Blizzard & WoW Spam Returns with IP Warnings

The latest Blizzard spam returns with some IP warnings involved:

Here is the full text (links removed):

Dear customer,
This is an automated notification sent from our account security system. You logined your account successfully at 4:27  on July 11th form the 125.87.108.* range, but our system shows the 125.10.151.* IP range exists a large number of hackers. As too many customer complaints, the 125.98.104.* IP range has been blacklisted.
We are concerned about whether your account has been stolen. In order to guarantee the legitimacy of your account, visit click:
hxxps://www.battle.net/account/support/password-verify.html
website fill out some information to facilitate our investigation.
Account security is solely the responsibility of the accountholder. Please be advised that in the event of a compromised account, Blizzard representatives will typically lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.
Sincerely,
Blizzard account system
Blizzard Entertainment
As you can see, I changed the HTTPS to HXXPS, so the link doesn’t resolve (did it below, too). Anyway, that password verify link actually points to this address once clicked (please do not visit): hxxp://eu.battle.net.login.security.inspection.worldofwarcraft.xml.zh-ted.in/login.html?app=wam&ref=hxxps://www.worldofwarcraft.com/account/&eor=0&app=bam/
This is obviously a phishing attempt to get World of Warcraft logon information. The email makes false claims and contains grammatical errors. The false claims are an attempt to persuade you that it comes from the real Blizzard Entertainment.
Here is what to look for in a fake Blizzard email, things that Blizzard would never ask for in the first place:
  • Any display of an IP address is an immediate red flag. Blizzard would never put an IP address in an email.
  • Display of any password in an email, unless it is a confirmation email sent from Blizzard IMMEDIATELY after you register.
  • Display of birthdates, server locations, etc. would not be common in Blizzard emails.

If you receive an email that seems to reveal information that should not be revealed, delete it! It is probably spam. After all, if Blizzard really wants to get through to you, they would ask you to contact customer service…not verify your password online.
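
The mismatch described above, a visible battle.net link whose real target is a different host, can be checked mechanically. The following is an added example, not code from the original post; the TRUSTED set, the function names and the second (benign) sample link are assumptions made for illustration, and the sample target's query string is shortened.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"battle.net"}  # assumption: the only domain accepted for login links
# Constructed sample: first anchor pairs the visible link and real target from the post (defanged).
SAMPLE_HTML = (
    '<a href="hxxp://eu.battle.net.login.security.inspection.worldofwarcraft.xml.zh-ted.in/login.html?app=wam">'
    'hxxps://www.battle.net/account/support/password-verify.html</a> '
    '<a href="hxxps://eu.battle.net/support">hxxps://eu.battle.net/support</a>'
)

def host_of(url):
    """Hostname of a possibly defanged or scheme-less URL ('' if there is none)."""
    url = url.strip().replace("hxxp", "http", 1)
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()

def is_trusted(host):
    """True only for a trusted domain itself or a real subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

class LinkAudit(HTMLParser):
    """Collects (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text), self._href))
            self._href = None

def suspicious_links(html):
    """Links whose visible text names a trusted host but whose href goes elsewhere."""
    audit = LinkAudit()
    audit.feed(html)
    findings = []
    for text, href in audit.links:
        shown, target = host_of(text), host_of(href)
        if is_trusted(shown) and not is_trusted(target):
            embeds = any(d + "." in target for d in TRUSTED)  # brand used as a left-hand label
            findings.append({"shown": shown, "target": target, "embeds_brand": embeds})
    return findings
```

The suffix comparison in is_trusted is what matters here: the phishing host starts with eu.battle.net but its registered domain is the part at the right-hand end.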

The sender of the email had an IP address of 220.67.90.23 – which can be blacklisted.

Seeing that it isn’t on most blacklists (thanks to WhatIsMyIPAddress.com:

Control spam now with SurfRight Antispam, makers of HitMan Pro secondary opinion malware scanner.

About Jay Pfoutz

Marketer

3 responses to “Blizzard & WoW Spam Returns with IP Warnings”

  1. diablo 3 says :

    Wow, fantastic weblog layout! How long have you been blogging for?
    you made running a blog glance easy. The overall look of your site is
    magnificent, as smartly as the content material!

  2. Matt says :

    Here’s the header info for one of them.

    What REALLY makes this suspicious is that I don’t have a D3 account set up 😛 They’ve also been trying to hack my non-existent WoW account as well.

    Anyways, the IP the email is sent from originates in Korea, and the “bad” IPs are from Japan.

    x-store-info:4r51+eLowCe79NzwdU2kR3P+ctWZsO+J
    Authentication-Results: hotmail.com; sender-id=none (sender IP is 211.232.4.21) header.from=diablo@email.com; dkim=none header.d=email.com; x-hmca=none
    X-SID-PRA: diablo@email.com
    X-SID-Result: None
    X-DKIM-Result: None
    X-AUTH-Result: NONE
    X-Message-Status: n:n
    X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD02
    X-Message-Info: 11chDOWqoTmjqhOzvWWho/vK8oL2x1FIoEm0Tn+r3D4Vy8IHo2wUnqbL8AYf70xK7xQ/i0dq/DNmu22V01+rul1CP/Zvu8+Xf13SxFbtWx9rJBofxrv8hC0S4Of41nnimYZt806lvSM=
    Received: from email.com ([211.232.4.21]) by BAY0-MC1-F34.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
    Tue, 2 Oct 2012 05:27:54 -0700
    From: “Diablo III”
    Subject: Diablo III Account-IP-Notice
    To: My Address (sorry, I’m sanitizing this one) @hotmail.com
    Content-Type: text/html;charset=”GB2312″
    Content-Transfer-Encoding: 8bit
    Date: Tue, 2 Oct 2012 20:27:55 +0800
    X-Priority: 3
    X-Mailer: Foxmail 4.1 [cn]
    Return-Path: diablo@email.com
    Message-ID:
    X-OriginalArrivalTime: 02 Oct 2012 12:27:54.0703 (UTC) FILETIME=[58FD05F0:01CDA099]

    Dear customer,
     
    This is an automated notification sent from our account security system. You login your account successfully at 4:27  on October 1th form the 125.87.108.* range, but our system shows the 125.10.151.* IP range exists a large number of hackers. As too many customer complaints, the 125.98.104.* IP range has been blacklisted.
     
    We are concerned about whether your account has been stolen. In order to guarantee the legitimacy of your account, visit click: https://www.battle.net/account/support/password-verify.html (hidden link: worldofwarcraft.com/account/&eor=0&app=bam/)
     
    website fill out some information to facilitate our investigation.
     
    Account security is solely the responsibility of the accountholder. Please be advised that in the event of a compromised account, Blizzard representatives will typically lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.
     
    Sincerely,
    Blizzard account system
    Blizzard Entertainment
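
An added example, not part of the original post or of the comment above, that reads the headers quoted in that comment the way a mail filter might: it extracts the Authentication-Results verdicts, the connecting IP from the topmost Received line, and the From domain. The expected-domain list, the function names and the address in the sample From line (taken from header.from, since the comment shows From without its address) are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains a genuine notice would use in From.
EXPECTED_FROM_DOMAINS = {"battle.net", "blizzard.com"}

# Constructed sample built from header values quoted in the comment above.
SAMPLE_HEADERS = """\
Authentication-Results: hotmail.com; sender-id=none (sender IP is 211.232.4.21) header.from=diablo@email.com; dkim=none header.d=email.com; x-hmca=none
Received: from email.com ([211.232.4.21]) by BAY0-MC1-F34.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
 Tue, 2 Oct 2012 05:27:54 -0700
From: "Diablo III" <diablo@email.com>
Subject: Diablo III Account-IP-Notice
Date: Tue, 2 Oct 2012 20:27:55 +0800
Return-Path: diablo@email.com
"""

def parse_auth_results(value):
    """Map each method in an Authentication-Results header to its result."""
    results = {}
    for part in value.split(";")[1:]:  # part 0 is the receiving server's own id
        m = re.match(r"\s*([\w.-]+)=(\w+)", part)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results

def triage(raw, expected=EXPECTED_FROM_DOMAINS):
    """Summarise the header evidence and list reasons to distrust the message."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    # The topmost Received line is written by the recipient's own server,
    # so its bracketed IP is the one value here the sender cannot choose.
    received = msg.get_all("Received") or [""]
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reasons = []
    if "pass" not in auth.values():
        reasons.append("no authentication method passed")
    if not any(from_domain == d or from_domain.endswith("." + d) for d in expected):
        reasons.append("From domain %s is not an expected sender domain" % from_domain)
    return {"auth": auth, "relay_ip": ip.group(1) if ip else None,
            "from_domain": from_domain, "reasons": reasons}
```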
