Phish: Password Change

Seen 25 Times.

  • Password: 2
  • Contact Information: 5
  • Account Options: 7
  • Shipping Address: 1
  • Reset Authenticator: 3

Here is the e-mail:

Return-Path: theodor_1992@hotmail.com
Received: from qmsg ([119.114.97.189]) by BLU0-SMTP35.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959);
Sun, 21 Feb 2010 23:56:11 -0800
From: “” <wowaccountadmin@blizzard.com>
To: <***@gmail.com>
Subject: World Of Warcraft-Account Instructions
Date: Mon, 22 Feb 2010 15:55:59 +0800

Greetings!
This is an automated notification regarding the recent change(s)
made to your World of Warcraft account. Your password has recently been modified through the Password Recovery website.
*** If you made this password change, please disregard this notification. However, if you did NOT make changes to your password
we recommend you Login verify your password:

http://www.worldofwarcraft.com

If you are unable to successfully verify your password .
using the automated system, please contact Billing & Account Services at 1-800-59-BLIZZARD (1-800-592-5499) Mon-Fri, 8am-8pm Pacific Time or at billing@blizzard.com. Account security is solely the responsibility of the account holder. Please be advised that in the event of a compromised account, Blizzard representatives typically must lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.
Regards,
The World of Warcraft Support Team Blizzard Entertainment

This Phish is one of the most dangerous Phishes I’ve ever seen.

With a couple of exceptions (and they are BIG exceptions) this is exactly the same message you get when you change your password.

So, what makes this a Phish?

  • Header shows it is from Hotmail and not Blizzard
  • Greeting doesn’t have my name in it.
  • An actual E-Mail would have your account listed after “recent change(s) made to your World of Warcraft account” <– Right here they add your account name.
  • If you did not make this change, they don’t recommend you verify your login, they recommend you contact support.

Common sense moment:

You get a notification that your password has changed.
If you haven’t changed it, how in the hell are you going to be able to login to verify your information? I mean, the password is changed, you didn’t do it…how do you know what the password is then?
It would be VERY easy to get fooled by this Phish. The wording is a direct copy of the e-mail you get from an actual password change with a couple of changes.
Google is being protective of me, and doesn’t show the link so I don’t know where this link is sending you.

Let me give a special shout out to the e-mail address:

theoder_1992

I don’t know what exactly happened in 1992 for this person, but apparently it sure did STINK! (Get it?  theoder….the oder?…ok ok ok…I know it’s spelled odor…but COME ON, that was funny!)

UPDATE:

  • Received again:
  • Information “Changed”: Password

Return-Path: vivaladaniel_1993@hotmail.com
Received: from sgnd ([119.114.103.103]) by BLU0-SMTP46.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959);
Mon, 8 Mar 2010 16:50:17 -0800
From: “” <wowaccountadmin@blizzard.com>
To: <***@gmail.com>
Subject: World Of Warcraft-Account Instructions

Linking to: www.worldofwarcnaft-manage.com

I love how the domain is misspelt. Probably the correct spelling was already used.

  • Received again:
  • Information “Changed”: Password

Return-Path: spoox86@hotmail.com
Received: from cpkyshx ([116.217.114.89]) by BLU0-SMTP7.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959);
Tue, 16 Mar 2010 07:53:13 -0700
From: “wowaccountadmin@blizzard.com” <jayras@gmail.com>
To: <jayras@gmail.com>
Subject: World of Warcraft Account Notification

  • Received again:
  • Information “Changed”: Password

Return-Path: ejlemos@hotmail.com
Received: from iix ([116.217.113.141]) by BLU0-SMTP84.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 18 Mar 2010 06:39:39 -0700
From: “wowaccountadmin@blizzard.com” <jayras@gmail.com>
To: <jayras@gmail.com>
Subject: World Of Warcraft Account Notification

  • Received again:
  • Information “Changed”: Password

Return-Path: carodelp1@hotmail.com
Received: from soap ([119.114.103.116]) by BLU0-SMTP8.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959);
Wed, 24 Mar 2010 06:13:43 -0700
From: “” <wowaccountadmin@blizzard.com>
To: <***@gmail.com>
Subject: World Of Warcraft-Account Instructions

www.wor1dofwarcroft-manage.com

Well, there’s a hacker “L337” domain…wor 1 d of warcroft

OK, so it probably wasn’t a leet domain, but yet another trick they use to throw you off the track. In certain fonts 1 looks like l…in other fonts it’s still really similar.

Still no excuse for warcroft
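Both tricks in these two domains, a digit standing in for a letter and a single swapped letter, can be caught by normalising the name and measuring edit distance against the real brand. The Python below is an added example, not from the original post; the allow-list is assumed from the genuine links quoted in these e-mails, and classify, BRANDS and the two-edit threshold are illustrative choices.

```python
# Assumption: genuine domains and brand tokens taken from the real links
# quoted in the e-mails on this page.
OFFICIAL = {"worldofwarcraft.com", "blizzard.com", "battle.net"}
BRANDS = ("worldofwarcraft", "blizzard")
# Digits commonly substituted for look-alike letters (1 -> l, 0 -> o, ...).
CONFUSABLE = str.maketrans("1035", "loes")


def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(host, max_edits=2):
    """Return (verdict, brand) for a hostname found in a message."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return ("unrelated", None)
    # Assumption: registrable domain = last two labels (no public-suffix list).
    if ".".join(labels[-2:]) in OFFICIAL:
        return ("official", None)
    # Look at each hyphen-separated token of the registered name.
    for raw in labels[-2].split("-"):
        skeleton = raw.translate(CONFUSABLE)
        for brand in BRANDS:
            if brand in raw:
                # Correctly spelled brand, but on somebody else's domain.
                return ("brand-in-foreign-domain", brand)
            if brand in skeleton or edit_distance(skeleton, brand) <= max_edits:
                return ("lookalike", brand)
    return ("unrelated", None)


if __name__ == "__main__":
    for h in ("www.worldofwarcraft.com",
              "www.worldofwarcnaft-manage.com",
              "www.wor1dofwarcroft-manage.com"):
        print(h, classify(h))
```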

  • Received again:
  • Information “Changed”: Contact Information

Return-Path: ridikcar@hotmail.com
Received: from jsalbc.com ([120.6.167.16])
by mx.google.com with ESMTP id c28si24102066fka.44.2010.04.04.06.31.34;
Sun, 04 Apr 2010 06:31:36 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning ridikcar@hotmail.com does not designate 120.6.167.16 as permitted sender) client-ip=120.6.167.16;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning ridikcar@hotmail.com does not designate 120.6.167.16 as permitted sender) smtp.mail=ridikcar@hotmail.com
Message-ID: 051B81CDCA62D2A4DADE22D437184F22@jsalbc.com
From: “noreply@blizzard.com” noreply@blizzard.com
To: ***@gmail.com
Subject: World of Warcraft – Account Change Notice

Greetings!

This is an automated notification regarding your World of Warcraft account. Some or all of your contact information was recently modified through the Account Management website.

*** If you made recent account changes, please disregard this automatic notification.

You can login to Account Management at the following link to review your account settings:

http://www.worldofwarcraft.com/account

*** If you did NOT make any changes to your account, we recommend you change your password and make appropriate corrections as soon as possible to ensure account security.

If you cannot sign into Account Management using the link above, or if unauthorized changes continue to happen, please contact Blizzard Billing & Account Services for further assistance.

Billing & Account Services can be reached at 1-800-59-BLIZZARD (1-800-592-5499 Mon-Fri, 8Am-8PM Pacific Time) or at billing@blizzard.com.

Account security is solely the responsibility of the accountholder. Please be advised that in the event of a compromised account, Blizzard representatives will typically lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.

Regards,
The World of Warcraft Support Team
Blizzard Entertainment

http://www.blizzard.com/support/wowindex/

Slight modification from the Original, this one states your Contact Information was changed.

Still same old story though…Header is not from Blizzard, no personalized greeting.

One odd thing is the header shows the Sender as Hotmail, but the SMTP Server belongs to jsalbc.com.

Google is protecting me from seeing the link, but I’m betting it was to this jsalbc.com
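The header tells seen so far (a Hotmail envelope sender behind a Blizzard From line, the SPF softfail, a display name showing one address while the real one is another, and a handing-off host that belongs to neither domain) can be checked mechanically. The Python below is an added example, not part of the original post; check_headers, the finding codes and the two-label domain shortcut are assumptions, and the sample is re-folded from the headers quoted above with a placeholder recipient.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the "Account Change Notice" headers quoted above,
# re-folded with leading whitespace, angle brackets restored, and a
# placeholder recipient.
SAMPLE = """\
Return-Path: <ridikcar@hotmail.com>
Received: from jsalbc.com ([120.6.167.16])
 by mx.google.com with ESMTP id c28si24102066fka.44.2010.04.04.06.31.34;
 Sun, 04 Apr 2010 06:31:36 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning ridikcar@hotmail.com does not designate 120.6.167.16 as permitted sender) client-ip=120.6.167.16;
From: "noreply@blizzard.com" <noreply@blizzard.com>
To: <user@example.com>
Subject: World of Warcraft - Account Change Notice

Greetings!
"""


def _two_labels(host):
    """Last two DNS labels. Assumption: real code should use a public-suffix list."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def _addr_domain(header_value):
    """Two-label domain of the address in a header value ('' if there is none)."""
    return _two_labels(parseaddr(header_value or "")[1].rpartition("@")[2])


def check_headers(raw):
    """Return a list of (code, detail) findings for one raw message."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg["From"] or "")
    from_dom = _addr_domain(msg["From"])
    env_dom = _addr_domain(msg["Return-Path"])

    # 1. Envelope sender (Return-Path) and visible From are different domains.
    if env_dom and env_dom != from_dom:
        findings.append(("ENVELOPE_MISMATCH", f"{env_dom} vs {from_dom}"))

    # 2. The receiving server's SPF verdict on the envelope sender.
    verdict = (msg["Received-SPF"] or "").split(None, 1)[:1]
    if verdict and verdict[0].lower() in ("fail", "softfail"):
        findings.append(("SPF_" + verdict[0].upper(), "sending IP not permitted"))

    # 3. Display name shows an address other than the real one.
    shown = re.search(r"[\w.+-]+@[\w.-]+", from_name)
    if shown and shown.group(0).lower() != from_addr.lower():
        findings.append(("DISPLAY_NAME_SPOOF", f"{shown.group(0)} vs {from_addr}"))

    # 4. The host that handed the message over (topmost Received header)
    #    belongs to neither the envelope domain nor the From domain.
    top = (msg.get_all("Received") or [""])[0]
    hop = re.search(r"from\s+(\S+)\s+\(\[([\d.]+)\]\)", top)
    if hop and _two_labels(hop.group(1)) not in (env_dom, from_dom):
        findings.append(("FOREIGN_RELAY", f"{hop.group(1)} [{hop.group(2)}]"))
    return findings


if __name__ == "__main__":
    for code, detail in check_headers(SAMPLE):
        print(code, detail)
```

None of these signals is proof on its own; legitimate bulk mail is often handed over by a third-party host, so the findings are meant to be weighed together.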

  • Received again:
  • Information “Changed”: Contact Information

Return-Path:
Received: from wjd.org ([120.6.173.174])
by mx.google.com with ESMTP id 5si1775870pzk.2.2010.04.04.21.21.47;
Sun, 04 Apr 2010 21:21:49 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning lais_licariao@hotmail.com does not designate 120.6.173.174 as permitted sender) client-ip=120.6.173.174;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning lais_licariao@hotmail.com does not designate 120.6.173.174 as permitted sender) smtp.mail=lais_licariao@hotmail.com
Message-ID:
From: “noreply@blizzard.com”
To:
Subject: World of Warcraft – Account Change Notice

This is like the other one. Sender is Hotmail, but SMTP shows a different Domain.

  • Received again:
  • Information “Changed”: Account Options

Return-Path: blane01@hotmail.com
Received: from rlueld ([220.188.5.95]) by BLU0-SMTP40.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Sat, 24 Apr 2010 02:39:56 -0700
From: “billing@blizzard.com” billing@blizzard.com
To: ***@gmail.com
Subject: World of Warcraft Account – Subscription Change Notice

Hello,

This is an automated notification regarding your World of Warcraft account. Your account options was recently modified through the Account Management website.

If you made this change to your subscription type, please disregard this automatic notification.

*** If you did NOT make any changes to your account or subscription, we recommend you login to Account Management at the following link to review your account settings:

http://www.worldofwarcraft.com/account/

If you cannot sign into Account Management using the link above, or if unauthorized changes continue to happen, please contact Blizzard Billing & Account Services for advanced assistance.

Billing & Account Services can be reached at 1-800-59-BLIZZARD (1-800-592-5499 Mon-Fri, 8Am-8PM Pacific Time) or at billing@blizzard.com.

Account security is solely the responsibility of the accountholder. Please be advised that in the event of a compromised account, Blizzard representatives will typically lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.

Regards,

The World of Warcraft Support Team
Blizzard Entertainment

http://www.blizzard.com/support/wowindex/

Another Variation stating your account options were changed.

  • Received again:
  • Information Changed: Account Options

Return-Path: joswildemeersch@hotmail.com
Received: from dr ([220.188.95.174]) by BLU0-SMTP97.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 29 Apr 2010 00:42:53 -0700
From: “billing@blizzard.com” <billing@blizzard.com>
To: <***@gmail.com>
Subject: World of Warcraft Account – Subscription Change Notice

  • Received again:
  • Information “Changed”: Account Options

Return-Path:
Received: from acwxmcjy.com ([219.253.91.178])
by mx.google.com with ESMTP id 3si1526655ywh.125.2010.05.12.15.13.45;
Wed, 12 May 2010 15:13:50 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning minha_paz_@hotmail.com does not designate 219.253.91.178 as permitted sender) client-ip=219.253.91.178;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning minha_paz_@hotmail.com does not designate 219.253.91.178 as permitted sender) smtp.mail=minha_paz_@hotmail.com
Message-ID: <5D46702D9287A1EBD0183DA990C239EA@acwxmcjy.com>
From: “billing@blizzard.com”
To:
Subject: World of Warcraft Account – Subscription Change Notice

Another one with another domain’s SMTP being used (But still apparently coming from a Hotmail address.)

  • Received again:
  • Information “Changed”: Shipping Address

Return-Path: ivalaviano@hotmail.com
Received: from lmjojc ([222.69.163.33]) by BLU0-SMTP15.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 18 May 2010 19:07:48 -0700
From: “noreply@blizzard.com” noreply@blizzard.com
To: ***@gmail.com
Subject: Protect Your Account

Greetings,

This is an automated notification regarding your Battle.net account. Your account shipping address was recently modified through the Account Management website.

If you made this change to your account, please disregard this automatic notification.

*** If you did NOT make any changes to your account, we recommend you login to Account Management at the following link to review your account settings:

http://www.worldofwarcraft.com/account/billing/

If you cannot sign into Account Management using the link above, or if unauthorized changes continue to happen, please contact Blizzard Billing & Account Services for advanced assistance.

Regards,

The World of Warcraft Support Team
Blizzard Entertainment

www.wor1dofwarcroft-manage.com

Another variation, this time it’s Shipping Address (Like they ever ship anything to you.)

This one is flawed as the subject is all wrong and doesn’t correspond to the e-mail. But oh well, gives us extra skepticism that this ain’t Blizzard (Cause it ain’t)

Domain has been seen in other phishing e-mails too.

Some hacker out there is using other people’s work! For shame!!

  • Received again:
  • Information “Changed”: Password

Return-Path: serveurgohor@hotmail.com
Received: from qtyb ([211.36.20.3]) by BLU0-SMTP59.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 27 May 2010 02:57:59 -0700
From: “wowaccountadmin”
To: ***@gmail.com
Subject: =?utf-8?B?V29ybGQgb2YgV2FyY3JhZnQgQWM=?=
=?utf-8?B?Y291bnQh4oCP4oCP?=
subject: World of Warcraft Account!??

I love them UTF-8 Subjects….
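Decoding those encoded-words by hand shows what the subject really carries: the visible text plus two invisible U+200F RIGHT-TO-LEFT MARK characters, which some viewers render as "?". The Python below is an added example, not part of the original post; the function names are assumptions and the input is the Subject quoted above, folded with a leading space.

```python
import unicodedata
from email.header import decode_header, make_header

# Constructed input: the two encoded-words of the Subject quoted above,
# folded with a leading space the way they travel on the wire.
RAW_SUBJECT = ("=?utf-8?B?V29ybGQgb2YgV2FyY3JhZnQgQWM=?=\n"
               " =?utf-8?B?Y291bnQh4oCP4oCP?=")

# Unicode general categories with no visible glyph: format and control.
INVISIBLE = ("Cf", "Cc")


def decode_subject(raw):
    """Join and decode RFC 2047 encoded-words into one Unicode string."""
    return str(make_header(decode_header(raw)))


def hidden_chars(text):
    """List (index, code point, name) for every invisible character."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"))
            for i, ch in enumerate(text)
            if unicodedata.category(ch) in INVISIBLE]


def visible_text(text):
    """The subject as a reader sees it, invisible characters removed."""
    return "".join(ch for ch in text
                   if unicodedata.category(ch) not in INVISIBLE)


def subject_report(raw):
    """Decode a raw Subject value and separate what is shown from what is hidden."""
    decoded = decode_subject(raw)
    return {
        "visible": visible_text(decoded),
        "hidden": hidden_chars(decoded),
        # A filter matching on the exact decoded string would miss this
        # subject unless it strips the hidden characters first.
        "needs_normalising": decoded != visible_text(decoded),
    }


if __name__ == "__main__":
    print(subject_report(RAW_SUBJECT))
```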

  • Received again:
  • Information “Changed”: Contact Information

Return-Path: joao_svp@hotmail.com
Received: from ttoff ([59.175.117.17]) by BLU0-SMTP63.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 3 Jun 2010 10:41:24 -0700
From: “BLIZZARD” <noreply@blizzard.com>
To: <jayras@gmail.com>
Subject: Contact Info Change Notification

Links to: www.blizzard-admin-security.com

  • Received Again:
  • Information “Changed”:  Reset Authenticator

Return-Path: stratsoloer29@hotmail.com
Received: from ptzbvary ([222.69.161.60]) by BLU0-SMTP18.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 3 Jun 2010 10:53:53 -0700
From: “” <noreply@blizzard.com>
To: <***@gmail.com>
Subject: Authenticator Reset Notification

Greetings!  jcynql1hgut0yqtkcohnrqmi8kqebmja0j

This is an automated notification regarding your Battle.net account. You have reset your authenticator with this account. Resetting this authenticator will lock you out of any Battle.net account still associated with it.

If you made this change to your account, please disregard this automatic notification.

*** If you did NOT make any changes to your account, we recommend you go to the Account Management website(http://us.battle.net/account) and remove this authenticator from your Battle.net account, you can also find them here.

If you cannot sign into Account Management, or if unauthorized changes continue to happen, please contact Blizzard Billing & Account Services for advanced assistance.

Regards,

Account Support Team
Blizzard Entertainment

Links to: www.blizzard-security-admin.com

I swear I saw this before…but oh well.  New Variant, telling me that my Authenticator was reset and if I did it, then oh..nevermind.

But if not (or if I’m still reading) it goes on to say that resetting your authenticator will lock you out.  So no matter what you need to take action.

Interesting thing about this e-mail.  It tells you to go to the account management website, and even links to the correct address.  But then says “you can also find them here.” and the HERE links to the bad website.

Interesting tack to take…show the correct link and then off the cuff link to a different way to get to account management…but this time…no Blizzard.
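A check for that pattern, a genuine link used as cover next to an off-domain one, plus the related case where the visible text is itself a URL that differs from the real target. The Python below is an added example, not part of the original post; the HTML is constructed from the sentence quoted above, and OFFICIAL, audit_links and the finding codes are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: genuine domains taken from the real links quoted on this page.
OFFICIAL = ("battle.net", "blizzard.com", "worldofwarcraft.com")

# Constructed HTML modelling the sentence quoted above: one correct link,
# then a "here" that points somewhere else.
SAMPLE_HTML = (
    '<p>we recommend you go to the Account Management website'
    '(<a href="http://us.battle.net/account">http://us.battle.net/account</a>)'
    ' and remove this authenticator from your Battle.net account, you can'
    ' also find them <a href="http://www.blizzard-security-admin.com/">here</a>.</p>'
)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def is_official(host):
    """True if host is an official domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)


def audit_links(html):
    """Return (code, visible text, real target host) findings for a message body."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    targets = [(text, urlsplit(href).hostname or "") for text, href in parser.links]
    findings = []
    for text, host in targets:
        # If the visible text is a URL, its host must match the real target.
        shown = urlsplit(text).hostname if "://" in text else None
        if shown and shown != host:
            findings.append(("TEXT_HREF_MISMATCH", text, host))
        elif not is_official(host):
            findings.append(("OFF_DOMAIN_LINK", text, host))
    if findings:
        # Genuine links in the same message are there to lend credibility.
        findings += [("GENUINE_LINK_PRESENT", t, h) for t, h in targets if is_official(h)]
    return findings
```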

  • Received Again:
  • Information “Changed”:  Reset Authenticator

Return-Path: larsen45@hotmail.com
Received: from dwy ([222.69.162.77]) by BLU0-SMTP87.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 8 Jun 2010 12:02:25 -0700
From: “Accountadmin@email.blizzard.com” <Accountadmin@email.blizzard.com>
To: <jayras@gmail.com>
Subject: Blizzard – Security Notification

  • Received Again:
  • Information “Changed”: Password

Return-Path: brian_sum41_luvr9@hotmail.com
Received: from nriyhlrj ([116.217.112.154]) by BLU0-SMTP7.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Mon, 14 Jun 2010 06:46:08 -0700
From: “” <wowaccountadmin@blizzard.com>
To: <jayras@gmail.com>
Subject: =?utf-8?B?V29ybGQgb2YgV2FyY3JhZnQgQWM=?=
=?utf-8?B?Y291bnQgUGFzc3dvcmQgVmVyaWY=?=
=?utf-8?B?aWNhdGlvbuKAj+KAjw==?=

  • Received Again:
  • Information “Changed”: Contact Info

Return-Path: necdetbilmen@hotmail.com
Received: from swselpoe ([222.69.182.106]) by BLU0-SMTP51.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Mon, 14 Jun 2010 21:10:31 -0700
From: “Accountadmin@email.blizzard.com” <Accountadmin@email.blizzard.com>
To: <jayras@gmail.com>
Subject: Blizzard – New Account Info Notice

  • Received Again:
  • Information “Changed”: Reset Authenticator

Return-Path: lakeva1112@hotmail.com
Received: from iqw ([222.69.177.198]) by BLU0-SMTP80.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 22 Jun 2010 20:21:43 -0700
Received: from blu0-omc4-s21.blu0.hotmail.com ([65.55.111.160]) by bay0-hmmc2-f4.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 22 Jun 2010 07:08:27 -0700
Received: from BLU0-SMTP43 ([65.55.111.137]) by blu0-omc4-s21.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 22 Jun 2010 07:08:15 -0700
X-AUTH-Result: PASS
X-Originating-Email: [wowaccountadmin@blizzard.com]
Received: from blu0-omc4-s6.blu0.hotmail.com ([65.55.111.145]) by bay0-hmmc2-f18.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 15 Jun 2010 11:31:53 -0700
Received: from blu0-omc3-s25.blu0.hotmail.com ([65.55.116.100]) by bay0-hmmc2-f22.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 15 Jun 2010 11:30:21 -0700
Received: from blu0-omc2-s11.blu0.hotmail.com ([65.55.111.86]) by BAY0-HMMC2-F19.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Mon, 21 Jun 2010 22:44:30 -0700
Received: from BLU0-SMTP9 ([65.55.111.73]) by blu0-omc2-s11.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Mon, 21 Jun 2010 22:44:12 -0700
From: “WoWAccountAdmin@blizzard.com” <wowaccountadmin@blizzard.com>
To: <jayras@gmail.com>
Subject: Account Transactions – Issue NO.656800

This one included an “Issue NO” in the Subject.  As if Blizzard created an Issue number with every change made to every account.  And if they did, it would be much more than 656,800 issues so far.

  • Received Again:
  • Information “Changed”: Contact Information

Return-Path: trenthsv@hotmail.com
Received: from ixm ([118.114.86.94]) by BLU0-SMTP70.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 29 Jun 2010 17:32:21 -0700
Reply-To: <noreply@blizzard.com>
From: “noreply@blizzard.com ” <noreply@blizzard.com>
To: <jayras@gmail.com>
Subject: WOW Account Identification

  • Received again:
  • Information “Changed”: Password

Return-Path: nayyan06@hotmail.com
Received: from lfdp ([124.229.7.119]) by BLU0-SMTP51.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 3 Aug 2010 22:28:56 -0700
Reply-To: <noreply@blizzard.com>
From: “Blizzard Entertainment” <noreply@blizzard.com>
To: <jayras@gmail.com>
Subject: Blizzard Entertainment Cataclysm beta

Links to: www.wowbattle-group.com

  • Received again:
  • Information “Changed”: Password

Return-Path: metayer1@hotmail.fr
Received: from hzerus ([124.229.7.119]) by BLU0-SMTP49.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Wed, 4 Aug 2010 03:46:28 -0700
Reply-To: <noreply@blizzard.com>
Sender: metayer1@hotmail.fr
From: “noreply@blizzard.com” <noreply@blizzard.com>
To: <jayras@gmail.com>
Subject: Blizzard Entertainment Cataclysm beta

Links to: www.wowblizzard-login.com
