Phishing Attack or Bad Blizzard?
#1
So I wake up this morning to find a helpful email from Blizzard, reminding me to renew my account before The Burning Crusade. "That's odd," I think, "My account is active right now. Well, I'd better just check..."

[Image: phishmb9.jpg]

In my early morning stupor, I clicked the link, entered my account information, and realized that this is the model for a textbook phishing attack (in that order). I immediately changed my password and scrutinized the headers of the email and it looks legitimate to my untrained eyes.

Code:
Date:      Friday, January 05, 2007 01:28 am
Subject:        Are You Ready For The Burning Crusade?
Message-ID:&nbsp;&nbsp;&nbsp;&nbsp; <20070105052853.1C3D.7155-53@email.blizzard.com>
Return-Path:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<Newsletter@email.blizzard.com>
Delivered-To:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"monkey"
Received:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (qmail 12631 invoked from network); 5 Jan 2007 05:33:14 -0000
Received:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; from dsl093-061-106.pit1.dsl.speakeasy.net (HELO "friend's mail redirect") ([66.93.61.106]) (envelope-sender <Newsletter@email.blizzard.com>) by mail22.sea5.speakeasy.net (qmail-ldap-1.03) with AES256-SHA encrypted SMTP for <"monkey">; 5 Jan 2007 05:33:14 -0000
Received:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;from email.blizzard.com (email.blizzard.com [12.129.200.219]) by "friend's mail redirect"(8.12.10/8.12.10) with SMTP id l055X1Q0004416 for <"monkey">; Fri, 5 Jan 2007 00:33:07 -0500 (EST) (envelope-from Newsletter@email.blizzard.com)
Content-Return:&nbsp;&nbsp;&nbsp;&nbsp; allowed
X-Mailer:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; CME-V6.5.4.3; blizzard
MIME-Version:&nbsp;&nbsp;&nbsp;&nbsp; 1.0
Content-Type:&nbsp;&nbsp;&nbsp;&nbsp; multipart/alternative; boundary="----=_NextPart_16D8_728_9635A8BA.01C73078"

Which brings me to my point: Did anyone else receive this email? If it wasn't legitimate, well, I hope all other recipients were sharper than me. If it was legitimate, what was Blizzard thinking, sending an official mail that looks like a phishing attack?
Reply
#2
I did not receive any email like that. I also went to Blizzard's WoW main page and didn't see anything that would point to something like that. It definitely seems fake to me.
-TheDragoon
Reply
#3
I got one too. It looks legit, as the link for the "reactivate" button goes straight to https://www.worldofwarcraft.com/account/ (you can check it with whatever your mail reader's equivalent of "view message source" is).

I didn't go there, though, just logged in to the game normally, and my account hadn't been deactivated, so it looks like Blizzard just screwed up (the image filenames aren't keyed, either, so it doesn't look like they're trying some sort of underhanded address validation either).
Reply
#4
My suspicious mind makes me wonder, if it was a phishing scam, could they report to blizzard that their account had been stolen "see here's my old password"? Although they would fix that through the registered E mail I suppose. I think I'd contact them through your own channels about it just to be safe
Reply
#5
Blizzard is claiming to have sent mail with this text:
https://forums.worldofwarcraft.com/thread.h...=62318827&sid=1

Quote: Within the last 2 days, players may have been receiving an email from Blizzard titled: "Are you ready for the Burning Crusade?"

The letter is legitimate, and it's a reminder to inactive or trial account players who may have been looking to return to Azeroth with the Burning Crusade, that doing so in advance of the launch would offer more time to download and install patches, and any tech support or billing queries could be addressed prior to launch.

We're also looking into reports that subscribers who haven't cancelled their accounts are also getting the email. If this applies to you, please be aware that email addresses tied to trial accounts and multiple accounts where one account is inactive are also included in the mailing list.

For players for whom these parameters do not apply, we apologize for the confusion, and we are actively investigating the source of this incorrect distribution.

Although I'm pleased to discover it wasn't a phishing attack, I am disappointed in Blizzard. They should have smart internet-savvy people working there. If they're going to do something like this, they need to:
1. Not use big button-type links in emails. Doing so just helps followup phishing attacks appear legitimate.
2. Tell people to navigate via www.worldofwarcraft.com instead of directing them to the largely unmarked (and easily spoofed) account management page. Once again, the 'helpful' redirect just makes later phishing attacks appear legitimate.
3. Publicize the effort and note (for the nth time) that Blizzard will never ask for account or password information.
Reply
#6
Hi,

Quote:Within the last 2 days, players may have been receiving an email from Blizzard titled: "Are you ready for the Burning Crusade?"

