
Tuesday, April 5, 2011

Top WoW Phishing Scams for March 2011

I have set up a WoW phishing honeypot and I see a lot of active phishing scams. I thought I would take the time to cover the top two WoW phishing scams for March:

#1 Titled "Too Many Attempts Warning No.x" - 37% of WoW scams

The most common phishing scam for March comes in the form of a straight text email that warns you that your account has been locked due to too many login attempts. It provides a link to restore your account, but naturally points to a fake battle.net site, where your account details are captured.

-----------------------------------------------------------------------------
Dear customer, 
Due to suspicious activity, your Battle.net account has been locked. You tried to login your account too many times (403). We are concerned about whether your account has been stolen. In order to guarantee the legitimacy of your account, we need you follow these steps:

Step 1: Secure Your Computer
In the event that your computer has been infected with malicious software such as a keylogger or trojan, simply changing your password may not deter future attacks without first ensuring that your computer is free from these programs. Please visit our Account Security website to learn how to secure your computer from unauthorized access.

Step 2: Secure Your E-mail Account
After you have secured your computer, check your e-mail filters and rules and look for any e-mail forwarding rules that you did not create. For more information on securing your e-mail account, visit our Support page.

Step 3: Restore access to Your account
We now provide a secure link for you to verify whether you have taken the appropriate steps to secure the account, your computer, and your email address. Please follow this site to restore the access to your account: xxxxxxxxxxxxxxxxxxxxxxxxxxxx

If you still have questions or concerns after following the steps above, feel free to contact Customer Support at xxxxxxxxxxxxxxxxxxx.

Sincerely, 
The Battle.net Account Team 
Online Privacy Policy
-----------------------------------------------------------------------------


#2 Titled "Account Change" - 26% of WoW scams

This scam attempts to scare you into thinking that your contact information has been illegally modified and entices you to log in to a fake site to verify your account information.

-----------------------------------------------------------------------------
Hello,
This is an automated notification regarding your Battle.net account. Some or all of your contact information was recently modified through the Account Management website.

*** If you made recent account changes, please disregard this automatic notification.
*** If you did NOT make any changes to your account, we recommend you log in to xxxxxxxxxxxxxxxxxxxx review your account settings.

If you cannot sign into Account Management using the link above, or if unauthorized changes continue to happen, please contact Blizzard Billing & Account Services for further assistance.

Billing & Account Services can be reached at 1-800-59-BLIZZARD (1-800-592-5499 Mon-Fri, 8AM-8PM Pacific Time) or at billing@blizzard.com.

Account security is solely the responsibility of the accountholder. Please be advised that in the event of a compromised account, Blizzard representatives will typically lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.

Regards,
The Battle.net Support Team 
Blizzard Entertainment
Online Privacy Policy
-----------------------------------------------------------------------------

Other active scams include a "7 days free access offer", "investigations on the sale/trade of your game account" and various "compensation" emails. I have also started to see scams for LOTRO and RIFT. You know that you have made it as an MMO when you see active phishing scams - sad, but true.

Learn more about the mechanics of these scams.

Thursday, June 3, 2010

Phishers Ramp Up Their WoW Assault

Phishers have begun targeting the remote auction house and the Cataclysm beta in the latest wave of WoW account phishing spam.

In the first example, unsuspecting users receive an email promoting the features and benefits of the remote auction house and inviting them to participate in the beta by clicking on a "download now" link. The link takes them to a fake battle.net login site where their game details are captured.

A sample email is shown below:

A second type of phishing email is targeting the Cataclysm beta opt-in. Users are sent an email reminding them to update their system specifications to be eligible for a beta invite by logging into battle.net. Naturally, the battle.net link is a fake site designed to collect your account credentials:

Be wary of any email that pretends to come from Blizzard and check the URL of any linked site before entering your account credentials. Visit our anatomy of a phishing site post for information on how to spot phishing emails and better protect your game account.

Let us know if you have received email scams like these.

Sunday, April 25, 2010

Beware 2010 Arena Tournament scams

Scammers are increasing their efforts with the recent announcement of the 2010 Arena Tournament. I am starting to see phishing emails that tell you all about the new arena tournament and provide you with a convenient "Register Now" link. This link takes you to a fake login page that steals any details you enter.

The fake login page will capture your username and password. The site then redirects you to the genuine US battle.net login page and tournament registration. Like an ATM skimming device attack, the user rarely detects that a scam has taken place until their account is stripped.

An example of these emails:

Want to learn more about how to spot phishing scams? Check out our post covering the anatomy of a WoW phishing site.

Sunday, February 28, 2010

Authenticator hack - is your account still safe?

The big security news of the weekend is that Blizzard has confirmed a man-in-the-middle attack that is being used to hack accounts that are using an authenticator.

Let me state up front that this is not a reason to throw your authenticator away, nor should it be an excuse for not getting one. The authenticator is a very sound device - but it is, and will always be, just one of many security mechanisms that you should use to help secure your account. It is what we IT security guys call "layered security" - more on this in a moment.

The attack itself requires a keylogger/trojan. The keylogger, once installed on your system, logs your game user name, password AND authenticator code. It proceeds to post this information off to a rogue server so that the attacker can use this information in near real-time to access your game account. In the meantime, it sends an incorrect code to the battle.net authentication server from your machine - resulting in an "incorrect login" type message from the game. It does this so that you don't consume the one-time-use code that the authenticator provides.

Now it was only a matter of time before we saw this kind of attack. More and more people have been using authenticators. In a survey of over 90 gamers at securingwow.blogspot.com, 84% of them claim to have an authenticator attached to their game account. This tells us that more and more people are now running with an authenticator - reducing the pool size of "easy" victims.

The bad guys are now being forced to step up the sophistication of their attacks and have started targeting those with authenticators. We are bound to see many more keyloggers with this capability in the near future. Additionally, phishing attacks will also begin to operate in the same fashion - asking you to type in your authentication code, along with your other game account details, posting the info off to the attacker - who uses them in real time - leaving you with a "system unavailable" message and a soon-to-be-stripped game account. If we don't have these mechanisms in WoW phishing sites already then I can assure you that they are not far away.

So how do you prevent it from happening? It all comes down to minimizing the chance of being infected with a keylogger in the first place. One of the many tenets of IT security is that "no security system is 100% effective". Anyone who tells you otherwise does not know what they are preaching or is trying to sell you some snake oil. In this case, we can't rely on authenticators as the only defense mechanism - here are ten simple steps you can take to reduce the chance of your game account being compromised:
  1. Don't share your game password with anyone and pick a password that is not easily guessed
  2. Don't use the same password for subscribing to fan sites
  3. Keep your operating system, browser and other software (especially Adobe Flash) fully patched - start with Windows Update
  4. Run a reputable antivirus product, preferably a full internet security suite with a firewall and keystroke encryption
  5. Don't click on email attachments, especially when you don't know the sender
  6. Don't download and run executable files from web pages
  7. Don't enter your game password into any web site other than the official game sites
  8. Don't enter your game password to a legitimate Blizzard web site from a PC that may be compromised
  9. Be very suspicious if an addon requires some form of install package to be run
  10. Invest in a Blizzard authenticator or install the Battlenet authenticator application on your phone
Try to follow all of these recommendations - not just one or two points.

In this specific case, the keylogger was reportedly delivered via a fake site for the Wowmatrix addon manager. The site was created to look and feel like wowmatrix.com but, instead of downloading and installing the addon manager, the keylogger was installed instead. Our recommendations #6 and #9 talk about being "very suspicious" of add-ons that require an installer to run and avoid running executable files from web sites.

The bottom line is that keyloggers and phishing sites are here to stay. Don't rely on your authenticator to protect you 100% of the time - but don't throw it out either. It still forms a very strong part of your layered defense against the bad guys.

Post a comment - we would like to hear from you if you have fallen victim to this attack.

Friday, January 15, 2010

The Armory Phishing Scam

The new and improved wowarmory has brought with it opportunity for scammers seeking to trick you into disclosing your wow game passwords. Check out the full coverage at wow.com on this latest scam:

http://www.wow.com/2010/01/15/beware-of-wow-armory-phishing-scams/

As always, never enter your game username/password into a site that is not "blizzard.com" or "worldofwarcraft.com" and get yourself an authenticator today!

If you have had a close encounter with a WoW phishing scam then post a comment and let us know about it.

Tuesday, January 12, 2010

Beware of Cataclysm Phishing Scams

With the recent announcement of the Cataclysm alpha, users are warned not to fall victim to phishing scams.

Be aware that if you receive an email inviting you to join the Cataclysm testing cycle then it will most likely be a scam. Cataclysm open beta does not exist as yet.

Do not enter your game username and password into any sites that may link from any email claiming to be an official Blizzard invite to Cataclysm.

If you see a Cataclysm phishing scam then feel free to share your comments on it.

Friday, December 11, 2009

Latest phishing scam

The latest phishing scam is an email titled "Battle.net Account – Password Change Notice" telling you that your password has been changed and if you did not make the change then you should visit the blizzard FAQ at a URL of:

http_://www.worldofwarcrarrft.net/

Spot the scam? I hope so (emphasis added).

This is a traditional wow phishing scam.

Thursday, October 1, 2009

New phishing scam

You receive an in-game whisper promising a new mount by visiting:

http://www.blizzus-wow.com/

This is a scam phishing site designed to steal your account information. In fact, it appears to be the very same set of pages that are discussed in my previous blog about how to identify WoW phishing sites.

Wednesday, September 16, 2009

The Anatomy of a WoW Phishing Site

Password stealing via a bogus phishing site is a common tactic for those wanting to break into your WoW account. Let's explore the workings of an illegal WoW phishing site and give you some tips on how to spot such fakes. Note that the phishing site discussed here is no longer online.

The Bait

You receive an in-game whisper or mail telling you that you are eligible to trial an all-new mount. All you have to do to claim this mount is to register on an "official" site and the mount will be sent to your account. The message contains the URL of a site to visit - in this case it is "http://www.blizzard-forums.com". Eagerly, you race off to claim your special mount.

The Hook

You enter the URL to your browser and you get the following site:



You enter your account name and password, hit submit and are taken through to the following page:



The site now asks for your email address and wants you to confirm your account's secret question and answer. You enter the required information and hit submit. You finish on the following success screen:



Application Successful! You just need to wait for your mount to arrive in your in-game mail - but it never does. However, the next time you log in to the game you find that all of your characters have been stripped of their worldly possessions, you have no gold and your guild's bank has been raided.

You have been the unfortunate victim of a phishing attack!

Where did I go wrong?

How could you have prevented falling for such a trick?

Phishing is a form of social engineering - a tactic used by the bad guys to lure in unsuspecting victims to steal personal information - in this case your account login details.

The first part of this attack was to offer something that was highly desirable - in this case the promise of a new, special, in-game mount. Other attacks use the promise of special access to beta new expansion content or tell you your account has been locked as a result of a hack and you need to follow certain steps to unlock it. It can come as an in-game whisper, an in-game mail or a regular email.

Rule#1: Be highly suspicious of anything that is offered for free or any email that claims your account has been compromised.

Next, you were given the URL of something that turned out to be a phishing site. But how can you tell if it is official or not?

The two sites, one bogus and one legitimate:



Spot the difference? No?

It is extremely difficult to spot the difference. It is very easy for an attacker to copy the images, layout and text of the legitimate site - and do it perfectly.

However, there are key things to look for in the URLs. The official Blizzard site is a secured SSL site, with the URL prefixed with "https://". The site is also part of the battle.net domain (in this case us.battle.net):



The bogus phishing site has no SSL, no "https://" and is not part of a battle.net, worldofwarcraft.com or blizzard.com domain:



In fact, looking up the blizzard-forums.com domain ownership, it was found to be owned by an individual in Shanghai, China.

The real irony is that the official Blizzard warning is still shown on the bogus phishing site:



Rule#2: Do not type your game account username/password into any web site other than worldofwarcraft.com (wow-europe.com), blizzard.com and battle.net.

Rule#3: Check for a secured "https:" session on such sites when entering your username/password - while not a 100% guarantee of legitimacy, phishing sites generally don't bother with digital certificates and https.

Some other things that could tip a user off with this example were:

1. Nothing happened if you clicked on any of the language options on the first page - the bad guys were a bit lazy and could not be bothered writing the multi-language support for the site. They were obviously only targeting the English-speaking community.

2. Many of the links on the subsequent pages were incomplete and broken.

3. Entering a dummy username and password still allowed you to progress to the subsequent "success" pages - there was obviously no way to check the username/password combination.

4. There was extremely poor grammar on many of the subsequent pages.

Final words

A word of warning regarding the URL - I recently saw a similar phishing attack that cleverly used the URL of "www.promotion-battle.net". At a glance it looks like a battle.net domain but it is not. The domain is promotion-battle.net and this domain is definitely not an official website.

Rule#4: Just because the letters battle.net or worldofwarcraft.com or blizzard.com appear somewhere in the URL does not make it an official site.

Official login sites should have the format:

https://[prefix].battle.net/...
or
https://[prefix].worldofwarcraft.com/...
or
https://[prefix].wow-europe.com/...
or
https://[prefix].blizzard.com/...

Where [prefix] can be 'www' or 'US' or 'EU' or similar.
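The URL rules above (https only, and a host that is the official domain itself or a subdomain of it) can be written down as a small check. The following is an added example, not code from the original post; the list of official domains is taken from the post, and the sample URLs are the ones discussed in these articles. The check goes slightly beyond the text in that it enforces the dot boundary explicitly, which is what separates a genuine "us.battle.net" from a look-alike such as "promotion-battle.net".

```python
from typing import Tuple
from urllib.parse import urlsplit

# Official registrable domains named in the post. Anything else is treated as
# unofficial, including look-alikes that merely contain one of these strings.
OFFICIAL_DOMAINS = ("battle.net", "worldofwarcraft.com", "wow-europe.com", "blizzard.com")


def classify_login_url(url: str) -> Tuple[bool, str]:
    """Return (is_official, reason) for a URL that asks for game credentials."""
    parts = urlsplit(url.strip())
    # urlsplit only recognises a well-formed scheme; a mangled one such as
    # "http_://" yields no hostname at all, which we also reject.
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no hostname"
    if parts.scheme.lower() != "https":
        return False, "not https"
    for domain in OFFICIAL_DOMAINS:
        # Exact match or a subdomain separated by a dot. "promotion-battle.net"
        # ends with "battle.net" but fails the dot-boundary test.
        if host == domain or host.endswith("." + domain):
            return True, "host is under " + domain
    return False, "host is not an official domain"


def classify_samples() -> dict:
    """Run the check over the URLs mentioned in these posts (and one official one)."""
    samples = [
        "https://us.battle.net/login",          # official format from the post
        "http://www.blizzard-forums.com",       # mount scam from the anatomy post
        "https://www.promotion-battle.net/",    # look-alike from the final words
        "http://www.blizzus-wow.com/",          # in-game whisper scam
        "http_://www.worldofwarcrarrft.net/",   # password-change scam, as printed
        "http://us.battle.net/",                # right domain, but no https
    ]
    return {url: classify_login_url(url) for url in samples}


if __name__ == "__main__":
    for url, (ok, why) in classify_samples().items():
        print(("OFFICIAL  " if ok else "SUSPECT   ") + url + "  (" + why + ")")
```

Only the hostname is compared, never the full URL string, because the rest of the URL (path, query, page text) is trivially copied by the attacker; and the comparison is on a dot boundary rather than a substring search, which is exactly Rule#4 in code.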

We have covered the main things to watch out for with regards to bogus phishing sites. There are other, more advanced phishing techniques, including DNS hijacking and cross-site scripting, that are beyond the scope of this article but are worthwhile reading for those who wish to know more.

If you ever have any doubt about a site that asks for your game username/password then contact http://blizzard.com - manually type the URL and don't follow links from the suspect site - and ask them if the suspect site is real.

Grab yourself a Blizzard authenticator (or phone application) and add another layer of protection to these kinds of attacks - if the bad guys get hold of your username and password then it is of little use to them without your hardware authenticator.

10-steps to better WoW account security

Sunday, July 19, 2009

Protecting Your WoW Account: Ten Easy Steps

You invest a lot of time leveling your characters so don't leave yourself exposed to the disappointment and frustration of account compromise.

Let's explore the common hacking methods of the bad guys and introduce some simple and easy steps on how to help prevent character loss and down time.

How do WoW accounts get hacked?

The keylogger

Keyloggers or keystroke loggers are covert pieces of software that sit in memory, logging your keystrokes when you enter the game or when you enter the Blizzard account or forum web sites. The keylogger then sends this information out to the bad guys. Many people wrongly believe that keyloggers only look for your password when you enter the game, but more commonly than not, they intercept it when you enter the Blizzard forums or account pages on the official web site.

Keyloggers are often included in the functionality of malware called "Trojans". Trojans are pieces of software that are designed to look like legitimate software but have backdoors for malicious functions.

Reputable antivirus software will detect keyloggers as soon as they attempt to install themselves and will often identify them as trojans. There are plenty of good, free antivirus products out there, but you sometimes get what you pay for. In fact, there are many scam products out there that appear to be antivirus products but are actually keyloggers themselves. I recommend sticking with the major commercial antivirus vendors such as Symantec, McAfee, Trend Micro, Sophos, AVG and Kaspersky. If you think you might have a keylogger then most of these vendors have a free online scan that you can use to check your system - in fact, it is best to try a couple of these free scans to be sure.

Also note that some newly developed keyloggers may not be detected by antivirus software so don't rely on it 100%.

But how did you get the keylogger in the first place? There are several ways that you can pick one of these up:
  1. You opened an email attachment that launched this software on your machine.
  2. You downloaded and launched the software thinking it was something else. For example, you may have been browsing a web site that prompted you to download a "codec" to watch a video. You excitedly clicked on the download and then the "run" button, only to find that the video still did not play. In the background, you just installed a keylogger.
  3. Your browser or some browser application such as Flash was not patched for a certain vulnerability and you browsed a page that automatically launched and installed the keylogger.
  4. You downloaded what you thought was an addon, that strangely asked you to run some installation package.
The common theme here is that to install a keylogger you generally have to be tricked into running some form of installation process.

Don't think you are perfectly safe if you have a Mac either. While the Microsoft operating systems have traditionally been the target of most malware, Macs are beginning to increase in popularity for malware writers.

The Blizzard authentication token is a great way to protect against a keylogger. The authenticator helps provide two-factor authentication. Two-factor authentication is far more effective since it requires two pieces of information from two different sources - in this case, something that you know (your regular account password) and something that you have (the authenticator generated password). The added security comes from the fact that the authenticator changes its password every 60 seconds - so even if the keylogger captures the authenticator password it is only valid for a very short time.
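The two properties that make the authenticator useful against a keylogger, a code that is only valid for one short time step and that can only be consumed once, are also what force the man-in-the-middle attack described in the February 2010 post to relay the captured code in real time. The following added example (not code from the original post, and not Blizzard's implementation, whose internals the post does not describe) models a generic RFC 6238 time-based one-time-password token and a server-side verifier that enforces both properties; the 60-second step matches the rotation interval quoted in the post, and the six-digit length, the secret seed and the timestamps are constructed assumptions.

```python
import hashlib
import hmac
import struct
from typing import Set, Tuple

STEP_SECONDS = 60   # assumption: the post says the code changes every 60 seconds
DIGITS = 6          # assumption: six-digit codes
WINDOW = 1          # also accept the previous step, to tolerate small clock drift


def totp_code(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HOTP computed over the current time step."""
    counter = int(now) // STEP_SECONDS
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


class AuthenticatorVerifier:
    """Server-side check: the code must be correct, inside the time window,
    and never previously consumed (this is the 'one-time-use' property)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used: Set[Tuple[int, str]] = set()     # (time step, code) already accepted

    def verify(self, code: str, now: float) -> Tuple[bool, str]:
        step = int(now) // STEP_SECONDS
        for candidate in range(step - WINDOW, step + 1):
            expected = totp_code(self.secret, candidate * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                key = (candidate, code)
                if key in self.used:
                    return False, "code already used"
                self.used.add(key)
                return True, "accepted"
        return False, "wrong or expired code"


def demo():
    """Walk through a legitimate login, a replay of the same code, and a stale code."""
    secret = b"constructed-demo-seed"          # constructed; a real token has a per-device seed
    verifier = AuthenticatorVerifier(secret)
    t0 = 1_300_000_020                         # constructed timestamp, exactly on a step boundary
    code = totp_code(secret, t0)
    return [
        verifier.verify(code, t0 + 10),        # typed by the real user: accepted
        verifier.verify(code, t0 + 20),        # same code presented again: rejected
        verifier.verify(code, t0 + 180),       # code captured earlier, used three steps later: expired
    ]


if __name__ == "__main__":
    for ok, why in demo():
        print("ACCEPT" if ok else "REJECT", why)
```

The verifier records the (time step, code) pair it accepted, so a code that was keylogged and then used by the attacker before the real user's login would be consumed, and the real user's attempt would fail with "code already used". That failed login, rather than silence, is the signal a player should treat as a compromise indicator, which is also why the post recommends not relying on the authenticator as the only layer.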

If you have an iPhone then you can pick up the free Blizzard Battlenet Authenticator application from the iStore.

The phishing site

Phishing is the process of using deceptive methods to acquire sensitive information, in this case your game account details.

For example, you saw a notice in trade chat or received a whisper saying that you have won a competition to win a spectral tiger mount. All you have to do is visit a web site and type in a special redemption code. You go to the site, it looks legitimate, you enter the code and it then asks you for your account name and password so that the tiger mount can be mailed to your character. STOP! This is a phishing site with one aim - to get you to type in your username and password so they can log in to your game account.

A similar ploy is the email that reads "Official email from Blizzard. Your account has been suspended. Click here to confirm your details and unlock your account". Again, you click on the link in the email and it looks like a legitimate Blizzard site... but it is nothing but a scam.

It often takes a trained eye to spot a fake web site. Be extra cautious when any site asks you for your account details. I know of only three sites that should ever require your game password - worldofwarcraft.com, blizzard.com and battle.net. If the URL is anything other than these then it is highly likely to be a phishing site that you are visiting.

Again, the Blizzard authenticator provides great protection here since phished authenticator passwords are only valid for a very, very short time.

The insider

You have shared your account password with a friend or a leveling service. You never changed your password and now your friend is no longer a friend or the leveling service had other intentions. The solution here is - don't share your username/password with anyone. Choose a password that can't be easily guessed by your friends and enemies.

The fan site

Be sure to use a different login/password combination when you subscribe to any Blizzard fan sites. There are hundreds of fan sites and not all are reputable. Even reputable fan sites with username/password databases are a gold mine for successful hackers.

The Ten Steps - Don't become a statistic

Here are ten simple steps you can do to reduce the chance of your account being compromised:
  1. Don't share your game password with anyone and pick a password that is not easily guessed
  2. Don't use the same password for subscribing to fan sites
  3. Keep your operating system, browser and other software fully patched - start with Windows Update
  4. Run a reputable antivirus product, preferably a full internet security suite with a firewall and keystroke encryption
  5. Don't click on email attachments, especially when you don't know the sender
  6. Don't download and run executable files from random web pages
  7. Don't enter your game password into any web site other than the official game sites
  8. Don't enter your game password into a legitimate Blizzard web site from a PC that may be compromised
  9. Be very suspicious if an addon requires some form of install package to be run
  10. Invest in a Blizzard authenticator or install the Battlenet Authenticator application on your iPhone
Remember, security is never 100% guaranteed and there will always be opportunities for your account to be compromised. I have touched on the more common methods in this post. The important message here is to make it as difficult as possible for the bad guys. Out of all the advice, the hardware authenticator is one of the simplest, least expensive and most effective steps you can take to avoid becoming a hack statistic. Pick one up from the Blizzard store today.

Update: You can also purchase this as an application for many mobile phones at mobile.blizzard.com.