Wednesday, September 16, 2009

The Anatomy of a WoW Phishing Site

Password stealing via a bogus phishing site is a common tactic for those wanting to break into your WoW account. Let's explore the workings of an illegal WoW phishing site and give you some tips on how to spot such fakes. Note that the phishing site discussed here is no longer online.

The Bait

You receive an in-game whisper or mail telling you that you are eligible to trial an all-new mount. All you have to do to claim this mount is to register on an "official" site and the mount will be sent to your account. The message contains the URL of a site to visit - in this case it is "". Eagerly, you race off to claim your special mount.

The Hook

You enter the URL to your browser and you get the following site:

You enter your account name and password, hit submit and are taken through to the following page:

They are now asking for my email address and they want to confirm my account's secret question and answer. You enter the required information and hit submit. You finish on the following success screen:

Application Successful! You just need to wait for your mount to arrive in my in-game mail - but it never does. However, next time you log in to the game you find that all of your characters have been stripped of their worldly possessions, you have no gold and your guild's bank has been raided.

You have been the unfortunate victim of a phishing attack!

Where did I go wrong?

How could you have prevented falling for such a trick?

Phishing is a form of social engineering - a tactic used by the bad guys to lure in unsuspecting victims to steal personal information - in this case your account login details.

The first part of this attack was to offer something that was highly desirable - in this case the promise of a new, special, in-game mount. Other attacks use the promise of special access to beta new expansion content or tell you your account has been locked as a result of a hack and you need to follow certain steps to unlock it. It can come as an in-game whisper, an in-game mail or a regular email.

Rule#1: Be highly suspicious of anything that is offered for free or anything email that claims your account has been compromised

Next, you were given the URL of something that turned out to be a phishing site. But how can you tell if it is official or not?

The two sites, one bogus and one legitimate:

Spot the difference? No?

It is extremely difficult to spot the difference. It is very easy for an attacker to copy the images, layout and text of the legitimate site - and do it perfectly.

However, there are key things to look for in the URLs. The official Blizzard site is a secured SSL site, with the URL prefixed with "https://". The site is also part of the domain (in this case

The bogus phishing site has no SSL, no "https://" and is not part of a, or domain:

In fact, looking up the domain ownership, it was found to be owned by an individual in Shanghai, China.

The real irony is that the official Blizzard warning is still shown on the bogus phishing site:

Rule#2: Do not type your game account username/password into any web site other than (, and

Rule#3: Check for a secured "https:" session on such sites when entering your username/password - while not a 100% guarantee of legitimacy, phishing sites generally don't bother with digital certificates and https.

Some other things that could tip a user off with this example were:

1. Nothing happened if you clicked on any of the language options on the first page - the bad guys were a bit lazy and could not be bothered writing the multi-language support for the site. They were obviously only targeting the english speaking community.

2. Many of the links on the subsequent pages were incomplete and broken.

3. Entering a dummy username and password still allowed you to progress to the subsequent "success" pages - there was obviously no way to check the username/password combination.

4. There was extremely poor grammar on many of the subsequent pages.

Final words

A word of warning regarding the URL - I recently saw a similar phishing attack that cleverly used the URL of "". At a glance it looks like a domain but it is not. The domain is and this domain is definitely not an official website.

Rule#4: Just because the letters or or appear somewhere in the URL does not make it an official site.

Official login sites should have the format:


Where [prefix] can be 'www' or 'US' or 'EU' or similar.

We have covered the main things to watch out for with regards to bogus phishing sites. There are other, more advanced phishing techniques including DNS hijacking and cross-site scripting that are beyond the scope of this article but are worthy reading topics for those that wish to know more.

If you ever have any doubt about a site that asks for your game username/password then contact - manually type the URL and don't follow links from the suspect site - and ask them if the suspect site is real.

Grab yourself a Blizzard authenticator (or phone application) and add another layer of protection to these kinds of attacks - if the bad guys get hold of your username and password then it is of little use to them without your hardware authenticator.

10-steps to better WoW acount security


  1. Just got phised by these guys... I'm a fool.
    Thanks for the explanation though - Cheers'

  2. This is why I never click on links sent to my email or given to me in the game. I know that Blizzard would contact me through my email if they were having a promotion or if my account was in danger of being suspended, but even if I do get an email that looks legit, I STILL type in the real blozzard website, the one I always use and I never click on the link in my email.