelling right.

Comedy Gold.

But I digress…

So apparently there is a bug in the system that allows the players to gain something without the required effort.  We’ve seen this in the past with WOW and other games.  Some weird bug which allows you to do some simple action (like kill a beetle) and then get an enormous, unbalancing reward from it.  We’ve seen things like killing a level 8 beetle somewhere in one location that spit out 1,000 gold each kill or 1,000,000 experience points (or both?)

These are typically found, FAST and if anyone in between the introduction of the bug and the removal of the bug was exploiting said bug (beyond the “Hey, I tried it once and OMG”) would be, at least, temporarily banned for punishment.  In addition to removing the gains from the account.

I can’t think of one possible bug that could be exploited in any fashion that would put the account in any kind of state where the company running the account couldn’t figure out if the account was valid based on your e-mail.

So, again…asking for “Validating your account” has proven that only phishers need it.

Sincerely, Blizzard Customer Service

So, ya…Not Blizzard.

Here’s the roundup of the last 2 weeks of activity I’ve seen:

IP Range – 1

Selling account – 3

Account Change Confusion – 1

Occurred in the number of illegal transactions – 1

Aion Phish (Haven’t seen this one in a month) – 1

And in the past two weeks…whoa….a TON of Beta Phishes….10 of them.

So like my last update, I would like to take this moment and say:  Just don’t click the links.

None of them.  Just be safe and don’t click anything.  Even if it IS a legitimate e-mail, just don’t click the links.

Better to be safe than sorry, and some of the phishing e-mails are nothing more than a copy of the “official” email and they just changed the link.

For the Beta, there is no reason to click the links.  If you have been selected for the beta, just login to your account on battle.net and it will be Obvious you have access to Cataclysm.

If you aren’t selected for the Beta it will be obvious you aren’t.  There’s no slim chance you are missing something by not clicking the link.  It’s a box, with the cataclysm artwork, it’s about 3″ -5″ (Depending on your resolution) high, and it’s sitting next to your Lich King Box.

If you don’t see a box with Cataclysm on it next to your Lich King box, then you haven’t been selected for the Beta…and the link in the e-mail will not help you.  It will only hurt, cause my friend, you are getting fished.

Sorry folks, I just logged into my account and I see they did a little facelift.

It now looks like this:

Still it’s really stinking obvious whether or not you are in the beta…if you see that box you are in, if you don’t see the box you are not in.  And if the box isn’t there then no link ever provided to you will ever change that.

Period.

The Phishers are getting REALLY Sneaky with these emails.

The domains they are going to are getting REALLY Close to the real thing.  And in at least 2 attempts I’ve seen them use open SMTP Servers to change the SEND address to a blizzard Address.

These combined into one means these e-mails are REALLY dangerous.

Just

Don’t

Click.

Period.

I’ve engaged Google and asked them why an e-mail from an un-authorized SMTP server is allowed to get to my account with no flags:

http://www.google.com/support/forum/p/gmail/thread?tid=59c97b9827a11b41&hl=en

So far they haven’t replied…but I hope I can persuade them.


Busy Phishing Week: Cataclysm Beta is Live.

Jul 09 2010 Published by jayras under Posts

What a week.  Early this week the initial beta program for the Cataclysm expansion went live and the first wave of invites was sent out to the lucky players!

Of course that means we got a MASSIVE wave of Beta Phishing e-mails.

Fortunately for the player the Phishers aren’t all that original…and the e-mails that went out are the same we’ve all seen telling us to make sure our opt-ins are up to date.

But some did mention downloading the client.

So…for all of you that are eagerly awaiting your chance to get into the Beta here is the lowdown on how the beta works and some safety tips.

  • Yes, you do have to opt-in for the beta.  If you didn’t opt in then you won’t get invited.  Login to your account and make sure you have your beta profile up to date. (Don’t click any links in any e-mails…just login to your battle net account and update your profile.)
  • There isn’t some special, fancy-shmancy domain for the Beta, you get all the information and the link to the downloader from your Battle net account.  Not from any other website.
  • If (and when) you are selected to participate in the Beta you will receive a notification.  It will probably look a lot like the phishes.  So, just don’t trust any of them.   Just login to your battle net account (NOT using any links) and if you are indeed accepted in the beta you will see the box graphic for Cataclysm alongside the box graphic you have now for WOW.

  • There is no other location to download the Cataclysm installer.
  • If you think you have a secondary, legitimate location to download the installer, you don’t.  Only get it by clicking the link from your battle net account.
  • There are no Beta Keys…with the battle net account system the need for Beta keys went the way of the Dodo.
  • There is no other form you need to fill out.
  • There is no other reason to type in another bit of information to get into the beta. (Provided you have your beta profile updated.)

So, there it is.

I’ve said it before and I’m going to say it again:

YOU are the prime target for these phishers.

They’re getting sneaky.

If you have ANY doubt, just don’t click any links at all.

There is no necessary reason to click the links.

Everything you need can be gotten by logging into your battle net account.

Here’s the rundown of the Phishes I got this past week:

  • 11 Beta
  • 3 Selling Account
  • 1 3rd party
  • 1 corrected IP
  • 2 In view of Recent…  (Haven’t seen this one in MONTHS and I get two right in a row…)
  • 1 Account Change Confusion


Lots of Phishes and new twists

Jul 02 2010 Published by jayras under Posts

Over the past couple of days I’ve gotten 7 phishes.

Mainly the usual stuff with Account Changes, Beta sign ups, banned IP’s

But then there’s a new one.  Well, not really new…it’s very similar to “In view of recent…” but with a “Good Times” twist:

New Phish

My favorite part of the new one:

your account occurred in the number of illegal transactions in a very long period of time.

Ooooh…sends chills up your spine.  The legal speak of it is just flawless and is so ominous you just HAVE to act now and click the link.

OK, so I jest…it’s Engrish in its finest form and I don’t know WTF they are talking about.

————————————————————————————————————

New fashion in the Phishing world:  Incident or Case Numbers.

Lately, I’m getting a lot of “Issue #” or “Case #” or “Incident #” on the end of the subjects of the phishes.

I’m guessing this is an attempt to make them sound much more official.  ’Cause after all there is a number I can now reference if I need to talk to somebody about the issue.

And I’m sure when I call Blizzard and give them this number it’ll make sense to them…or NOT.

Domains being used by these Phishers are getting more creative:

  • batltle.net
  • www.worldefwaroraft.com
  • www.wow-identification.com

Then there’s this idiot:

www.worldofwarcraft-logins-blizzardaccounts.com:8088

Well, create a nice domain that could conceivably make someone think it’s legit.

Then hook up the website on port 8088

So, if you are behind any firewall or proxy at all there is a 94.325% chance you can’t even get to the website.

(For those of you that aren’t as geeky as I am…Web Traffic goes on port 80, and pretty much anything over 900 is blocked automatically by firewalls.  There used to be a convention used by some webmasters to put in dev websites up on port 8080, but port 8088 would be foreign to anyone.)

Oh well, one more chance someone who mistakenly clicks a link won’t get hacked.

————————————————————————————————————–

Speaking of which, let me digress for a few minutes.

Apparently users (or maybe it’s the tech support) of “My Space” seem to have the complete wrong definition of “getting phished”

Do a search on Twitter for “Phished” and you get a ton of posts by My Space users who have gotten hacked and people taking over their accounts but they always post something like “sheesh…I got phished again”

Either that, or they are getting phished and are just too light headed to stop clicking links in e-mails?


They’re getting sneakier!

Jun 28 2010 Published by jayras under Posts

So, for those that asked (and care) my back is doing much better.

I managed to last 3 days+ of not sneezing, but then managed to sneeze 5 times on Saturday…all “normal” sneezes that just had a twinge on my already damaged back and nothing catastrophic again.

Over the past week I’ve received 10 phish e-mails. 4 Bad Beta Barrages, 2 Account Change crack ups. 1 Facebook funkiness Phish.

And then 3 strange ones…

First…

This one looks to be a new variant on the Corrected Hacker IP Phish, it uses the 3 IP Ranges, but at least this time the 3 IP ranges are all the same.

It’s the domain it links to that makes it stand out. It’s SNEAKY!!

The link displays in the e-mail as:

http://us.battle.net/login.xml?ref=https%3A%2F%2Fus.battle.net%2Faccount%2Fmanagement%2Findex.xml&app=bam

But the actual link is (Remember folks, don’t go to these addresses, they are purposely not set as links you can click!)

http://us.battle.net-https3asfdffaa2f3f5g-worldofwarcraft.com/

Now, if you remember from earlier lessons, work backwards to see who is the owner of the domain, based on periods (.)

So…break this one apart (working backwards) you get:

  • com – Standard, almost everything is a COM…we’re good so far.
  • net-https3asfdffaa2f3f5g-worldofwarcraft

Here is where it starts…

After the net is NOT a period, it’s a dash, so that’s not a domain separator so that’s not the end of the domain segment. It’s net-https3….which is basically some well-crafted face rolling.

We’ve all seen links crop up, that are a lot like the displayed link…with %3A’s and %2F’s and the like.

These are called “escape codes” that are done to prevent invalidating a URL, %3A is actually a colon ( : ), %2F is actually a slash ( / )

But in the domain above they left out the %’s (Which aren’t allowed in domain names) and put in some gobbledygook that’s similar to trick you into thinking the net was the end of the domain and the rest is just part of the URL that we see everywhere.

Then the rest:

  • battle
  • us

So by lessons earlier…the domain is a COM domain (originally for commercial use, but turned into the “default” domain)

And the domain name is : net-https3asfdffaa2f3f5g-worldofwarcraft

Which looks like worldofwarcraft, but isn’t.

Like I said, SNEAKY!

Oh…and not Blizzard.
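The “work backwards on the periods” check, together with the displayed-link-versus-real-link mismatch and the odd port seen in the earlier teardowns, written out as an added example (not part of the original post). The `TRUSTED` set and all function names are assumptions made for illustration, the HTML is constructed from the links quoted on this page, and the two-label rule only holds for .com/.net style names.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains this reader actually expects account mail to link to.
TRUSTED = {"battle.net", "blizzard.com", "worldofwarcraft.com"}

# Constructed sample body built from the displayed/actual links quoted above.
SAMPLE = """
<a href="http://us.battle.net-https3asfdffaa2f3f5g-worldofwarcraft.com/">http://us.battle.net/login.xml?ref=https%3A%2F%2Fus.battle.net%2Faccount%2Fmanagement%2Findex.xml&amp;app=bam</a>
<a href="http://www.wow-bm.com">www.worldofwarcarft.com</a>
<a href="http://www.worldofwarcraft-logins-blizzardaccounts.com:8088">Login</a>
<a href="https://us.battle.net/account/">us.battle.net/account</a>
"""


def registrable_domain(host):
    """Work backwards on the periods and keep the last two labels.

    Naive on purpose: right for .com/.net names like the ones in this post,
    wrong for multi-part suffixes such as .co.uk (those need a suffix list).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def split_host_port(text):
    """Return (hostname, port) for a URL or for bare text like 'www.x.com/y'."""
    text = text.strip()
    if not text.lower().startswith(("http://", "https://")):
        text = "http://" + text
    parts = urlsplit(text)
    return parts.hostname or "", parts.port


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text):
    """Return a list of reasons the link deserves suspicion (empty = none)."""
    findings = []
    host, port = split_host_port(href)
    real = registrable_domain(host)
    if real not in TRUSTED:
        findings.append("untrusted-domain:" + real)
    # Only compare when the visible text itself looks like an address.
    if text and " " not in text and "." in text:
        shown = registrable_domain(split_host_port(text)[0])
        if shown != real:
            findings.append("text-mismatch:" + shown)
    if port not in (None, 80, 443):
        findings.append("odd-port:%d" % port)
    return findings


def scan(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return [(href, check_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, findings in scan(SAMPLE):
        print(href, "->", findings or "ok")
```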

And then there’s more sneakiness…

I got 2 e-mails that made it look like my account and characters are being restored from a hack.

Not having been hacked, I know this is obviously a Phish. My guess is the phishers are attempting to blast out these e-mails to hit someone who is already hacked (Which doesn’t make ANY Sense at all…as the account is already hacked, or the user is hopefully a lot more skeptical on these things by now…)

Or they are trying to invoke the “Panic response” from people. The ones that aren’t currently logged in…catching up on their e-mails. See this e-mail and PANIC and scream “OMG what happened??!!!??” and click the link to find out and then BOOM…GOT YA…Hook, line and sinker…

Content of the e-mail is fairly coherent, and I can believe it’s a copy from an actual e-mail one would receive when getting restored. (Can’t validate it 100% though.)

The e-mail has 3 links, 2 of them are “safe”, but one is not.

It’s fairly obvious too. The displayed link and where the link takes you are the same: wowarmybattle.com

So ya, not Blizzard.

The second e-mail is a list of items restored. All real items, but nothing any of my characters would be caught dead wearing (Diabolic Skiver and Scholomance Gear??)

Just one link in this one going to: blizzard-game-info-admin.com

Which is not Blizzard.


Beta Phish with the finest Engrish

Jun 10 2010 Published by jayras under Posts

Got one of them whoppers in e-mail this morning, a Phish about the Cataclysm Beta with the best English I have ever seen.

OK, I lie…it’s HORRID…but, it can be fun…right?

(Full e-mail will be appended to the page here Phish: Cataclysm Beta )

World of Warcraft in order to inform all the players,

Wow, right off the bat…

Obviously this was done using Babel Fish or some other online, FREE, translation tool.

I’m assuming they meant: In order to inform all World of Warcraft Players.

But even then, why would you start off an official e-mail that way.  You end up sounding like you are apologizing for intruding on their inbox to give them good news….whatever.

the system will send this notice to each player is bound mailbox.

Each player is bound…how kinky!

Wait…you are saying that if I get this I’m bound to my mailbox?  I don’t even HAVE a mailbox!!

Unless you mean that little PO Box thingy I have in our apartment complex?  Wow, that is Kinky!

World of Warcraft is about to open 85, open beta soon.

STAND BACK!!! They’re about to open 85!!!

You remember what happened when they opened 84, poor snuffles…the fur never did grow back right.

And if that wasn’t enough, open beta soon!

To prevent data errors, please activate the player to the address below.

Ha!! To prevent data errors…right, active player here…right….thank you for proving the point that you AREN’T BLIZZARD.

Thank you players with.

With WHAT?  With kinky mailbox bondage fantasies?  Is that what you are trying to say but the censors stopped you?

To verify your identity please visit the following webpage:

[Link that is not Blizzard]

Excuse me, let me interrupt you with a little LOGIC CHECK!!

Didn’t you pretty much just verify my identity by looking me up in the system and sending me this e-mail?

What’s that you say?  Oh…you don’t know who I am?

Then I wouldn’t be VERIFYING MY IDENTITY, I would be handing over my identity to some punk in an Asian country that doesn’t even have the common decency to learn how to ask me properly!

And that’s it…everything below they copied from someone else…someone that COULD speak English.

One final note, below you see they are asking you to wait for 2 days so Blizzard can verify who you are and not to change your account ’cause that would just confuse them.

Ya, right…Like a verification system would take more than 2 microseconds…what do you think this is?  the ’70s?

Blizzard staff will verify your account information submitted in two days, please do not modify your account information during this time . It will not affect your game uptime.If you are unable to successfully verify your password .using the automated system, please contact Billing & Account Services at 1-800-59-BLIZZARD (1-800-592-5499) Mon-Fri, 8am-8pm Pacific Time or at billing@blizzard.com. Account security is solely the responsibility of the account holder. Please be advised that in the event of a compromised account, Blizzard representatives typically must lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.

Regards,

The World of Warcraft Support Team Blizzard Entertainment

…and in case you couldn’t tell…this didn’t come from Blizzard.
