Worldofwarcraft Account login – Phishing Example

World of Warcraft is so successful that it has spawned its own economy. So it’s no surprise that WoW accounts are a phishable commodity. And, since some gamers take this very seriously (just look up “wow addiction”), stealing a WoW account is identity theft at its most heinous.

As phishing campaigns go, this one’s pretty good. The fake website is a decent replica of the battle.net login page and it has a pretty tricky URL.

On the other hand, they kind of blew it by not spoofing the “From:” address:

Subject: Worldofwarcraft Account login

From: Blizzard Entertainment <justybw@gmail.com>

Unless Blizzard Entertainment has started sending official emails from justybw@gmail.com, you can bet this isn’t from them.

However, assuming you just saw “Blizzard Entertainment” and opened the message anyway, this is what you’d see:

Hello,

This is an automated notification regarding your World of Warcraft account. Your account options was recently modified through the Account Management website.

*** If you did NOT make any changes to your account or subscription, we recommend you login to Account Management at the following link to review your account settings:
http://www.worldofwarcraft.com/account/billing/

If you cannot sign into Account Management using the link above, or if unauthorized changes continue to happen, please contact Blizzard Billing & Account Services for advanced assistance.

Account security is solely the responsibility of the accountholder. Please be advised that in the event of a compromised account, Blizzard representatives will typically lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.

Regards,

The World of Warcraft Support Team
Blizzard Entertainment
http://www.blizzard.com/support/wowindex/

In the original email both of the URLs above are clickable. (We removed the links because we’re trying to cut down on linking to known phishing sites.) However, only the second one actually links to the URL that’s displayed. The first one links to:

http://www.battle.net-wow-suppor-admin.com/login/en/login.asp?ref=https%3A%2F%2Fus.battle.net%2Faccount%2Fmanagement%2Fbeta-profile.xml&app=bam

Warning: Make sure you have good anti-virus and anti-malware software before cutting and pasting the URL above into your address bar (if you’re that curious).

If you’re observant, you’ll notice that the domain that this points to is:

net-wow-suppor-admin.com

But if you’re just skimming, it’s kind of hard to see. It’s pretty easy to be fooled by the www.battle.net at the left end of the URL:

www.battle.net-wow-suppor-admin.com

Always make sure you check the link and understand the URL before clicking on links, especially links that pretend to display the URL they link to.

On the plus side, between the time we noticed this email and the time we started writing this post, Firefox started tagging the site as a “Reported Web Forgery”. If you see this warning, don’t ignore it.

Updated 10/12/2010

Here’s another:

Subject: Battle.net Account – Password Change Notice

From: Blizzard Entertainment <Blizzard Entertainment>

Hello,
This is an automatic notification regarding the recent change (s) to your Battle.net account
Your password has been modified through the Account Management web site recently.
*** If you change this password, please ignore this notice.
However, if you do not make any changes to your password, we recommend that you keep in touch, as much as possible to help protect your account billing and account services, Blizzard.
Verify account, retrieve your password, click http://us.bctt1c.net/login/en/battle/faccaont/login.htmluser_action.html to answer frequently asked questions, or contact the Blizzard billing and account services team.
Account security is entirely the responsibility of the account holder. Please note that in a restricted account, Blizzard representatives typically must lock the account. In this case, the account management team will need to fax before the material issue of identity in order to play your account earnings.
Sincerely,
Battle.net account team
Online Privacy Policy
Note: Blizzard employees will never ask for your WoW account password.

This one has a really interesting trick URL. The blue, underlined text above (we removed the link) actually links to the same URL as is presented in the text. If you look closely, you’ll see that it doesn’t link to Blizzard’s gaming hub, battle.net; it actually goes to bctt1c.net. That’s B-C-T-T-ONE-C.net, which kind of looks like battle.net if you’re not paying attention.

If we dig a little further, we can be fairly certain bctt1c.net doesn’t belong to Blizzard Entertainment: they register their domains with Network Solutions (we did a whois lookup on both blizzard.com and battle.net), but bctt1c.net is registered with Internet Names Worldwide in Australia.

It just goes to show that you really need to look at URLs, and domain names in particular, when they’re asking you for private account information.

Updated 11/11/2010

Here we go again:

Subject: Battle.net Account – Password Change Notice

From: Blizzard Entertainment <Blizzard Entertainment>

Battle.net Account – Password Change Notice
Hello,
This is an automatic notification regarding the recent change (s) to your Battle.net account
Your password has been modified through the Account Management web site recently.
*** If you change this password, please ignore this notice.
However, if you do not make any changes to your password, we recommend that you keep in touch, as much as possible to help protect your account billing and account services, Blizzard.
Verify account, retrieve your password, click http://us.bottlo.net/account/support/password/reset/confirm/E317698849A079D2820CB241A7AC8E8ED562AC117A2EF3B2122A0C8812314A8E.html to answer frequently asked questions, or contact the Blizzard billing and account services team.
Account security is entirely the responsibility of the account holder. Please note that in a restricted account, Blizzard representatives typically must lock the account. In this case, the account management team will need to fax before the material issue of identity in order to play your account earnings.
Sincerely,
Battle.net account team
Online Privacy Policy
Note: Blizzard employees will never ask for your WoW account password.

This one goes to bottlo.net which is still not battle.net.

Updated 1/18/2011

And another . . .

Subject: World of Warcraft
From: “noreply@blizzard.com” <noreply@blizzard.com>

World of Warcraft – Account Management

An investigation of your World of Warcraft account has found strong evidence that the account in question is being sold or traded.

As you may not be aware of, this conflicts with Blizzard’s EULA under section 4 Paragraph B which can be found here: WoW -> Legal -> End User License Agreement and Section 8 of the Terms of Use found here: WoW -> Legal -> Terms of Use The investigation will be continued by Blizzard administration to determine the action to be taken against your account.

If your account is found violating the EULA and Terms of Use, your account can,and will be suspended/closed/or terminated. In order to keep this from occurring, you should immediately verify that you are the account.  To verify your identity please visit the following webpage: http://www.worldofwaroreft.com

Only Account Administration will be able to assist with account retrieval issues. Thank you for your time and attention to this matter, and your continued interest in World of Warcraft.
Blizzard Entertainment Inc Account Administration Team
P.O. Box 18979, Irvine, CA 92623
Blizzard Entertainment

Anybody know of a game named “World of War or Eft”? Because that’s what this phishing email links to.
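The checks this post walks through, put into code as an added example (not part of the original post): find the domain a link really goes to, compare it with the URL shown in the message, and flag trusted names embedded in the host as well as near-miss spellings. The allowlist, the 0.6 similarity threshold and the function names are assumptions made for the example; the sample links are the ones quoted above, with paths and query strings trimmed.

```python
import difflib
from urllib.parse import urlsplit

# Assumed allowlist: the domains the post treats as genuinely Blizzard's.
LEGIT = ("battle.net", "blizzard.com", "worldofwarcraft.com")
LOOKALIKE_RATIO = 0.6  # assumed threshold, chosen for this example

def registrable_domain(url):
    """Naive eTLD+1 (last two host labels). Fine for the .com/.net hosts in
    the post; production code should use the Public Suffix List instead."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])

def check_link(href, shown_text=""):
    """Return a set of findings for one link; an empty set means no finding."""
    host = urlsplit(href).hostname or ""
    domain = registrable_domain(href)
    if domain in LEGIT:
        return set()
    findings = {"off-allowlist:" + domain}
    # The displayed text is itself a URL but names a different domain.
    if shown_text.startswith(("http://", "https://")):
        if registrable_domain(shown_text) != domain:
            findings.add("text-mismatch")
    for legit in LEGIT:
        # A trusted name appears inside the host without being the real domain.
        if legit in host:
            findings.add("embeds:" + legit)
        # The real domain is a near-miss spelling of a trusted one.
        ratio = difflib.SequenceMatcher(None, domain, legit).ratio()
        if ratio >= LOOKALIKE_RATIO:
            findings.add("lookalike:" + legit)
    return findings

# Links quoted in the post as (href, text shown to the reader); paths trimmed.
SAMPLES = [
    ("http://www.battle.net-wow-suppor-admin.com/login/en/login.asp",
     "http://www.worldofwarcraft.com/account/billing/"),
    ("http://us.bctt1c.net/login/en/battle/", ""),
    ("http://us.bottlo.net/account/support/password/reset/confirm/", ""),
    ("http://www.worldofwaroreft.com", ""),
]

if __name__ == "__main__":
    for href, text in SAMPLES:
        print(registrable_domain(href), sorted(check_link(href, text)))
```

A spoofed “From:” address such as the noreply@blizzard.com one above passes any sender-name check, which is why the link target is what gets tested here.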


2 Responses to “Worldofwarcraft Account login – Phishing Example”

  1. Kusanagi says:

    Well, but that’s not all, my friend getting 2 mail per day like one year in back but he don’t play WoW at least 3 years !!! Now how hackers have his mail? When he created one only for WoW and nothing else.
    Another thing, I start receiving same mail like him before few weeks, that happen when I activated Authenticator on their official site of course, exactly next day. (mail like above one)
    Another thing, very strange one: in World of Warcraft Client Patch 3.3.0a (2009-Dec-14) minor changes !!! What minor changes? Let’s go to http://forums.wow-europe.com/board.html?forumId=10001&sid=1 to see minor changes. And guess, there is no such a post !! Because there is no minor changes. Changes are in LVL 1 character, because since that day lvl 1 character humans, dwarfs and gnomes have 45 HP not 65 HP
    Why? Guess what? In that time “hackers” starting to write letters with dead body in main cities and in Ironforge when character fly in air (cheat) and drop down he didn’t DIED but he left with 15 HP then he need to JUMP one more to DIE but if someone in Ironforge healed him he didn’t died after second jump. Then script was FCKED and we seen missing dead body on ground. Then we have that OVERNIGHT Patch and problem was fixed ! How, easy, they die now from first jump.
    And one more thing, 12.Dec.2009 is MONDAY. When you see patch in Monday last time?
    Another thing: When you see a some Chinese BOT on map last time?
    I didn’t see them for YEARS (since lvl 60) and they selling GOLD like hundreds of thousand of them on every realm. From where are that all gold coming?

    One more thing.
    My friend didn’t play wow like more than 6 months, his account was frozen not canceled. Then this year in August someone login on his account and we /w him but no answer. Then I call him and ask, lol you are back to wow, he say wtf I’m not. Then he go in Account management on blizz site, log in and guess what? Account FROZEN and someone play WOW.
    We call blizz support and they don’t know anything about that and how is that possible, then they CHANGED his PASS and that player was gone offline. HA HA HA….. strange aaa?

    Some tips:
    If you OWN Blizzard, and you want to profit more, you will find ppl who will sell gold to players but not directly, so, you arrange all, make some small company who is not in EU or US transfer them some money and give them GAME HACKS so they can use that to FLY in city above ground, draw crap letters and players go buy their gold. So if someone catch them, they will never tell that they have any connection with Blizzard. And they usually can pay to police investigators to STF and leave them alone to do a JOB. That’s why that can be some poor country etc.
    Now when they sell gold and ppl pay them some % of money stay and rest go to Blizz (but again not DIRECT to Blizz, always there is 2-3 companies between, so if they getting caught they will never lead to Blizz) and they are fine even with very small amount of money. There are a LOT of ppl who will do that in poor countries, believe me.

    That’s how some system work and maybe this one work like this.

  2. NotAWowplayer says:

    I have 18 of these emails, received over the last 5 weeks. I do not even own a wow account, and have never played it.