Phish: Automatic Recovery

Here’s the e-mail:

Return-Path: swalterbentley@hotmail.com
Received: from wowff.com ([98.126.10.159]) by BLU0-SMTP59.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Mon, 9 Aug 2010 18:27:52 -0700
Sender: swalterbentley@hotmail.com
From: “wowaccountadmin”
To: <jayras@gmail.com>
Subject: World of Warcraft Account Password verification

Greetings ,

We have determined that the World of Warcraft account MUZU been accessed/compromised by someone not authorized to do so by the World of Warcraft Terms of Use (http://www.worldofwarcraft.com/legal/termsofuse.html).

To protect your privacy and security, we have temporarily disabled this account. Any recurring subscriptions have been suspended to prevent further monetary charges. In order to regain access to the account, you must complete the steps below to secure the account and your computer.

Please keep this email for your reference until the account recovery process has been completed.

STEP 1: SECURE THE ACCOUNT, YOUR COMPUTER AND YOUR EMAIL ADDRESS
Account compromises most often occur when a player shares login information with an unauthorized third party or plays on a computer that has a virus, Trojan, or key-logger. We recommend following the http://us.battle.net/security/checklist.html on our Account Security site at http://us.battle.net/security/index.html.

STEP 2: RECOVER THE ACCOUNT
We now provide a secure website for you to verify that you have taken the appropriate steps to secure the account, your computer, and your email address. Please go to this site and follow the instructions:

http://us.battle.com/account/support/password-reset-confirm.htm?ticket=BC9E6EFC85206C409C5A42AE45F2373752E47BCA161020F76C40DC2D8C7

STEP 3: VERIFY YOUR SUBMISSION WAS RECEIVED
We will contact you with further instructions once we have received and processed your submission. If you do not receive a reply within 48 hours of submitting this form, please resend it from the address listed above.

Please be aware that if unauthorized access to this account continues after the recovery process is complete, it may lead to further action against the account.

Regards,

Neil G.
Game Master Bahrdrak
Customer Services
Blizzard Entertainment
www.blizzard.com/support

Let’s see here:

  • Header shows the e-mail is from Hotmail.
  • No Personalized Greeting
  • They list an account name of “MUZU” which is no longer possible.
  • Link goes to eu.btttle.net
  • Another link goes to eu.battlp.com. Double danger on this one…
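The header and link checks from the list above can be automated. This is an added example, not part of the original post: it flags a sender domain outside the brand's own domains and any link host whose name is a near miss of a genuine one. The allowlist, the two-edit threshold, the function names and the shortened sample message are assumptions made for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumed allowlist: the genuine domains that appear in the e-mail text.
LEGIT = {"battle.net", "worldofwarcraft.com", "blizzard.com"}

# Constructed sample: sender and hosts copied from the post, body shortened.
SAMPLE = """\
Return-Path: swalterbentley@hotmail.com

Terms of Use (http://www.worldofwarcraft.com/legal/termsofuse.html).
Recover: http://us.battle.com/account/support/password-reset-confirm.htm
Link targets reported in the post: http://eu.btttle.net/ http://eu.battlp.com/
"""

def registrable(host):
    """Naive last-two-labels domain; fine for .com/.net, wrong for co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):  # Levenshtein distance, one rolling row
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def classify(host):
    """'legit', 'lookalike of <domain>' (name within 2 edits, any TLD) or 'unrelated'."""
    dom = registrable(host)
    if dom in LEGIT:
        return "legit"
    name = dom.rpartition(".")[0]
    for good in sorted(LEGIT):
        if edit_distance(name, good.rpartition(".")[0]) <= 2:
            return "lookalike of " + good
    return "unrelated"

def audit(raw):
    """List (kind, domain, verdict) for the sender and every non-legit link."""
    msg = message_from_string(raw)
    sender = msg.get("Return-Path", "").strip("<> ").rpartition("@")[2]
    findings = [("sender", registrable(sender), classify(sender))]
    for url in re.findall(r'https?://[^\s)>"]+', msg.get_payload()):
        host = urlparse(url).hostname or ""
        if classify(host) != "legit":
            findings.append(("link", host, classify(host)))
    return findings
```

Calling `audit(SAMPLE)` reports the Hotmail sender as unrelated to the brand and all three link hosts as lookalikes of battle.net, while the genuine Terms of Use link passes.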

OK, this e-mail is a trip.
First big mistake they made is actually specifying an account name in the body of the e-mail.

We have determined that the World of Warcraft account MUZU been accessed/compromised by someone not authorized

Since the phisher really has no idea who you are, they have a one in 30 million chance of getting this right (assuming they are actually specifying a valid account name).
The problem here is that they aren’t specifying a valid account name. Long ago Blizzard decided to have all WOW accounts authenticate through Battle.net.
Battle.net accounts use the e-mail address as the account name, which means an account name of “MUZU” is no longer possible.

Ooops. Guess they missed that memo?

Step 2 is a new one. They are claiming Blizzard has locked your account, but that they have a recovery website for you to “verify that you have taken the appropriate steps to secure the account.”
Which would mean they would have to find some way to scan your computer for viruses/malware/trojans, validate that you have the appropriate patches (not to mention they must have a list of the appropriate patches) and somehow verify that you secured your e-mail with a new password, or even created a new e-mail account.
If Blizzard DID have that ability, they could simply add that to the Launcher and there would be no more hacked accounts EVER!!
But since the vast majority of that currently requires human intervention, they can’t do that.

But, then we have step 3:

We will contact you with further instructions once we have received and processed your submission.

Which would imply they can’t do that automatically and are asking you a bunch of questions to be evaluated at a later time.

Now, this next bit is my favorite part of the e-mail:

If you do not receive a reply within 48 hours of submitting this form, please resend it from the address listed above.

WOW, that is just BRILLIANT!
They are basically saying this verification process can take up to 2 days.
Which gives the phisher a free 2-day pass to strip your account down.
Then, to add insult to injury, they advise you to go through the same phishing steps if you don’t hear back from them, giving them more chances to ensure you gave them the proper information to get into your account for another 2 days!

So, if you fall for this one, you get a chance to fall for it twice!!

Oh ya…BTW…Not Blizzard.
