Friday, December 11, 2009

Latest phishing scam

The latest phishing scam is an email titled "Battle.net Account – Password Change Notice" telling you that your password has been changed and if you did not make the change then you should visit the blizzard FAQ at a URL of:

http://www.worldofwarcrarrft.net/

Spot the scam? I hope so (emphasis added).

This is a traditional WoW phishing scam.

Thursday, October 1, 2009

New phishing scam

You receive an in-game whisper promising a new mount by visiting:

http://www.blizzus-wow.com/

This is a scam phishing site designed to steal your account information. In fact, it appears to be the very same set of pages that are discussed in my previous blog about how to identify WoW phishing sites.

Wednesday, September 16, 2009

The Anatomy of a WoW Phishing Site

Password stealing via a bogus phishing site is a common tactic for those wanting to break into your WoW account. Let's explore the workings of an illegal WoW phishing site and give you some tips on how to spot such fakes. Note that the phishing site discussed here is no longer online.

The Bait

You receive an in-game whisper or mail telling you that you are eligible to trial an all-new mount. All you have to do to claim this mount is to register on an "official" site and the mount will be sent to your account. The message contains the URL of a site to visit - in this case it is "http://www.blizzard-forums.com". Eagerly, you race off to claim your special mount.

The Hook

You enter the URL to your browser and you get the following site:



You enter your account name and password, hit submit and are taken through to the following page:



They now ask for your email address and want to confirm your account's secret question and answer. You enter the required information and hit submit. You finish on the following success screen:



Application Successful! You just need to wait for your mount to arrive in your in-game mail - but it never does. However, the next time you log in to the game you find that all of your characters have been stripped of their worldly possessions, you have no gold and your guild's bank has been raided.

You have been the unfortunate victim of a phishing attack!

Where did I go wrong?

How could you have prevented falling for such a trick?

Phishing is a form of social engineering - a tactic used by the bad guys to lure in unsuspecting victims to steal personal information - in this case your account login details.

The first part of this attack was to offer something that was highly desirable - in this case the promise of a new, special, in-game mount. Other attacks use the promise of special access to beta-test new expansion content, or tell you your account has been locked as a result of a hack and you need to follow certain steps to unlock it. It can come as an in-game whisper, an in-game mail or a regular email.

Rule#1: Be highly suspicious of anything that is offered for free, or of any email that claims your account has been compromised.

Next, you were given the URL of something that turned out to be a phishing site. But how can you tell if it is official or not?

The two sites, one bogus and one legitimate:



Spot the difference? No?

It is extremely difficult to spot the difference. It is very easy for an attacker to copy the images, layout and text of the legitimate site - and do it perfectly.

However, there are key things to look for in the URLs. The official Blizzard site is a secured SSL site, with the URL prefixed with "https://". The site is also part of the battle.net domain (in this case us.battle.net):



The bogus phishing site has no SSL, no "https://" and is not part of the battle.net, worldofwarcraft.com or blizzard.com domains:



In fact, looking up the blizzard-forums.com domain ownership, it was found to be owned by an individual in Shanghai, China.

The real irony is that the official Blizzard warning is still shown on the bogus phishing site:



Rule#2: Do not type your game account username/password into any web site other than worldofwarcraft.com (wow-europe.com), blizzard.com and battle.net.

Rule#3: Check for a secured "https:" session on such sites when entering your username/password - while not a 100% guarantee of legitimacy, phishing sites generally don't bother with digital certificates and https.

Some other things that could tip a user off with this example were:

1. Nothing happened if you clicked on any of the language options on the first page - the bad guys were a bit lazy and could not be bothered writing the multi-language support for the site. They were obviously only targeting the English-speaking community.

2. Many of the links on the subsequent pages were incomplete and broken.

3. Entering a dummy username and password still allowed you to progress to the subsequent "success" pages - there was obviously no way to check the username/password combination.

4. There was extremely poor grammar on many of the subsequent pages.

Final words

A word of warning regarding the URL - I recently saw a similar phishing attack that cleverly used the URL of "www.promotion-battle.net". At a glance it looks like a battle.net domain but it is not. The domain is promotion-battle.net and this domain is definitely not an official website.

Rule#4: Just because the letters battle.net or worldofwarcraft.com or blizzard.com appear somewhere in the URL does not make it an official site.

Official login sites should have the format:

https://[prefix].battle.net/...
or
https://[prefix].worldofwarcraft.com/...
or
https://[prefix].wow-europe.com/...
or
https://[prefix].blizzard.com/...

Where [prefix] can be 'www' or 'US' or 'EU' or similar.
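Rules 3 and 4 above amount to a mechanical check: the scheme must be https and the hostname must be one of the four official domains or a subdomain of one, judged on a dot boundary rather than by substring. The following checker is an added example (not code from the original post) that applies exactly that test to the look-alike domains named in these posts; the "evil.example" and "battle.net.example" entries are constructed placeholders.

```python
from typing import Tuple
from urllib.parse import urlsplit

# The only domains the post says a game password should ever be typed into.
OFFICIAL_DOMAINS = ("battle.net", "worldofwarcraft.com", "wow-europe.com", "blizzard.com")


def host_in_domain(host: str, domain: str) -> bool:
    """True only when host IS domain or a subdomain of it (dot-boundary check).

    A plain substring test would accept 'promotion-battle.net', which is the
    exact trap Rule#4 warns about, so the boundary is what matters here.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_login_url(url: str) -> Tuple[bool, str]:
    """Apply Rule#3 (https) and Rule#4 (official domain) to a URL.

    Returns (is_official, reason). Only the hostname is inspected: the path
    and query are ignored, so 'battle.net' appearing later in the URL is no help.
    """
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if not host:
        return False, "no hostname could be parsed"
    if parts.scheme.lower() != "https":
        return False, "not https (scheme is %r)" % (parts.scheme or "missing")
    for domain in OFFICIAL_DOMAINS:
        if host_in_domain(host, domain):
            return True, "host %s is inside %s" % (host, domain)
    return False, "host %s is not part of any official domain" % host


# Constructed sample set: the look-alikes from these posts plus official forms.
SAMPLE_URLS = [
    "https://us.battle.net/login/",
    "https://www.worldofwarcraft.com/account/",
    "http://www.blizzard-forums.com/",
    "http://www.blizzus-wow.com/",
    "http://www.promotion-battle.net/",
    "http://www.worldofwarcrarrft.net/",
    "http://evil.example/battle.net/login",
    "https://battle.net.example/login",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        ok, why = check_login_url(u)
        print("%s %s  (%s)" % ("OK  " if ok else "SCAM", u, why))
```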

We have covered the main things to watch out for with regards to bogus phishing sites. There are other, more advanced phishing techniques including DNS hijacking and cross-site scripting that are beyond the scope of this article but are worthy reading topics for those that wish to know more.

If you ever have any doubt about a site that asks for your game username/password then contact http://blizzard.com - manually type the URL and don't follow links from the suspect site - and ask them if the suspect site is real.

Grab yourself a Blizzard authenticator (or phone application) and add another layer of protection to these kinds of attacks - if the bad guys get hold of your username and password then it is of little use to them without your hardware authenticator.

10 steps to better WoW account security

Sunday, July 19, 2009

Protecting Your WoW Account: Ten Easy Steps

You invest a lot of time leveling your characters so don't leave yourself exposed to the disappointment and frustration of account compromise.

Let's explore the common hacking methods of the bad guys and introduce some simple and easy steps on how to help prevent character loss and down time.

How do WoW accounts get hacked?

The keylogger

Keyloggers or keystroke loggers are covert pieces of software that sit in memory, logging your keystrokes when you enter the game or when you enter the Blizzard account or forum web sites. The keylogger then sends this information out to the bad guys. Many people wrongly believe that keyloggers only look for your password when you enter the game, but more commonly than not, they intercept it when you enter the Blizzard forums or account pages on the official web site.

Keyloggers are often included in the functionality of malware called "Trojans". Trojans are pieces of software that are designed to look like legitimate software but have backdoors for malicious functions.

Reputable antivirus software will detect keyloggers as soon as they attempt to install themselves and will often identify them as trojans. There are plenty of good, free antivirus products out there, but you sometimes get what you pay for. In fact, there are many scam products out there that appear to be antivirus products but are actually keyloggers themselves. I recommend sticking with the major commercial antivirus vendors such as Symantec, McAfee, Trend Micro, Sophos, AVG and Kaspersky. If you think you might have a keylogger then most of these vendors have a free online scan that you can use to check your system - in fact, it is best to try a couple of these free scans to be sure.

Also note that some newly developed keyloggers may not be detected by antivirus software so don't rely on it 100%.

But how did you get the keylogger in the first place? There are several ways that you can pick one of these up:
  1. You opened an email attachment that launched this software on your machine.
  2. You downloaded and launched the software thinking it was something else. For example, you may have been browsing a web site that prompted you to download a "codec" to watch a video. You excitedly clicked on the download and then the "run" button, only to find that the video still did not play. In the background, you just installed a keylogger.
  3. Your browser or some browser application such as Flash was not patched for a certain vulnerability and you browsed a page that automatically launched and installed the keylogger.
  4. You downloaded what you thought was an addon, that strangely asked you to run some installation package.
The common theme here is that to install a keylogger you generally have to be tricked into running some form of installation process.

Don't think you are perfectly safe if you have a Mac either. While the Microsoft operating systems have traditionally been the target of most malware, Macs are becoming increasingly popular targets for malware writers.

The Blizzard authentication token is a great way to protect against a keylogger. The authenticator provides two-factor authentication. Two-factor authentication is far more effective since it requires two pieces of information from two different sources - in this case, something that you know (your regular account password) and something that you have (the authenticator-generated password). The added security comes from the fact that the authenticator changes its password every 60 seconds - so even if the keylogger captures the authenticator password, it is only valid for a very short time.

If you have an iPhone then you can pick up the free Blizzard Battlenet Authenticator application from the iStore.
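To show why a captured authenticator code is of so little use, here is an added example (not the post's code, and not Blizzard's actual authenticator algorithm) of a generic time-based one-time code in the style of RFC 4226/6238, using the 60-second step the post describes: a code logged during one step is rejected as soon as the next step begins. The secret and capture time are constructed for the demo.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the post says the authenticator changes its code every 60 seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time code (RFC 4226 construction, SHA-1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """Time-based code: the HOTP counter is the number of whole steps since the epoch."""
    return hotp(secret, now // step)


def verify(secret: bytes, code: str, now: int, step: int = STEP_SECONDS) -> bool:
    """Server side: accept only the code for the current step (no drift window)."""
    return hmac.compare_digest(totp(secret, now, step), code)


# Constructed demo secret; a real token's seed is never typed by the user.
SECRET = b"constructed-demo-secret-not-real"


def replay_attempts(secret: bytes, captured_at: int):
    """Simulate a keylogger capturing the code at captured_at.

    Returns (accepted_immediately, accepted_one_step_later): the replayed code
    works only while the same 60-second step is still current.
    """
    code = totp(secret, captured_at)
    return verify(secret, code, captured_at), verify(secret, code, captured_at + STEP_SECONDS)


if __name__ == "__main__":
    print(replay_attempts(SECRET, 960))  # (True, False)
```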

The phishing site

Phishing is the process of using deceptive methods to acquire sensitive information, in this case your game account details.

For example, you saw a notice in trade chat or received a whisper saying that you have won a spectral tiger mount in a competition. All you have to do is visit a web site and type in a special redemption code. You go to the site, it looks legitimate, you enter the code and it then asks you for your account name and password so that the tiger mount can be mailed to your character. STOP! This is a phishing site with one aim - to get you to type in your username and password so they can log in to your game account.

A similar ploy is the email that reads "Official email from Blizzard. Your account has been suspended. Click here to confirm your details and unlock your account". Again, you click on the link in the email and it looks like a legitimate Blizzard site... but it is nothing but a scam.

It often takes a trained eye to spot a fake web site. Be extra cautious when any site asks you for your account details. I know of only three sites that should ever require your game password - worldofwarcraft.com, blizzard.com and battle.net. If the URL is anything other than these then it is highly likely to be a phishing site that you are visiting.

Again, the Blizzard authenticator provides great protection here since phished authenticator passwords are only valid for a very, very short time.

The insider

You have shared your account password with a friend or a leveling service. You never changed your password and now your friend is no longer a friend or the leveling service had other intentions. The solution here is - don't share your username/password with anyone. Choose a password that can't be easily guessed by your friends and enemies.

The fan site

Be sure to use a different login/password combination when you subscribe to any Blizzard fan sites. There are hundreds of fan sites and not all are reputable. Even reputable fan sites with username/password databases are a gold mine for successful hackers.

The Ten Steps - Don't become a statistic

Here are ten simple steps you can take to reduce the chance of your account being compromised:
  1. Don't share your game password with anyone and pick a password that is not easily guessed
  2. Don't use the same password for subscribing to fan sites
  3. Keep your operating system, browser and other software fully patched - start with Windows Update
  4. Run a reputable antivirus product, preferably a full internet security suite with a firewall and keystroke encryption
  5. Don't click on email attachments, especially when you don't know the sender
  6. Don't download and run executable files from random web pages
  7. Don't enter your game password into any web site other than the official game sites
  8. Don't enter your game password into a legitimate Blizzard web site from a PC that may be compromised
  9. Be very suspicious if an addon requires some form of install package to be run
  10. Invest in a Blizzard authenticator or install the Battlenet Authenticator application on your iPhone
Remember, security is never 100% guaranteed and there will always be opportunities for your account to be compromised. I have touched on the more common methods in this post. The important message here is to make it as difficult as possible for the bad guys. Out of all the advice, the hardware authenticator is one of the simplest, least expensive and most effective steps you can take to avoid becoming a hack statistic. Pick one up from the Blizzard store today.

Update: You can also purchase this as an application for many mobile phones at mobile.blizzard.com.