Phish: Lord of the Rings (Turbine)

Here’s the e-mail:

Received: from pzw ([]) by over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Mon, 7 Jun 2010 23:04:44 -0700
From: “” <>
To: <***>
Subject: Turbine Account Status Warning


This is an automated notification regarding the recent change(s) made to your the Lord of the Rings Online. Your password has recently been modified through the Password Recovery website.

*** If you made this password change, please disregard this notification.
However, if you did NOT make changes to your password, we recommend you Login to verify your password:

[Link to NOT Turbine]

If you are unable to successfully verify your password, using the automated system, please contact Billing & Account Services at 1-960-67-TURBINE (1-960-595-4588) Mon-Fri, 8am-8pm Pacific Time or at security is solely the responsibility of the account holder. Please be advised that in the event of a compromised account,

Turbine representatives typically must lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.


The Lord of the Rings Online Support Team Turbine Entertainment

Links to:

Let’s see here:

  • Header shows it’s from Hotmail.
  • The “reply to” is Codemasters.  I’m not really all that familiar with Lord of the Rings or Turbine, but as far as I can tell, Codemasters is actually Turbine’s competition.

Well, here is a twist.

Now, I admit, I have never played Lord of the Rings online, and I never have signed up on Turbine.

The link says “cabemasters”…the “reply to” says Codemasters.

Looking at Codemaster’s site there is no reference to Turbine or to Lord of the Rings Online.

So, I’m guessing the hacker, in this case, has really f’ed up this entire phish.

Not to mention the e-mail is the same e-mail you get when you change your password.  Wording is fairly “blah” so I can see Turbine (or Codemasters) having almost the same working.

But right down to the “*** If you made this password change” is the same…

So, in this case, I’d say the hacker is clueless and doesn’t know what he’s doing and is attempting to broaden his Net out bast Blizzard accounts and royally screwed up.

I don’t anticipate I’ll be seeing this one again.  Although I can bet I’ll see the same e-mail again for a different game (as this moron tries again.)

Oh…and Not Blizzard…or not Turbine…or not Codemasters…

Oh hell, Not anyone Legitimate.

  • Received again:

Received: from ilfwrag ([]) by over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Mon, 2 Aug 2010 18:53:47 -0700
From: “” <>
To: <>
Subject: Turbine Account Status Warning

Links to:

Ͼ Ͼֳ ewinֳ Ŷij ˰ټ Ŷij bet ȫѶ 188 bet 365 Ͼ Ͼij ˹˶ij Ͼij ƶij Ŷij淨 ȫѶ ˹ά˹ij ζij ŶijЩ ij ˹˶ij Ͼij ĥij ijϷ ĥƽij ĥij Űټ ټϷ ˰ټ Ŷij ˰ټ ټ Ŷij ֳ Ŷij bet Ŷij ټ ˹ Ͼ ټ Ŷij ewinֳ bet ټ Ŷij Ŷij Ŷij Ŷij Ŷij ewinֳ ewinֳ ewinֳ ewinֳ ewinֳ ټ bet ˹