Tag Archive | World of Warcraft

Battle.net Account Verification Email Spam Continues, More Users Compromised

More spam is lighting up for Battle.net account users, Diablo, and World of Warcraft members. The latest spam update is below, where once again, the spammers are using a fake email account (diablo@email.com) as the sender, and stating that you are trying to sell your Battle.net account and need to verify it so it will not be suspended.

However, the link it gives looks real, however, it is fake.

Greetings!   It has come to our attention that you are trying to sell your personal World of Warcraft account(s). As you may not be aware of, this conflicts with the EULA and Terms of Agreement. If this proves to be true, your account can and will be disabled. It will be ongoing for further investigation by Blizzard Entertainment's employees. If you wish to not get your account suspended you should immediately verify your account ownership.   You can confirm that you are the original owner of the account to this secure website with:   hxxps://www.battle.net/account/support/password-verify.html  If you ignore this mail your account can and will be closed permanently. Once we verify your account, we will reply to your e-mail informing you that we have dropped the investigation.   Regards,   Account Administration Team World of Warcraft , Blizzard Entertainment 2012

Here are the technical details:

Return-path (email address the email actually came from): ab[at]vlrpc.com

IP address: 112.65.228.185 belonging to an unknown/private user (WHOIS states the IP master’s name: yanling ruanof) China Unicom, a telecommunications company governed by The People’s Republic of China. They seem to either ignore abuse reports, or do not know much about their users’ activities. We know a private user sent this spam, because the message header clearly states the application used to send the email: Microsoft Outlook Express 6.00.2900.5512.

Known blacklisting: Spamhaus.org (listed as “Illegal 3rd party exploits, including proxies, worms and trojan exploits”), abuseat.org, barracudacentral.org, uceprotect.net

Now, it’s believed that the recent spam outbreak (like the one above, for example) is a result of the latest Blizzard lawsuit. However, spam like this has happened before (also look in the comments for a user who posted about Diablo 3 spam).

The only thing to best protect against spam is having an anti-spam program. Please visit the vendor below for more information.

Caretaker Antispam download link

Blizzard & WoW Spam Returns with IP Warnings

The latest Blizzard spam returns with some IP warnings involved:

Click to Enlarge

Here is the full text (links removed):

Dear customer,
This is an automated notification sent from our account security system. You logined your account successfully at 4:27  on July 11th form the 125.87.108.* range, but our system shows the 125.10.151.* IP range exists a large number of hackers. As too many customer complaints, the 125.98.104.* IP range has been blacklisted.
We are concerned about whether your account has been stolen. In order to guarantee the legitimacy of your account, visit click:
hxxps://www.battle.net/account/support/password-verify.html
website fill out some information to facilitate our investigation.
Account security is solely the responsibility of the accountholder. Please be advised that in the event of a compromised account, Blizzard representatives will typically lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.
Sincerely,
Blizzard account system
Blizzard Entertainment
As you can see, I changed the HTTPS to HXXPS, so the link doesn’t resolve (did it below, too). Anyway, that password verify link actually points to this address once clicked (please do not visit): hxxp://eu.battle.net.login.security.inspection.worldofwarcraft.xml.zh-ted.in/login.html?app=wam&ref=hxxps://www.worldofwarcraft.com/account/&eor=0&app=bam/
This is obviously a phishing attempt to try to get World of Warcraft logon information. With the email, it makes false claims and grammatical errors. The false claims are to attempt to persuade you into believing it is the real Blizzard Entertainment.
However, here is what to look for in a fake Blizzard email, that Blizzard would never ask for in the first place:
  • Any displaying of an IP address is immediate red flag. Blizzard would never post an IP address to an email.
  • Displaying of any password in an email, unless it is a confirmation email sent from Blizzard IMMEDIATELY after you register.
  • Displaying of birthdates, server locations, etc. would not be a commonality in Blizzard emails.

If you receive an email that seems to reveal information that should not be revealed, delete it! It is probably spam. After all, if Blizzard really wants to get through to you, they would ask you to contact customer service…not verify your password online.

The sender of the email had an IP address of 220.67.90.23 – which can be blacklisted.

Seeing that it isn’t on most blacklists (thanks to WhatIsMyIPAddress.com:

Control spam now with SurfRight Antispam, makers of HitMan Pro secondary opinion malware scanner.

%d bloggers like this: