Wednesday, April 21, 2010

WoW Phishing Domain Compendium

World of Warcraft phishing scams are becoming commonplace these days. I wrote an article last year which covered the anatomy of a WoW phishing site.

To give you some idea of how widespread the issue is, I have put together a collection of the known illegal phishing domains seen so far this year. This list is largely based on a WoW spam honeypot that I have established and further supplemented by tips from players.

Warning - do not visit these sites! They are included here to help educate gamers on what to look for with regard to phishing URLs. Some are still active and may feature malware/keyloggers. I have purposely mangled the URL so that you don't accidentally click on the sites. If you feel tempted then stop reading now - you have been warned.

WoW Phishing Domain List


These domains are constantly changing - as one is shut down or blocked, another appears. As you can see, there are a lot of variations.

These URLs are usually associated with a spam email telling you that your WoW account has been suspended. The email asks you to click on a link (which may be disguised as a valid game site URL) that takes you to one of these malicious URLs, where the site phishes for your game details. The link could also arrive as an in-game mail or whisper.
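The check a mail filter or a cautious reader can apply to such a link, shown as an added example that is not code from the original article: classify the link by the host it really points to, not by brand names that appear elsewhere in the URL. The allow-list, the keyword list, the function name `classify_link` and the sample links (reserved `.example` names) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: this allow-list of official registrable domains is supplied by
# the defender; it is not taken from the original article.
OFFICIAL_DOMAINS = ("battle.net", "blizzard.com", "worldofwarcraft.com")
BRAND_WORDS = ("warcraft", "blizzard", "battle")
DIGIT_SWAPS = str.maketrans("01", "ol")  # undo 0-for-o and 1-for-l substitutions


def classify_link(url: str) -> str:
    """Classify a link by its real host, ignoring path and query text."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "no-host"
    # In "https://battle.net@other.host/" the text before '@' is userinfo, not the host.
    if parts.username is not None:
        return "userinfo-trick"
    # Official only if the host IS an official domain or a subdomain of one.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    # Official name used as the leading labels of someone else's domain.
    if any(f".{d}." in f".{host}." for d in OFFICIAL_DOMAINS):
        return "official-name-as-subdomain"
    # Brand keyword (after undoing digit swaps) inside an unrelated domain.
    if any(w in host.translate(DIGIT_SWAPS) for w in BRAND_WORDS):
        return "brand-lookalike"
    return "unrelated"


# Constructed sample links (reserved .example names, not real sites).
SAMPLES = [
    "https://us.battle.net/login",
    "http://us.battle.net.account-check.example/login.asp?ref=https://www.worldofwarcraft.com/account/",
    "http://www.b1izzard-support.example/",
    "https://www.battle.net@login.example/account",
    "https://forum.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):28} {link}")
```

A brand keyword match only flags a host for review; the allow-list comparison on the host's trailing labels is the part that decides whether a link is official.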

As always, don't click on links in emails that appear to come from Blizzard and don't believe the random in-game whispers that tell you that you have won a rare spectral tiger or that your account has been suspended and that you immediately need to log in to unlock it.

For more information on how to look out for phishing attempts, visit the official Battle.net security site and our top 10 security steps article.

If you see any other fake WoW phishing domains then report them to polar at guildox dot com

6 comments:

  1. great list, thanks. Helped me identify a malicious URL.

  2. http://www.worldofwarcraftsecurity.net I believe is another one that I just a typical /w from a player named BLIZZARD on Thunderhorn Alliance side. Not how any message from Blizzard should actually come through, imo. Nor would I think WoW/Blizz to use a .net domain.

  3. http://www.worldofwarcraft-admin-battle.com/ stole my account a while back, but when I got a fishy email from them again about the beta opt-in I freaked, but then I wondered why it was in spam, so I looked up emails from the same sender and the email that led me to that website a while back came up. Now I know it's a scam. Thank god for this site, saved my account again!

  4. Here is a very clever attempt:

    http://us.battle.net.adminbatle.com/login.asp?ref=https://www.worldofwarcraft.com/account/&app=wam

    So, even if you look at the redirect, if you aren't careful, it still looks valid.

  5. I got a mail that someone had changed my login info and a link to visit if it was not me who changed this... the link I got was http://us.worldofwarcraft.information-admin.net/accountlogin.html

    And that site was blocked due to scam. But what troubles me is that the mail was from blizzard.com

  6. Yes this one is definitely a scam - but it is not from Blizzard - it just looks as though it comes from Blizzard. It is very easy to make it look like this and it is how most of these phishing emails are constructed.
