Phish: Invalid Access to My Account

Here’s the e-mail:

Received: from WorldClient by blizzard.com (MDaemon PRO v10.1.1)
with ESMTP id pd50000000023.msg
for <***@gmail.com>; Thu, 04 Mar 2010 15:24:54 +0800
X-Spam-Processed: blizzard.com, Thu, 04 Mar 2010 15:24:54 +0800
(not processed: spam filter already applied to initial list submission)
X-Authenticated-Sender: WoWAccountAdmin@blizzard.com
X-Envelope-From: WoWAccountAdmin@blizzard.com
X-MDaemon-Deliver-To: ***@gmail.com
X-MDMailing-List: Account@blizzard.com
Precedence: bulk
Sender: Account@blizzard.com
Date: Thu, 04 Mar 2010 15:21:06 +0800
From: “WoWAccountAdmin” <WoWAccountAdmin@blizzard.com>
To: <***@gmail.com>
Subject: World of Warcraft Account Notice – Remote Login

English speaking customers: Please refer to the start of this mail
Para los clientes espa?oles: Por favor vayan hasta el fin de este coreo electrónico

An investigation of the World of Warcraft account has produced evidence that the account has been accessed by someone who is not allowed to use it. Now you can bind your mobilephone to your World of Warcraft account for free. This will protect your account from being stolen: http://www.worldofwarcraftaccountsecurity.com

Please be sure to review the information below to help prevent future security issues:
Account compromises are usually the result of the registered player of the account sharing his or her login information or playing on a computer that has a virus.
Please remember that it is your responsibility to keep your login information confidential. Any account that is registered to your name may not be shared with anyone except for one minor, of whom you are acting as a parent or guardian. You are also responsible for every use of your login information, whether authorized or not.
For your own protection, we encourage you to keep the following security tips in mind when using any computer on which you play World of Warcraft:
- Keep current with the latest operating system and other software updates.
- Make use of firewall protection if possible.
- Regularly scan for viruses, Trojan files, and key loggers.
- Be wary of “spoof” emails and websites and when downloading new software.

OK, let's see…

  • Header is a little freaky: by all accounts you could say this DID come from Blizzard, but tracing the originating IP back shows it's from China (don't expect a lot of people to know how to go through that part). So, one point goes to the hacker who managed to find a valid SMTP server that let him set his sender as something other than the domain it belongs to.
  • No greeting, let alone my name in the greeting.
  • English is pretty good, but still bad.
  • Link doesn’t go to Blizzard.

So, this hacker managed to get one thing right: he got the sender address as Blizzard. This happened because the SMTP server he used didn't verify the domain of the sender's address, and it wasn't on a global blacklist (it probably got added as a result of this e-mail, though).

SMTP servers have a community built up over the years, and they share blacklists of SMTP servers that do not follow the unwritten rules. Using those blacklists, they refuse to pass on e-mail from the listed servers.

This server apparently wasn't on the blacklist. It's possible a hacker gained access to a company's SMTP server and was able to change the security settings to get this e-mail out.

Now, for the e-mail:

It was written fairly well; I don't know what that Spanish thing said, but it was a nice touch to add that in.

“For English press 1…”

The first paragraph didn’t make any sense.

They detected, somehow, that my account was accessed incorrectly.
But, by MAGIC, I can link my phone to my account, which increases security. (I think they missed the ball on this one; they probably meant the mobile authenticator you can put on the iPhone or Blackberry.)
And somehow, this is supposed to take care of the issue with invalid access.

PFM!

The link goes to: www.worldofwarcraftaccountsecurity.com
Nice domain, though; it almost makes you believe.

But, still not Blizzard.

I do love how they put the security tips in at the bottom, including the note about not falling for these e-mails…oh, the irony.

Update:

  • Received again:

Return-Path: starcrat@starcratf-2.com
Received: from server.anonymous-hosting-service.com (server.anonymous-hosting-service.com [85.17.90.204])
by mx.google.com with ESMTP id 11si9967830yxe.44.2010.04.01.13.25.06;
Thu, 01 Apr 2010 13:25:06 -0700 (PDT)
Received-SPF: pass (google.com: domain of starcrat@starcratf-2.com designates 85.17.90.204 as permitted sender) client-ip=85.17.90.204;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of starcrat@starcratf-2.com designates 85.17.90.204 as permitted sender) smtp.mail=starcrat@starcratf-2.com
Received: from apache by server.anonymous-hosting-service.com with local (Exim 4.67)
(envelope-from starcrat@starcratf-2.com)
id 1NxRC6-0006xr-IR
for ***@gmail.com; Thu, 01 Apr 2010 22:40:50 +0200
To: ***@gmail.com
Subject: Account Security Issue

Greetings,

An investigation of your World of Warcraft account has produced evidence that the account has been accessed by someone who is not allowed to use it in the past and that key details such as the secret question associated with the account have been compromised. Further access of this account by unauthorized parties may result in the account being disabled and recurring subscriptions to be canceled.

Please be sure to follow the steps below to help prevent future security issues:

1. SECURING THIS ACCOUNT

Account compromises are usually the result of the registered player of the account playing on a computer that has a virus or sharing his or her login information.

Please remember that it is your responsibility to keep your login information confidential. Any account that is registered to your name may not be shared with anyone except for one minor, of whom you are acting as a parent or guardian. You are also responsible for every use of your login information, whether authorized or not.

For your own protection, we encourage you to keep the following security tips in mind when using any computer on which you play World of Warcraft:

- Keep current with the latest operating system and other software updates.
- Make use of firewall protection if possible.
- Regularly scan for viruses, Trojan files, and key loggers.
- Be wary of “spoof” emails and websites and when downloading new software.

For additional security tips and information, please visit the following sites:

- Computer Security: http://us.blizzard.com/support/article/21118
- Account Security: http://us.blizzard.com/support/article/20572
- Unauthorized Access Policy: http://us.blizzard.com/support/article/20460

2. CHANGING THE SECRET QUESTION

Once you have taken the appropriate steps to secure your computer, please log into Battle.net at your earliest convenience in order to change the secret question of the account. This can be done using the “Change Security Options” menu.

Should you have any additional questions please do not hesitate to contact us at billing@blizzard.com It is important to note that we are unable to assist any player in retrieving access to an account not created in his or her own name. Please be sure to send this request from the email address that is currently registered to this account.

3. VERIFYING YOUR SUBMISSION WAS RECEIVED

We will contact you once your change is received and processed.

Only the Account Administration team can address disputes or questions you may have about the account retrieval process. To learn more about how we are able to assist you, please visit us at http://us.blizzard.com/support/article/21505.

Sincerely,

Bashigin
Account Administration
Blizzard Entertainment

This one is a VERY Dangerous variant of the original e-mail.

The bulk of this e-mail is a copy/paste from the Customer Service forum (where Bashigin works…), and it is the post he puts up to help people who have been hacked by e-mails like this (WOW…circular reference!).

What makes this e-mail so particularly scary is the fact that MOST of the links go to the correct places, but there is ONE link that doesn't.

That one link goes to: batltle.net

At first glance that can look like battle.net (it has one extra l). This is what makes it so dangerous: all the other links are "legit", the information presented is correct, and it is formatted and spelled correctly.
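The checks made in the two analyses above (envelope sender versus the From: header, what an SPF pass actually vouches for, and body links to domains that are not Blizzard's or are one letter off from battle.net) as an added Python example; this is not code from the original post, and the message it parses is constructed from the headers and links quoted above. The list of trusted domains is an assumption for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample modelled on the two phishes above: throwaway envelope domain that passes SPF, spoofed Blizzard From:, mixed links.
SAMPLE = """Return-Path: <starcrat@starcratf-2.com>
Received: from server.anonymous-hosting-service.com ([85.17.90.204]) by mx.google.com
Authentication-Results: mx.google.com; spf=pass smtp.mail=starcrat@starcratf-2.com
From: "WoWAccountAdmin" <WoWAccountAdmin@blizzard.com>

Bind your phone at http://www.worldofwarcraftaccountsecurity.com
See http://us.blizzard.com/support/article/21118 and log in at
http://batltle.net/account to change your secret question.
"""
TRUSTED = {"blizzard.com", "battle.net"}  # assumed: domains the real sender would use

def registrable(host):
    """Crude registrable domain (last two labels); enough for the domains here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def levenshtein(a, b):
    """Edit distance, used to spot one-letter lookalikes such as batltle.net."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze(raw):
    """Return human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = registrable(re.search(r"@([\w.-]+)", msg["From"]).group(1))
    env = re.search(r"@([\w.-]+)", msg.get("Return-Path", ""))
    env_dom = registrable(env.group(1)) if env else None
    if env_dom and env_dom != from_dom:  # From: is free text; SPF checks the envelope
        findings.append(f"envelope sender {env_dom} != From domain {from_dom}")
    if "spf=pass" in msg.get("Authentication-Results", "") and env_dom not in TRUSTED:
        findings.append(f"SPF pass is for {env_dom}, not a trusted domain")
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        dom = registrable(urlparse(url).hostname or "")
        if dom in TRUSTED:
            continue
        close = [t for t in TRUSTED if levenshtein(dom, t) <= 2]
        findings.append(f"link to untrusted {dom}" + (f" (lookalike of {close[0]})" if close else ""))
    return findings
```

Run `analyze(SAMPLE)` to see all four findings; a brand name inside a domain (worldofwarcraftaccountsecurity.com) is flagged just like the misspelled battle.net, because neither is a trusted registrable domain.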

The fact that voodoo black magic has occurred to determine invalid use is past some people's perception, although it is possible Blizzard can employ some logic to detect possible access oddities (like subsequent requests from different countries in a short period of time).

But if Blizzard did have evidence of this, they would take action and suspend the account, not send out an e-mail like this, which could easily go to the wrong party instead of the actual account holder (what is stopping them from changing the e-mail address?).

Not to mention that if the "secret question" was compromised, you would get a notification of account changes, which is NOT this e-mail.

This is just a reminder to all of us, be extra extra careful about links we click.

And to add to the Irony, I got this on April 1…APRIL FOOLS!!!

NOT!!
