Sunday, April 25, 2010

Beware 2010 Arena Tournament scams

Scammers are increasing their efforts with the recent announcement of the 2010 Arena Tournament. I am starting to see phishing emails that tell you all about the new arena tournament and provides you with a convenient "Register Now" link. This link takes you to a fake login page and steals any details that you enter.

The fake login page will capture your username and password. The site then redirects you to the genuine US battle.net login page and tournament registration. Like an ATM skimming device attack, the user rarely detects that a scam has taken place until their account is stripped.

An example of these emails:

























Want to learn more about how to spot phishing scams? Check out our post covering the anatomy of a WoW phishing site.

Wednesday, April 21, 2010

WoW Phishing Domain Compendium

World of Warcraft phishing scams are becoming commonplace these days. I wrote an article last year which covered the anatomy of a WoW phishing site.

To give you some idea on how widespread the issue is, I have put together a collection of the known illegal phishing domains seen so far this year. This list is largely based on a WoW spam honeypot that I have established and further supplemented by tips from players.

Warning - do not visit these sites! They are included here to help educate gamers on what to look for with regards to phishing URL's. Some are still active and may feature malware/keyloggers. I have purposely mangled the URL so that you don't accidently click on the sites. If you feel tempted then stop reading now - you have been warned.

WoW Phishing Domain List

http_://www.accountmanagement-worldofwarcraft.net

http_://www.wor1dcfwarcraft.com
http_://www.worldrofwarcraft.net
http_://www.wor1dofwancreft.com
http_://www.wor1dofwancrvft.com
http_://www.wor1dofwororaft.com
http_://www.worldofwarcrarrft.com
http_://we-io8.worldofwarcraftftc.com
http_://www.worldofwacacraft.com

http_://www.worldofwarcraft-accountadmin-battle.net
http_://www.worldofwarcraft-account-athonticate-account-authonticate.com
http_://www.worldofwarcraftaccount-billing.com
http_://www.worldofwarcraft-account-checkwarning.com
http_://www.worldofwarcraftaccountsecurity.com
http_://www.worldofwarcraft-instruction-account.com
http_://www.worldofwarcraft-certification-account.com
http_://www.worldofwarcraft-supports-account.com
http_://www.worldofwarcraft-subscription-security.com
http_://www.worldofwarcraft-account-investigate.com
http_://www.worldofwarcraft-account-authorization.com
http_://www.worldofwarcraft-account-authontisate.com
http_://www.worldofwarcraft-account-inspect.com
http_://www.worldofwarcraft-account.com
http_://www.worldofwarcrauft-account.com
http_://www.worldofwxarcraft-test.com
http_://www.worldofwarcrcft-test.com
http_://www.worldofwarcruaft-account.com
http_://www.worldofwariraft-manage.com
http_://www.worldofwarcranft-login.com
http_://www.worldofwarcraft-battles-account.com
http_://www.worldofwarcraft-login-admin.com
http_://www.worldofwarcraft-security-billing.com
http_://www.worldofwarcraft-account.info
http_://www.worldofwarcraft-battle-admin.net
http://www.worldofwarcraft-account-authoriration.com/

http_://www.wowaccountmobilephone.com

http_://www.management-adminis-blizzard.com

http_://www.battlenetaccount.com
http_://battle.arena-award-management.com

http_://www.blizzard-feedback.net
http_://www.blizzard-forums.com
http_://www.blizzardaccount-management.com
http_://www.blizzard-account-login-management.com
http_://www.blizzardaccount-billreview.com
http_://www.blizzardaccount-support.com
http_://www.blizzardbattle-management.net
http_://www.blizzardbattle-bill.net
http_://www.blizzardhosting.net

http://www.us-battle-blizzard.net/
http://www.info-battle.net/
http://www.security-accounts-blizzard.com/
http://battle.tournament-administration.com/
http://www.management-ccount-blizzard.com/

These domains are constantly changing - as one is shut down or blocked, another appears. As you can see, there are a lot of variations.

These URL's are usually associated with a spam email telling you that your WoW account has been suspended. The email asks you to click on a link (which may be disguised as a valid game site URL) which takes you to these malicious URL's to phish for your game details. The link could also arrive as an in-game mail or whisper.

As always, don't click on links in emails that appear to come from Blizzard and don't believe the random in-game whispers that tell you that you have won a rare spectral tiger or that your account has been suspended and that you immediately need to log in in to unlock it.

For more information on how to look out for phishing attempts visit the official Battle.net security site and our top 10 security steps article.

If you see any other fake WoW phishing domains then report them to polar at guildox dot com