The letter is legitimate, and it's a reminder to inactive or trial account players who may have been looking to return to Azeroth with the Burning Crusade, that doing so in advance of the launch would offer more time to download and install patches, and any tech support or billing queries could be addressed prior to launch.

Given the high volume of returning subscribers we expect when The Burning Crusade expansion goes live, if you are planning a return to Azeroth, we recommend reactivating your account as soon as possible in order to avoid the expected rush of launch-day activation.

I'm currently Inactive for 3 months and I did not receive this email. :(

I am ready for The Burning Crusade. I was going to take advantage of the 30 days Free sub that comes with the expansion...however I would like to have ALL patches in place...I thought that the game would be shipped with all the Patches :)



Happy New Year :wub:
________________
Have a Great Quest,
Jim...aka King Jim

He can do more for Others, Who has done most with Himself.
Reply
#7
Quote:Hi,
I'm currently Inactive for 3 months and I did not receive this email. :(

I am ready for The Burning Crusade. I was going to take advantage of the 30 days Free sub that comes with the expansion...however I would like to have ALL patches in place...I thought that the game would be shipped with all the Patches :)
Happy New Year :wub:
Actually, nothing to stop you download the patches all ready. Just fire up WoW then quit the program without logging in, Blizzard's background Downloader should then kick in and start downloading what you need.

... And then you can quit Background Downloader, open up your WoW directory, look for a .torrent file in the \cache folder and dropping that into a decent Torrent client that'll allow you to download the patches at a much faster rate than the 10kbs cap the BD enforces:)

But as far as patching is considered, you can do that without even logging into your account.
When in mortal danger,
When beset by doubt,
Run in little circles,
Wave your arms and shout.

BattleTag: Schrau#2386
Reply
#8
Hi.

I signed up & DL everything needed, Thanks :D

I remember so little about the Game after 3 months of inactive duty, I guess the best way to go will be to start a new Hunter character & die alot, or play with my lv 15 Drawf Hunter for a bit till I get my reflexes back. :o
________________
Have a Great Quest,
Jim...aka King Jim

He can do more for Others, Who has done most with Himself.
Reply
#9
I got one. WTF? I'm good till next July!
[Image: Sabra%20gold%20copy.jpg]

I blame Tal.

Sabramage Authenticated!
Reply
#10
Quote:I got one. WTF? I'm good till next July!
But from something you told me, I know why. ;)
Reply
#11
(01-05-2007, 12:29 PM)Monkey Wrote: So I wake up this morning to find a helpful email from Blizzard, reminding me to renew my account before The Burning Crusade. "That's odd," I think, "My account is active right now. Well, I'd better just check..."
in my early morning stupor, I clicked the link, entered my account information, and realized that this is the model for a textbook phishing attack (in that order). I immediately changed my password and scrutinized the headers of the email and it looks legitimate to my untrained eyes.

Hi,

I seldom click on email links even if they look safe, I go direct to the web site and check the email info.

My WOW account got hacked Angry I was not subscribed when this happened my last dated paid Feb 28 2011, so I got hacked between Feb 28th & May 10th when I tried to log on and couldn't.

I lost all aprox 40,000 gold...but this is the kicker the hacker played my account for at least 2 months, and changed my Professions from leather/skinning [max] to Herbs & Minning he used my lv 78 hunter to Gather. Huh

Blizzard after a week said they could do nothing for me "Live with it" Angry

For the past month I've had increased email phishing for my WOW account. I sent them ALL to Hack@blizzard.com

Quote:Greetings,

Thank you for contacting the World of Warcraft Game Master Department.

Your petition has been forwarded to our character specialists for further investigation and troubleshooting. Please keep in mind that, due to the nature and complexity of these types of petitions, it may take several days for us to contact you with the conclusion of our investigation. We apologize for the delay and thank you for your patience and understanding in this time.

Please remember that the security of the account you are using is crucial. we recommend following the http://us.battle.net/security/checklist on our Account Security site at http://us.battle.net/security/

Also note that restoration of any kind is not guaranteed. While we make every effort to verify your loss there are times where restoration is not possible. We sincerely apologize for any inconvenience you may have been caused.

