New Phishes and I’m moving!

Aug 13 2010 Published by jayras under Posts

Well, looks like the level of Phish activity wasn’t as frantic as it was last week, but I still did get a fair number of Phishes.

Including 2 new phishes!!

Suspicious Activity is a lovely little Phish where they are saying your payment has been canceled due to suspicious activity and you have to login to verify…wait…locked…logged in…AAAAHH!!

Automatic Recovery is a really neat Phish.  This one claims they have a new website for recovering hacked accounts, which requires you to visit a site and wait for 2 days while they investigate.  And then…and this is the best part…if you don’t hear from them in 2 days, do it all over again!

Here are the counts of last week’s activity:

5 Beta

1 Account Change Confusion

1 Controversial Account Transaction

3 Selling Account

3 Account Invasion

On another note:  I feel I’ve reached the limits of patience with trying to do a Phish Library in WordPress.  It’s a great blogging tool, and I’ll still use WordPress for my blog.  But trying to keep a library of pages just doesn’t fit in WordPress’ feature set.

So, it inspired me to get a real domain!!!

Yes, that’s right

I’ve got an official domain for this wonderful site now:

Welcome to PhishWorld.com!

The world of Phishes, all for you at a low LOW price of just $19.95

…ok, maybe not

But ya, http://phishworld.com is up (Although not a lot is there…just my fish tank.) and the blog should be up in short order over at:

http://blog.phishworld.com

So, get ready to update your bookmarks and when I get the blog running I’ll post a notice.

For now, everything will stay the way it is and all content will still be in WordPress until I get the library all up and running the way I like, it’ll just be all on blog.phishworld.com

YEAH ME!!!


Lots of Phishes and new twists

Jul 02 2010 Published by jayras under Posts

Over the past couple of days I’ve gotten 7 phishes.

Mainly the usual stuff with Account Changes, Beta sign ups, banned IPs.

But then there’s a new one.  Well, not really new…it’s very similar to “In view of recent…” but with a “Good Times” twist:

New Phish

My favorite part of the new one:

your account occurred in the number of illegal transactions in a very long period of time.

Ooooh…sends chills up your spine.  The legal speak of it is just flawless and is so ominous you just HAVE to act now and click the link.

OK, so I jest…it’s Engrish in its finest form and I don’t know WTF they are talking about.

————————————————————————————————————

New fashion in the Phishing world:  Incident or Case Numbers.

Lately, I’m getting a lot of “Issue #” or “Case #” or “Incident #” on the end of the subjects of the phishes.

I’m guessing this is an attempt to make them sound much more official.  ’Cause after all there is a number I can now reference if I need to talk to somebody about the issue.

And I’m sure when I call Blizzard and give them this number it’ll make sense to them…or NOT.

Domains being used by these Phishers are getting more creative:

  • batltle.net
  • www.worldefwaroraft.com
  • www.wow-identification.com

Then there’s this idiot:

www.worldofwarcraft-logins-blizzardaccounts.com:8088

Well, create a nice domain that could conceivably make someone think it’s legit.

Then hook up the website on port 8088.

So, if you are behind any firewall or proxy at all there is a 94.325% chance you can’t even get to the website.

(For those of you that aren’t as geeky as I am…Web Traffic goes on port 80, and pretty much anything over 900 is blocked automatically by firewalls.  There used to be a convention used by some webmasters to put dev websites up on port 8080, but port 8088 would be foreign to anyone.)

Oh well, one more chance that someone who mistakenly clicks a link won’t get hacked.

————————————————————————————————————–

Speaking of which, let me digress for a few minutes.

Apparently users (or maybe it’s the tech support) of “My Space” seem to have the completely wrong definition of “getting phished”.

Do a search on Twitter for “Phished” and you get a ton of posts by My Space users who have gotten hacked and people taking over their accounts but they always post something like “sheesh…I got phished again”

Either that, or they are getting phished and are just too light-headed to stop clicking links in e-mails?


They’re getting sneakier!

Jun 28 2010 Published by jayras under Posts

So, for those that asked (and care) my back is doing much better.

I managed to last 3 days+ of not sneezing, but then managed to sneeze 5 times on Saturday…all “normal” sneezes that just had a twinge on my already damaged back and nothing catastrophic again.

Over the past week I’ve received 10 phish e-mails. 4 Bad Beta Barrages, 2 Account Change crack ups. 1 Facebook funkiness Phish.

And then 3 strange ones…

First…

This one looks to be a new variant on the Corrected Hacker IP Phish, it uses the 3 IP Ranges, but at least this time the 3 IP ranges are all the same.

It’s the domain it links to that makes it stand out. It’s SNEAKY!!

The link displays in the e-mail as:

http://us.battle.net/login.xml?ref=https%3A%2F%2Fus.battle.net%2Faccount%2Fmanagement%2Findex.xml&app=bam

But the actual link is (Remember folks, don’t go to these addresses, they are purposely not set as links you can click!)

http://us.battle.net-https3asfdffaa2f3f5g-worldofwarcraft.com/

Now, if you remember from earlier lessons, work backwards to see who is the owner of the domain, based on periods (.)

So…break this one apart (working backwards) you get:

  • com – Standard, almost everything is a COM…we’re good so far.
  • net-https3asfdffaa2f3f5g-worldofwarcraft

Here is where it starts…

After the net there is NOT a period, it’s a dash. A dash is not a domain separator, so that’s not the end of the domain segment. It’s net-https3…, which is basically some well-crafted face rolling.

We’ve all seen links crop up that are a lot like the displayed link…with %3A’s and %2F’s and the like.

These are called “escape codes” (percent-encoding), used so that special characters don’t invalidate a URL: %3A is actually a colon ( : ) and %2F is actually a slash ( / ).

But in the domain above they left out the %’s (which aren’t allowed in domain names) and put in some similar-looking gobbledygook to trick you into thinking the net was the end of the domain and the rest is just part of the URL that we see everywhere.

Then the rest:

  • battle
  • us

So by lessons earlier…the domain is a COM domain (originally for commercial use, but turned into the “default” domain)

And the domain name is : net-https3asfdffaa2f3f5g-worldofwarcraft

Which looks like worldofwarcraft, but isn’t.

Like I said, SNEAKY!

Oh…and not Blizzard.
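The same work-backwards check, written out as an added example (not code from the original post). The `TRUSTED` allow-list and the function names are assumptions made for illustration, and the two-label rule is a simplification that suits `.com` and `.net` hosts like the ones above.

```python
from urllib.parse import urlsplit

# Assumption for this example: registrable domains the reader trusts.
TRUSTED = {"battle.net", "blizzard.com", "worldofwarcraft.com"}

def _split(url):
    # Bare hosts such as "example.com:8088" need a scheme to parse reliably.
    return urlsplit(url if "://" in url else "http://" + url)

def registrable_domain(url):
    """Work backwards from the last dot and keep the final two labels.
    Simplification: suffixes like co.uk need the Public Suffix List."""
    host = (_split(url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])

def check_link(displayed, actual, trusted=TRUSTED):
    """Compare the link text shown in an e-mail with where it really goes."""
    parts = _split(actual)
    host = parts.hostname or ""
    shown, real = registrable_domain(displayed), registrable_domain(actual)
    findings = []
    if shown != real:
        findings.append(f"text shows {shown} but link goes to {real}")
    if real not in trusted:
        findings.append(f"{real} is not a trusted domain")
        # A trusted name inside an untrusted host is bait, not ownership.
        for name in sorted(trusted):
            if name in host:
                findings.append(f"host embeds trusted name {name} as bait")
    if parts.port not in (None, 80, 443):
        findings.append(f"non-standard port {parts.port}")
    return findings

if __name__ == "__main__":
    # Link text and target as quoted in the post above.
    shown = ("http://us.battle.net/login.xml?ref=https%3A%2F%2Fus.battle.net"
             "%2Faccount%2Fmanagement%2Findex.xml&app=bam")
    target = "http://us.battle.net-https3asfdffaa2f3f5g-worldofwarcraft.com/"
    for finding in check_link(shown, target):
        print(finding)
```
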

And then there’s more sneakiness…

I got 2 e-mails that made it look like my account and characters are being restored from a hack.

Not having been hacked, I know this is obviously a Phish. My guess is the phishers are attempting to blast out these e-mails to hit someone who is already hacked (Which doesn’t make ANY Sense at all…as the account is already hacked, or the user is hopefully a lot more skeptical on these things by now…)

Or they are trying to invoke the “Panic response” from people. The ones that aren’t currently logged in…catching up on their e-mails. See this e-mail and PANIC and scream “OMG what happened??!!!??” and click the link to find out and then BOOM…GOT YA…Hook, line and sinker…

Content of the e-mail is fairly coherent, and I can believe it’s a copy from an actual e-mail one would receive when getting restored. (Can’t validate it 100% though.)

The e-mail has 3 links, 2 of them are “safe”, but one is not.

It’s fairly obvious too. The displayed link and where the link takes you are the same: wowarmybattle.com

So ya, not Blizzard.

The second e-mail is a list of items restored. All real items, but nothing any of my characters would be caught dead wearing (Diabolic Skiver and Scholomance Gear??)

Just one link in this one going to: blizzard-game-info-admin.com

Which is not Blizzard.

Recycling Phishes and a drugged up Yoda Phish.

Jun 22 2010 Published by jayras under Posts

Well, since my last post I got 5 phishes.  So I guess they are still out there to get me.

I got a new Phish…about Aion…which I have never played.

Here it is.

The first sentence of this Phish makes it sound like it’s Yoda, on Acid, that was hit by a 2X4 in the back of the head.

Then…

I got 2 more Beta invites for the Cataclysm Beta.  Content is nothing special, just a copy paste from the Cataclysm page.

One of them, however, forgot to change the subject.  It was “Account Administration”

Sloppy…sloppy…sloppy…

I got two Phishes that I haven’t seen in a very long time.  One was the one that stated my payment method has violated 3rd parties.

I’m still trying to figure out what that could possibly mean.  Are they talking about a stolen credit card?  Or is a Mastercard, from Key Bank, in Dogspatch, CA offensive to the sensibilities of the billing system?

Other one was a “You’re selling your account” Phish…blah.

If that wasn’t all….

On the bus ride to work this morning I sneezed.

No big deal right?

Well, when I sneezed I got this sharp, BURNING, pain in my lower back/side

It hurt like a bugger!

Then 20 minutes later I sneezed again, and it hurt WORSE.

So I went to the doctor, they said it was probably nothing more than straining a muscle, or worst case I ripped a muscle or tendon.  They shot me up with Dilaudid, which made me really loopy, but like Vicodin made my nose itch like a son of a bitch.

Have to add that to a list of drugs to avoid.

They gave me a prescription of Oxycodone, which doesn’t make my nose itch.  Theoretically I can go to work tomorrow, if I can stand walking…we’ll see.

YEAH ME!


I now understand…

Jun 04 2010 Published by jayras under Posts

I ran across this Picture < http://failblog.org/2010/06/01/epic-fail-photos-purchase-fail/ >

And I’m still in shock.

But, then again, it’s now dawned on me how these Phishes can work.  I now understand that there are people out there in this world that will fall for ANYTHING.

If a couple can be duped into…

paying $500 for a paper copy of a real license plate…

and stick it on their car with band aids…

from a house…

with an old couch on the porch…

and think that’s perfectly valid and legal…

then I can believe that there are people in this world that think this < Phish: The problem of account invasion is getting worse and worse >

Is a valid e-mail…

from the actual company…

talking about a real product…

that can be delivered by e-mail…

and the links should be completely trusted.

It’s baffling and a little sad, but I now get it.

Hopefully my view on things, and my humorous slant on these e-mails, will help educate more people.

If I can just stop one person from clicking the link, then maybe I can regain some hope.

Yesterday I only managed to get one Phish e-mail, and it was the old Account Change phish, but a new variant has shown up.

This time I was told my Authenticator was reset.

Confusingly enough, if I did this on purpose I’m told to disregard the e-mail, but then I’m told that resetting your authenticator will prevent you from being able to login to my account.

Come on guys…which one is it?  Do I disregard or do I have to do something?

…oh ya…it’s not Blizzard, so nevermind.