Phish: Bug Exploit

Here’s the e-mail:

Return-Path: a_erika_a@hotmail.com
Received: from gfci ([116.217.116.2]) by BLU0-SMTP99.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 16 Jul 2010 08:42:15 -0700
From: “wowaccountadmin@blizzard.com” <donotrelpy@blizzard.com>
To: <jayras@gmail.com>
Subject: Account disable Notification

Dear players, As World of Warcraft’s development and operations service providers – Blizzard, we have been hard work for efforts to provide better and more just for the players of the game more balanced environment.
Just recently we found that some players to utilize a bug in World of Warcraft make improper business.
This is our fault, we are already investigating the matter.
And will ASAP to all players a satisfactory answer.
In this process, we need your cooperation. You need to log www.worldofwarcarft.com And verify your account login, account information has been to ensure authenticity.
Sincerely, Blizzard Customer Service

Let’s see here:

  • Header is from Hotmail, not Blizzard.
  • Link goes to: www.wow-bm.com  — Interesting domain, but not Blizzard
  • Spelling and English are HORRIBLE.
  • As an extra bonus, the Link text (With the “valid” domain name) is misspelled!
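The same checks can be automated. This is an added example, not part of the original post: a short Python script that flags the Return-Path/From mismatch, the link text that differs from its real target, and link text that is a near-miss spelling of a real domain. The HTML anchor in the sample and the `LEGIT` allow-list are assumptions, since the post only shows the plain text of the e-mail.

```python
import email
from difflib import SequenceMatcher
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: headers are from the post; the HTML anchor is an assumed
# reconstruction of how the link text and the real target were paired.
RAW = '''Return-Path: a_erika_a@hotmail.com
From: "wowaccountadmin@blizzard.com" <donotrelpy@blizzard.com>
Content-Type: text/html

<p>You need to log <a href="http://www.wow-bm.com/">www.worldofwarcarft.com</a></p>
'''
LEGIT = ("blizzard.com", "worldofwarcraft.com")  # assumed allow-list of real domains

def reg_domain(host):  # naive last-two-labels cut, not a public-suffix lookup
    return ".".join(host.lower().strip(".").split(".")[-2:])

class Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        if self.href:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href:
            self.found.append((self.href, self.text.strip()))
            self.href = None

def analyze(raw):
    msg, flags = email.message_from_string(raw), []
    sender = reg_domain(parseaddr(msg["From"])[1].rsplit("@", 1)[-1])
    bounce = reg_domain(parseaddr(msg["Return-Path"])[1].rsplit("@", 1)[-1])
    if sender != bounce:
        flags.append(("return-path-mismatch", bounce))
    links = Links()
    links.feed(msg.get_payload())
    for href, text in links.found:
        target, shown = reg_domain(urlparse(href).hostname or ""), reg_domain(text)
        if shown != target:
            flags.append(("link-text-mismatch", target))
        # Close to a real domain but not equal to it: likely a typo or lookalike.
        if any(0.85 <= SequenceMatcher(None, shown, g).ratio() < 1 for g in LEGIT):
            flags.append(("lookalike-link-text", shown))
    return flags
```

Running `analyze(RAW)` on the sample returns all three flags; a message whose Return-Path, From and link all agree with a real domain returns an empty list.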

This email is an interesting topic.

Basically they are stating that there is a bug in World of Warcraft that players can apparently exploit to their advantage, whatever that is…but they implied they disabled your account accordingly.

Unfortunately for the Phisher (fortunately for us…) the e-mail is BAD, format bad, English bad, spelling bad…just bad BAD:

Dear players, As World of Warcraft’s development and operations service providers – Blizzard

Missing a return key there…so, there’s the first flag that something ain’t right.

And I love this line….

So, they’re Blizzard, World of Warcraft’s development and operations service providers….ya…umm..

WTF?  No, they are Blizzard Entertainment, a Game Software development company that also runs World of Warcraft…

“Operations service providers” they are not…they have an Operations Team/Department that runs World of Warcraft…a service provider they are not.

we have been hard work

forgot an “at” there?

for efforts

ummm…that doesn’t work….”hard at work” and “efforts” are pretty much the same thing…put them both together like that and the English teachers you had in high school will collectively scream and beat you with a ruler…it just don’t make no sense no how (Yes, that was on purpose!)

to provide better and more just

We all need more and better just.  You just can’t have enough just.  And the better the just is the justier it is…or…ya..WHAT?

for the players of the game more balanced environment.

But no Just for the player of the game in less balanced environment.

Just recently we found that some players

Starts off so well…

to utilize a bug in World of Warcraft

…and goes right to shit…

make improper business.

…and then hits bottom.

OMG teh players are make improper business!

I’ve seen that phrase in 3 separate phishes now.  This has to be a Babel Fish thing trying to translate some Chinese phrase into “Fraud” or “Illegal transaction” and missing the boat entirely.

This is our fault, we are already investigating the matter.

Not bad…not professional, a company would more likely put this like:  “We realize the exploit is due to a fault in the application and we are investigating the matter.”  Or something a little more professionally worded…but not that.

And will ASAP to all players a satisfactory answer.

And again they screw up, turn one sentence into 2, and make no sense.

In this process, we need your cooperation.

Here comes the hook…

You need to log www.worldofwarcarft.com And verify your account login, account information has been to ensure authenticity.

OMG, the hook has been bent in 18 different directions and looks more like a bird feeder.

WTF is that saying?

account information has been to ensure authenticity.

Wow…just….wow.

NOTE: Look at the domain…World Of Warcarft

That would be a brilliant domain if that is actually where it linked to, but it doesn’t link to it.

So, not only are they hiding their link behind another domain, they can’t even get that spelling right.

Comedy Gold.

But I digress…

So apparently there is a bug in the system that allows the players to gain something without the required effort.  We’ve seen this in the past with WOW and other games.  Some weird bug which allows you to do some simple action (like kill a beetle) and then get an enormous, unbalancing reward from it.  We’ve seen things like killing a level 8 beetle somewhere in one location that spit out 1,000 gold each kill or 1,000,000 experience points (or both?)

These are typically found, FAST, and anyone who was exploiting said bug between its introduction and its removal (beyond the “Hey, I tried it once and OMG”) would be, at least, temporarily banned as punishment, in addition to having the gains removed from the account.

I can’t think of one possible bug that could be exploited in any fashion that would put the account in any kind of state where the company running the account couldn’t figure out if the account was valid based on your e-mail.

So, again…asking you to “validate your account” is something only phishers need.

Sincerely, Blizzard Customer Service

So, ya…Not Blizzard.
