WoW account login phishing blitz, that’s what!
An avid World of Warcraft player we know has been the target of a phishing attack that’s turned into a blitz krieg – 28 phishing emails in two days. All of them trying to appear as though they were from “The World of Warcraft Support Team Blizzard Entertainment”
(click to enlarge)
Links in the emails (which are different than the URL’s displayed in the text) lead to a site obviously intended to steal passwords (see our earlier blog piece “Battle Net password troll campaign (in Engrish)”)
(click to enlarge)
The 20 URLs we checked:
— were set up between June 6 through August 12
— appeared to have been set up by as many as 14 people (similar types of contact and address data)
— were registered in China (16), India (2), none given (1) and Pompano Beach, Fla.
All ending with “soooooo whats up dude?”
WoW players should be aware there is a serious campaign on to steal their login information and should be especially aware of the URLs in emails that appear to be from Blizzard Entertainment. Hold the mouse cursor over any URLs in an e-mail and check the REAL URL in the status bar at the bottom of the screen. To further check, do a who-is check (http://whois.domaintools.com/) of the domain name (see list below for some phony ones.)
AUTHENTIC Blizzard Entertainment URLs:
battle.net
us.battle.net
worldofwarcraft.com
worldofwarcraft.worldofwarcraft.com
us.blizzard.com
Registrant: Blizzard Entertainment
PO Box 18979
Irvine, CA 92623-8979
US
Phony look-alike URLs we’ve seen include:
blizzard-wowaccount-battle.net
battle-blizzard-battle.net
blizzard-wowadmin-battle.net
wowbattle-review.com
eu.blizzard.restoreaccess.us
us.blizzard.accountsecurity.us
battrlie.net
us.braittle.net
wowaccount-survey.com
us-battlewowaccounte.net
batt1e.org
battle-wow-battle.net
us.support.blizzard.accountsecurity.eu
wowbattle-automatic-detection.com
wowbattle-group.com
wow-world.battle-account.info
blizzard-wowlogin-battle.net
beta-cataclysmbeta-blizzard.net
wow-battle-cataclysmbeta.com
wow-battle-cataclysmbeta.net
Example of look-alike URL: batt1e.org (note the number one is used for an “L”)
Domain Name:BATT1E.ORG
Created On:11-Jul-2010 15:26:50 UTC
Last Updated On:05-Aug-2010 07:15:07 UTC
Expiration Date:11-Jul-2011 15:26:50 UTC
Sponsoring Registrar:Jiangsu Bangning Science and technology Co. Ltd. (R1829-LROR)
Status:CLIENT HOLD
Status:TRANSFER PROHIBITED
Registrant ID:a73d9472-d793-4
Registrant Name:meilixu
Registrant Organization:xumeili
Registrant Street1:heilongjiang
Registrant Street2:
Registrant Street3:
Registrant City:heilongjiang
Registrant State/Province:heilongjiang
Registrant Postal Code:161000
Registrant Country:CN
Thanks Wendy, Thanks Douglas.
Tom Kelchner