For further information please check our Restoration Policy located at (http://us.blizzard.com/support/article.x...leId=20457)

Again, your time is greatly appreciated.



Regards,
Game Master Hahnric
Customer Services
Blizzard Entertainment
www.blizzard.com/support

-----Original Message-----
From: jimhorvath8@cox.net jim horvath
To: wowgm@blizzard.com
Sent: 5/14/2011 8:09:25 PM
Subject: HACKED

Hi,

My account was Hacked after 02/28/2011 on Malygos

Nankor's Profession was changed he did Leather & Skinning Max Can this be corrected???

I am missing all my Gold about 40,000g

I'm missing 1 character Nankipoo Horde

The Hacker's character Monsodas has been deleted by Blizzard.

Please advise if my Malygos account be rolled back to the last day I played.

Reagrds, Jim Horvath

Quote:SAMPLE PHISH:

Greetings!

It has come to our attention that you are trying to sell your personal World of Warcraft account(s).
As you may not be aware of, this conflicts with the EULA and Terms of Agreement.
If this proves to be true, your account can and will be disabled.
It will be ongoing for further investigation by Blizzard Entertainment's employees.
If you wish to not get your account suspended you should immediately verify your account ownership.

You can confirm that you are the original owner of the account to this secure website with:
https://xxxxx/login/en/login.xml [xxxxx in place of battle.net]

Login to your account, In accordance following template to verify your account.

* E-mail Address
* E-mail password
* Secret Question and Answer
Show * Please enter the correct information

If you ignore this mail your a ccount can and will be closed permanently.

Once we verify your account, we will reply to your e-mail informing you that we have dropped the investigation.

Regards,

Account Administration Team
Blizzard Entertainment
World of Warcraft , Blizzard Entertainment 2011
________________
Have a Great Quest,
Jim...aka King Jim

He can do more for Others, Who has done most with Himself.
Reply
#12
Try contacting a game master in-game instead of sending e-mails. I have heard of much better service through the in-game petition system than out-of-game e-mails.
Earthen Ring-EU:
Taelas -- 60 Human Protection Warrior; Shaleen -- 52 Human Retribution Paladin; Raethal -- 51 Worgen Guardian Druid; Szar -- 50 Human Fire Mage; Caethan -- 60 Human Blood Death Knight; Danee -- 41 Human Outlaw Rogue; Ainsleigh -- 52 Dark Iron Dwarf Fury Warrior; Mihena -- 44 Void Elf Affliction Warlock; Chiyan -- 41 Pandaren Brewmaster Monk; Threkk -- 40 Orc Fury Warrior; Alliera -- 41 Night Elf Havoc Demon Hunter;
Darkmoon Faire-EU:
Sieon -- 45 Blood Elf Retribution Paladin; Kuaryo -- 51 Pandaren Brewmaster Monk
Reply
#13
(05-19-2011, 07:06 PM)Taelas Wrote: Try contacting a game master in-game instead of sending e-mails. I have heard of much better service through the in-game petition system than out-of-game e-mails.

Hi,

I did try the ingame GM 3 times they said there is nothing they can do.

I'm still waiting for this to be resolved. This is my 4th & last GM who contacted me by email. It seems since I deleted all my characters it got their attention.

The hack happened in March & April 2011 not a year ago!
Quote:Subject: Blizzard Entertainment - World of Warcraft
Sent: Wednesday, May 18, 2011 11:50 AM

Hello Jim,

This is Specialist Game Master Aylendia, I have been looking into the matter of your account compromise.

I have reviewed your account and found that it does appear to have been compromised some time ago. I see that you have deleted your characters within the past few days as well, with the intent not to play anymore. If you would like for me to restore the characters I would be happy to do so.

While this occurred to long ago for me to be able to recover the losses, I could also look into setting your characters up with a gold compensation package to help you get started playing again.

I have sent this reply from my personal email, so if you would like for me to look into restoring your character's in any way please respond directly to this email, and I will look into the matter personally.

I look forward to hearing from you and do hope you have a good rest of the day aside from these issues.


Aylendia
Game Master
Blizzard Entertainment
www.worldofwarcraft.com
________________
Have a Great Quest,
Jim...aka King Jim

He can do more for Others, Who has done most with Himself.
Reply


Forum Jump:


Users browsing this thread: 7 Guest(s)