Select Page

New vector for malicious links – WoW whisper message leads to keylogger

Our friend Douglas received a whisper (chat message) from someone using the handle “BlizzaICOL” while he  was playing WoW telling him that the beta is available for the new Cataclysm expansion for the WoW map. The expansion will make everything appear as though it’s on fire, being burned by a dragon. The “whisperer” also passed along a URL which led to Cataclysmtest.net (don’t go there) which APPEARED to be the WoW login screen.

WoW_Phish
(click to enlarge)

To see where this went, we entered a fictitious username and password and the site accepted it, meaning that it’s probably snatching login information. It’s a known phishing site (Firefox alert box below.)

Wow_2
(click to enlarge)

Another authentic-looking page (also tagged as a malicious site by Firefox) with a “download” button awaited at worldofwarcrayt.com (which as you can notice is one letter off from “worldofwarcraft.com.”

WoW_Phish_4
(click to enlarge)

Nice reproduction of the real thing:

WoW_authentic

Clicking on the “Download for PC” (don’t try this at home) we downloaded this – which turned out to be a Trojan that installs a key logger intended to steal passwords.

WoW_Phish_6

The Cataclysmtest.net domain was registered earlier in the month and whoever registered it either has a really obscene name or is faking it. The “,cm” country domain – Cameroon – is well known for malicious code, because it’s only one mistyped URL from the “.com” top-level domain. Operators there have set up a wild-card DNS record which will respond to any URL with a .cm domain. (More info here: http://en.wikipedia.org/wiki/Wildcard_DNS_record )

WoW_whois_2

It appears the worldofwarcrayt.com domain was registered (in April) by the same person who used “ukukukuk”  in place of “usususus.”

WoW_whois_1

Thanks Douglas and Wendy.

Tom Kelchner