Phish: Hacker IPs – The corrected version.

Here’s the e-mail:

Return-Path: tx_rose_71@hotmail.com
Received: from xeo ([59.175.118.208]) by BLU0-SMTP16.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Sun, 13 Jun 2010 18:52:58 -0700
From: "wowaccountadmin@blizzard.com" <wowaccountadmin@blizzard.com>
To: <jayras@gmail.com>
Subject: Login IP Blacklisted

Greetings,

This is an automated notification sent from our account security system. You logined your account successfully at 17:40 on June 12th form the 203.57.127.* IP range. According to the report of many players, we found that the account published spam information in the game which harassed other users seriously. This action has violated the EULA.

As too many customers’ complaints, the IP range above has been blacklisted. We are concerned about whether your account has been stolen. In order to guarantee the legitimacy of your account, we need you check your account status here as soon as possible. If you have any questions, please visit http://us.battle.net.

Account security is solely the responsibility of the accountholder. Please be advised that in the event of a compromised account, Blizzard representatives will typically lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.
1pvhhvbsyehowbyl5jlrtbzbk6hocts0f
Regards,
0t2blcs4xehrgtpnskamhjdgfhnqzp7zh
Blizzard Account System
Blizzard Entertainment

So, let’s see here…

  • Header shows e-mail is from Hotmail.
  • Bad English and misspellings.
  • Link goes to: www.blizzard-status-info.com

Well, well, well…

You can teach a hacker new tricks…

This is almost word for word the same as the “Hacker IP” Phish, but they fixed it so it doesn’t look like they are COMPLETE Morons.

Of course, they still can’t speak English so it’s not hard to say this is a Phish and not real…

You logined your account successfully

That is kind of like a double negative…a double positive?

As too many customers’ complaints

That made no sense in the first e-mail…and still doesn’t make any sense…

In order to guarantee the legitimacy of your account, we need you check your account status here as soon as possible.

You just banned my IP so I can’t…oh wait…you’re trying to trick me into thinking that my account was logged into another computer in a different IP Range.

Very tricksy you are…

This works because most people don’t know what their IP address is…I know I don’t…as far as I’m concerned my IP address is 10.71.63.23…

But I haven’t bothered to look at what my REAL IP Address is…I just don’t care.

I do love how they put the link to the REAL website in case I have any questions…which is where I would send anyone to verify anything they get in e-mail (Not to the link of course, but to the real website.)

So, ya…Not Blizzard.
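The three tells in the list above (Hotmail relay, a From address that doesn’t match where the mail really came from, a display name dressed up as an address) can be checked mechanically. The script below is an added example, not code from the original post: it parses the first e-mail’s headers with Python’s standard `email` module and reports those mismatches. The sample message is constructed from the headers quoted above (the folded date line is indented with a space, as header folding requires), and the helper names `analyze_headers` and `domain_of` are my own.

```python
# Added example, not code from the original post: parse a phish's headers with
# the standard library and flag what the post spots by eye (Hotmail relay,
# From domain not matching the real sender, address-shaped display name).
import email
import re
from email.utils import parseaddr

# Constructed sample: the first e-mail's headers as quoted in the post.
SAMPLE_HEADERS = """\
Return-Path: tx_rose_71@hotmail.com
Received: from xeo ([59.175.118.208]) by BLU0-SMTP16.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
 Sun, 13 Jun 2010 18:52:58 -0700
From: "wowaccountadmin@blizzard.com" <wowaccountadmin@blizzard.com>
To: <jayras@gmail.com>
Subject: Login IP Blacklisted

Greetings,
"""

# Matches the 'from <host> ([<ip>]) by <host>' clause of a Received header.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[?([\d.]+)\]?\)\s+by\s+(\S+)", re.I)


def domain_of(addr: str) -> str:
    """Lowercased domain part of 'Name <user@host>' or 'user@host' ('' if none)."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def analyze_headers(raw: str) -> dict:
    """Return sender domains, the earliest relay hop, and a list of findings."""
    msg = email.message_from_string(raw)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))

    # Relays prepend Received headers, so the last one listed is the first hop:
    # the machine that handed the mail to the provider's server.
    hops = []
    for hdr in msg.get_all("Received") or []:
        m = RECEIVED_RE.search(hdr)
        if m:
            hops.append({"from_host": m.group(1), "from_ip": m.group(2),
                         "by_host": m.group(3).lower()})
    first_hop = hops[-1] if hops else None

    findings = []
    if from_domain and return_path_domain and from_domain != return_path_domain:
        findings.append(f"From claims {from_domain} but bounces go to {return_path_domain}")
    if first_hop and from_domain and not first_hop["by_host"].endswith("." + from_domain):
        findings.append(f"first relay {first_hop['by_host']} is not a {from_domain} server")
    if "@" in display_name:
        findings.append("display name is written as an e-mail address to mask the real one")

    return {"from_domain": from_domain, "return_path_domain": return_path_domain,
            "first_hop": first_hop, "findings": findings,
            "suspicious": bool(findings)}


if __name__ == "__main__":
    for line in analyze_headers(SAMPLE_HEADERS)["findings"]:
        print("-", line)
```

These are heuristics, not proof: a real blizzard.com notice could legitimately leave through a third-party mailer, so the relay check is a prompt to look closer, while the From/Return-Path split and the address-shaped display name are the stronger signals.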

Update:

  • Received again:

Return-Path: guntherfrastaun@hotmail.com
Received: from abhclkayq ([219.140.29.132]) by BLU0-SMTP74.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 11 Jun 2010 19:52:53 -0700
From: "wowaccountadmin@blizzard.com" <wowaccountadmin@blizzard.com>
To: <jayras@gmail.com>
Subject: Battle.net Final Warning

  • Received again:

Return-Path: sammisin@hotmail.com
Received: from mqc ([222.69.176.184]) by BLU0-SMTP46.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Wed, 23 Jun 2010 18:31:43 -0700
Received: from servera07.tk2adsmtp4.msn.com ([207.46.222.236]) by snt0-mc3-f8.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 15 Jun 2010 18:13:20 -0700
Received: from by2gbipcme01.phx.gbl ([10.2.94.20]) by servera07.tk2adsmtp4.msn.com with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 15 Jun 2010 18:13:18 -0700
X-AUTH-Result: PASS
X-Originating-Email: [WoWAccountAdmin@blizzard.com]
X-Mailer: CME-V6.5.4.3; MSN
From: "Blizzard Entertainment" <WoWAccountAdmin@blizzard.com>
To: <jayras@gmail.com>
Subject: World of Warcraft Warning – Notice NO.507430

Dear customer,

This is an automated notification sent from our account security system. You logined your account successfully at 4:27 on June 20th from the 125.94.112.* range, but our system shows the 125.94.112.* IP range exists a large number of hackers. As too many customer complains, the 125.94.112.* IP range has been blacklisted. We are concerned about whether your account has been stolen. In order to guarantee the legitimacy of your account, we need you check your account status as soon as possible. You should login to the Account Management Websit with the following link: http://us.battle.net/login.xml?ref=https%3A%2F%2Fus.battle.net%2Faccount%2Fmanagement%2Findex.xml&app=bam

Account security is solely the responsibility of the accountholder. Please be advised that in the event of a compromised account, Blizzard representatives will typically lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.

Regards,

Blizzard Account System
Blizzard Entertainment

This one looks to be a new variant on the Corrected Hacker IP Phish. It repeats the IP range three times, but at least this time all three are the same.

It’s the domain it links to that makes it stand out. It’s SNEAKY!!

The link displays in the e-mail as:

http://us.battle.net/login.xml?ref=https%3A%2F%2Fus.battle.net%2Faccount%2Fmanagement%2Findex.xml&app=bam

But the actual link is (Remember folks, don’t go to these addresses, they are purposely not set as links you can click!)

http://us.battle.net-https3asfdffaa2f3f5g-worldofwarcraft.com/

Now, if you remember from earlier lessons, work backwards to see who owns the domain, splitting on the periods (.)

So…break this one apart (working backwards) you get:

  • com – Standard, almost everything is a COM…we’re good so far.
  • net-https3asfdffaa2f3f5g-worldofwarcraft

Here is where it starts…

After the net is NOT a period, it’s a dash, so that’s not a domain separator and that’s not the end of the domain segment. It’s net-https3…which is basically some well crafted face rolling.

We’ve all seen links crop up that look a lot like the displayed link…with %3A’s and %2F’s and the like.

These are called “escape codes” (percent-encoding), used so a character doesn’t invalidate the URL: %3A is actually a colon ( : ), %2F is actually a slash ( / )

But in the domain above they left out the %’s (which aren’t allowed in domain names) and put in some similar-looking gobbledygook to trick you into thinking the net was the end of the domain and the rest is just the kind of URL junk we see everywhere.

Then the rest:

  • battle
  • us

So by lessons earlier…the domain is a COM domain (originally for commercial use, but turned into the “default” domain)

And the domain name is: net-https3asfdffaa2f3f5g-worldofwarcraft

Which looks like worldofwarcraft, but isn’t.

Like I said, SNEAKY!

Oh…and not Blizzard.
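The work-backwards lesson above, done in code. This is an added example and not code from the original post: it decodes the displayed link’s %3A/%2F escapes, splits the real link’s host on periods only (a dash stays inside its label), and reads the labels from the right to get the domain that actually owns the page. It goes slightly beyond the one case in the post by running the other link hosts quoted on this page through the same check. The URLs are the ones quoted in the post; the helper names `host_labels_right_to_left`, `registrable_domain` and `link_findings` are my own.

```python
# Added example, not code from the original post: decode the displayed link's
# percent-escapes and walk the real link's host labels from the right, the way
# the post does by hand, to find the domain that actually owns the page.
from urllib.parse import urlsplit, unquote

# The displayed link text and the real href, both as quoted in the post.
DISPLAYED = ("http://us.battle.net/login.xml?ref=https%3A%2F%2Fus.battle.net"
             "%2Faccount%2Fmanagement%2Findex.xml&app=bam")
ACTUAL = "http://us.battle.net-https3asfdffaa2f3f5g-worldofwarcraft.com/"

# Other hosts the post says its phishes linked to, for the same treatment.
OTHER_PHISH_HOSTS = [
    "www.blizzard-status-info.com",
    "www.wow-identification.com",
    "www.wow-verify-m5aqr3gfdblolp0hx3fajlm.com",
    "www.secure-battle.net",
]


def host_labels_right_to_left(url_or_host: str) -> list:
    """Split the host on periods only; a dash is just a character in a label."""
    target = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = urlsplit(target).hostname or ""
    return list(reversed(host.lower().split(".")))


def registrable_domain(url_or_host: str) -> str:
    """TLD plus the label to its left. Right for .com/.net-style TLDs, which is
    all this post uses; .co.uk-style suffixes need a public-suffix list."""
    labels = host_labels_right_to_left(url_or_host)
    return ".".join(reversed(labels[:2]))


def link_findings(displayed: str, actual: str) -> dict:
    """Compare what the link shows with where it goes."""
    shown = registrable_domain(displayed)
    real = registrable_domain(actual)
    return {
        "displayed_domain": shown,
        "actual_domain": real,
        "mismatch": shown != real,
        # %3A is ':' and %2F is '/'; decoded, the displayed ref really points
        # inside us.battle.net, which is why the visible text looks genuine.
        "decoded_query": unquote(urlsplit(displayed).query),
        "labels_right_to_left": host_labels_right_to_left(actual),
        # '%' cannot appear in a hostname, so a '3a'/'2f' run inside a label is
        # a look-alike, not an escape.
        "percent_in_host": "%" in (urlsplit(actual).hostname or ""),
    }


if __name__ == "__main__":
    r = link_findings(DISPLAYED, ACTUAL)
    print("displayed:", r["displayed_domain"], "| actual:", r["actual_domain"])
    print("labels right-to-left:", r["labels_right_to_left"])
    for host in OTHER_PHISH_HOSTS:
        print(host, "->", registrable_domain(host))
```

The two-label rule is exactly the post’s “com, then the segment before it” walk; it is enough for every host on this page, and the script only parses strings, it never fetches anything.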

  • Received again…new variant:

Return-Path: <zigurat_js@hotmail.com>
Received: from blu0-omc3-s24.blu0.hotmail.com (blu0-omc3-s24.blu0.hotmail.com [65.55.116.99])
by mx.google.com with ESMTP id g4si684343wbg.47.2010.07.01.22.35.18;
Thu, 01 Jul 2010 22:35:18 -0700 (PDT)
Received-SPF: pass (google.com: domain of zigurat_js@hotmail.com designates 65.55.116.99 as permitted sender) client-ip=65.55.116.99;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of zigurat_js@hotmail.com designates 65.55.116.99 as permitted sender) smtp.mail=zigurat_js@hotmail.com
Received: from BLU0-SMTP19 ([65.55.116.73]) by blu0-omc3-s24.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 1 Jul 2010 22:34:09 -0700
X-Originating-IP: [180.210.206.52]
X-Originating-Email: [zigurat_js@hotmail.com]
Message-ID: <BLU0-SMTP19B9264109A5E67FFAACA5EFCE0@phx.gbl>
Return-Path: zigurat_js@hotmail.com
Received: from afqrmaf ([180.210.206.52]) by BLU0-SMTP19.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 1 Jul 2010 22:33:48 -0700
From: "wowaccountadmin@blizzard.com" <noreply@blizzard.com>
To: <jayras@gmail.com>
Subject: WOW Issue-NO.0030846

Greetings,

This is an automated notification sent from our account security system. You logined your account successfully at 3:14 on Jun. 29th form the 203.29.211.* IP range. According to the report of many players, we found that the account published spam information in the game which harassed other users seriously. This action has violated the EULA.

As too many customers’ complaints, the IP range above has been blacklisted. We are concerned about whether your account has been stolen. In order to guarantee the legitimacy of your account, we need you check your account status  as soon as possible.

To do so, simply click here:

https://www.battle.net/account/support/login-support.xml

Blizzard staff will verify your account information submitted in two days, please do not modify your account information and password during this time . It will not affect your game uptime.

For more information, click here for answers to Frequently Asked Questions or to contact the Blizzard Billing & Account Services team.

Regards,

Account Administration
Blizzard Entertainment
Online Privacy Policy

Links to: www.wow-identification.com

This one is new. They cleaned up the English and added a new twist.

According to the report of many players, we found that the account published spam information in the game which harassed other users seriously.

OK, so the English isn’t perfect…but still a far cry from “Engrish”

But they at least gave a coherent excuse to ban IP addresses instead of the vague explanations normally given.

But still…not blizzard.

  • Received again:

Return-Path: superdarkritual@hotmail.com
Received: from lfmwsihe ([222.69.162.61]) by BLU0-SMTP55.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Sun, 4 Jul 2010 23:37:30 -0700
Date: Mon, 5 Jul 2010 14:35:04 +0800
From: "wowaccountadmin@blizzard.com" <noreply@blizzard.com>
To: <jayras@gmail.com>
Subject: WOW Issue-NO.0068052

www.wow-verify-m5aqr3gfdblolp0hx3fajlm.com

  • Received Again

Return-Path: dimata@hotmail.de
Received: from gcvfapu ([98.126.10.160]) by BLU0-SMTP63.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Sat, 10 Jul 2010 01:53:15 -0700
From: "wowaccountadmin@blizzard.com" <noreply@blizzard.com>
To: <jayras@gmail.com>
Subject: WOW Account Issue-NO.0028894

Links to: www.secure-battle.net
