Deconstructing a nasty Chinese World of Warcraft phishing scheme

Summary: I've seen a lot of phishing attempts and this smelled just like phish.

Phishing is the attempt to extract personal information from a victim through misdirection and misrepresentation. The victim thinks he's on a Web site or getting an email from a trusted party, when he's actually accessing a cleverly constructed simulacrum of the original site.

Today, I got a nasty phishing email from what purported to be Blizzard, makers of World of Warcraft. I've been an avid WoW player on and off since its original beta in 2005. I've had my account on hold for the last six months or so, because I've been so very busy.

Even though I've been on Horde hiatus, when I got an email offer from "Blizzard Entertainment [Newsletter@email.blizzard.com]" with the subject "World of Warcraft Mount: Winged Guardian", I was curious. I like flying mounts.

But when I opened the email, I noticed that the image at the top of the message was missing. It had a nice graphic celebrating Blizzard's 20-year anniversary, and, even more interesting, it had text implying that if I filled out a survey, I'd get the mount.

Like I said, I like in-game mounts. But as a cyber-security adviser, I've seen a lot of phishing attempts and this smelled just like phish. First, the top image was missing. Second, although it was relatively well written, there were a few missing words and a few extra line breaks.

I decided to take a few simple steps to see what I could find out. These are steps you can take as well whenever you're suspicious. First, I right-clicked on the message and chose Message Options in Outlook. This is how you get the message header in Outlook. Other clients will show you the header in other ways.

I looked through the header and -- on the surface -- it all looked good:

Received: from email.blizzard.com ([81.12.212.190]) by
exprod7mx233.postini.com ([64.18.6.14]) with SMTP;
Postini (one of the layers in my anti-spam protection stack) received the message from a host that announced itself as email.blizzard.com and passed it on to my inbox. The name in a Received: line is whatever the sending server claimed in its HELO greeting; the address in brackets, 81.12.212.190, is the IP Postini actually saw the connection come from. So where, exactly, is 81.12.212.190? One of the fastest ways to find the owner of an IP address (about 60% of the time) is running a tracert, which also does a reverse DNS lookup on each hop. As it turns out, 81.12.212.190 resolves to syscom18.info. Now, that doesn't seem like Blizzard!
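The same header check carried out in code rather than by eye. This is an added example, not something from the article, Outlook or Postini: it parses the Received: chain of a constructed message modelled on the quoted fragment, picks the hop recorded by our own mail layer, and compares the name the sender announced with the reverse DNS of the IP that was actually seen. The Postini host names and IPs are the ones the article quotes; the inner MTA name mail.example.invalid, the dates, the From/Subject lines, the TRUSTED_RECEIVERS list and all function names are assumptions. The reverse lookup consults an embedded table that reproduces the article's tracert result so the script runs offline, and only falls back to live DNS for addresses it does not know.

```python
"""Pull the sending IP out of a message's Received: chain and compare the
name the sender announced with what that IP resolves to in reverse DNS.

Added example. The message below is constructed: the Postini line mirrors
the fragment quoted in the article; the inner MTA name, dates, From and
Subject are filled in for illustration."""
import email
import re
import socket

RAW_MESSAGE = """\
Received: from exprod7mx233.postini.com ([64.18.6.14]) by mail.example.invalid
 with ESMTP; Thu, 9 Jun 2011 10:02:11 -0700
Received: from email.blizzard.com ([81.12.212.190]) by
 exprod7mx233.postini.com ([64.18.6.14]) with SMTP; Thu, 9 Jun 2011 10:02:09 -0700
From: "Blizzard Entertainment" <Newsletter@email.blizzard.com>
Subject: World of Warcraft Mount: Winged Guardian
Content-Type: text/plain

Fill out a survey and get a mount.
"""

# Receivers whose Received: lines we trust because we operate them (assumed).
TRUSTED_RECEIVERS = ("postini.com", "mail.example.invalid")

# "from <helo> (<optional rdns> [<ip>]) by <receiver>": the bracketed IP is what
# the receiving MTA observed; <helo> is whatever the sending server claimed.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Constructed reverse-DNS table so the example runs offline; the entry for
# 81.12.212.190 is the result the article obtained with tracert.
OFFLINE_PTR = {
    "81.12.212.190": "syscom18.info",
    "64.18.6.14": "exprod7mx233.postini.com",
}


def parse_hops(raw):
    """Return (helo, ip, receiver) for each Received: header, newest first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        match = HOP_RE.search(" ".join(value.split()))  # unfold the header
        if match:
            hops.append((match["helo"], match["ip"], match["by"]))
    return hops


def entry_hop(hops, trusted=TRUSTED_RECEIVERS):
    """Earliest hop written by one of our own servers: where the message entered
    infrastructure we control. Received: lines below it came from the sender
    and may be forged, so they are ignored."""
    ours = [h for h in hops if h[2].lower().endswith(trusted)]
    return ours[-1] if ours else None


def reverse_dns(ip, table=OFFLINE_PTR):
    """PTR lookup: the constructed table first, live DNS for anything else."""
    if ip in table:
        return table[ip]
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def registrable(name):
    """Last two labels as a rough stand-in for the registered domain (fine for
    .com/.net/.info; production code should consult the Public Suffix List)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def assess(raw):
    """Describe the entry hop and whether its HELO name is backed by reverse DNS."""
    hop = entry_hop(parse_hops(raw))
    if hop is None:
        return {"verdict": "no Received: line from a trusted receiver"}
    helo, ip, _receiver = hop
    ptr = reverse_dns(ip)
    consistent = ptr is not None and registrable(ptr) == registrable(helo)
    return {
        "claimed": helo,
        "ip": ip,
        "reverse_dns": ptr,
        "verdict": "consistent" if consistent else "HELO name not backed by reverse DNS",
    }


if __name__ == "__main__":
    for key, value in assess(RAW_MESSAGE).items():
        print(f"{key:12} {value}")
```

The important design point is which Received: line to believe. Every hop appends its own line on top, so the lines at the bottom of the chain were written by the sender's own servers and can say anything; only the line written by a server you operate (here, the Postini layer) records an IP you can rely on.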

I did a quick Google search on syscom18.info and found references to "Indonezia" and Romania, and a lot of non-English text:

It's becoming clear this message was extremely unlikely to have originated from Blizzard.

Then I decided to look inside the source of the email message. From Outlook, I went up to Other Actions on the ribbon, and selected View Source. Your email client will likely give you another way to view the source.

Once I had the source open in an editor, I searched for HREF. The whole point of a phishing message is to get you to click a link, so the HREF attributes show you which domains the message really points at. Here, I found a reference to the domain account-log1n.net. Notice how, even here, they're trying to make the domain look real: battle.net appears as subdomain labels in front of the actual domain, and account-log1n is spelled with a digit 1 so that it reads like "account-login":
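The HREF review above can be automated against the message body. This is an added example, not the article's own tooling: it pulls every link out of a constructed HTML snippet and flags targets whose registered domain is not on an allow-list, whose registered domain only matches a real brand after digit-for-letter substitution, whose host merely embeds the brand as subdomain labels, or whose visible text names a different domain than the href. The exact phishing host name, the allow-list of battle.net and blizzard.com, and all function names are assumptions; account-log1n.net comes from the article and b1izzard.com from the comments.

```python
"""Pull every HREF out of a message body and flag link targets that only
look like the brand they imitate.

Added example, not the article's own tooling. The HTML is constructed to
match the article's description: battle.net appears as subdomain labels in
front of the real domain account-log1n.net (the exact host name is invented);
the allow-listed domains and the b1izzard.com lookalike come from the article
and its comments."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the message is entitled to point at (assumed allow-list).
LEGIT_DOMAINS = {"battle.net", "blizzard.com"}

# Digits commonly substituted for visually similar letters.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

SAMPLE_HTML = """
<p>Complete the short survey below to claim your Winged Guardian mount.</p>
<a href="http://us.battle.net.account-log1n.net/wow/survey">https://us.battle.net/account/</a>
<a href="http://email.blizzard.com/unsubscribe">Unsubscribe</a>
<a href="http://b1izzard.com/login">Log in</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def host_of(text):
    """Host part of a URL; bare domains without a scheme are accepted too."""
    url = text if "://" in text else "http://" + text
    return (urlsplit(url).hostname or "").lower()


def registrable(host):
    """Last two labels as the registered domain (adequate for .com/.net/.info;
    use the Public Suffix List for anything serious)."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def looks_like_url(text):
    return "." in text and " " not in text


def check_link(href, text, legit=LEGIT_DOMAINS):
    """Return a list of reasons this link is suspicious (empty if none)."""
    host = host_of(href)
    reg = registrable(host)
    findings = []
    if reg not in legit:
        normalized = reg.translate(CONFUSABLES)
        embedded = sorted(d for d in legit if d in host)
        if normalized in legit:
            findings.append(f"{reg}: digit-for-letter lookalike of {normalized}")
        if embedded:
            findings.append(f"{reg}: {embedded[0]} appears only as a subdomain label")
        if normalized not in legit and not embedded:
            findings.append(f"{reg}: not an allow-listed domain")
    # The visible text shows one domain while the href goes somewhere else.
    if looks_like_url(text) and registrable(host_of(text)) != reg:
        findings.append(f"link text shows {registrable(host_of(text))}, href goes to {reg}")
    return findings


def audit(html):
    """Map each suspicious href to its findings; clean links are omitted."""
    report = {}
    for href, text in extract_links(html):
        findings = check_link(href, text)
        if findings:
            report[href] = findings
    return report


if __name__ == "__main__":
    for href, findings in audit(SAMPLE_HTML).items():
        print(href)
        for finding in findings:
            print("   ", finding)
```

The check that matters most is the one on the registered domain: everything to the left of account-log1n.net is under the attacker's control, so battle.net appearing there proves nothing. The visible-text comparison catches the other common trick, a link whose anchor text is a legitimate URL while the href goes elsewhere.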

A quick GoDaddy Whois search turned up registry information for an account located in Liaoning, a province in the northeast of China:

Final thoughts

I've regularly talked about the risks we face with China. We know that China operates the Great Firewall of China, and so I have a very hard time believing that these phishing activities take place without at least some approval of the Chinese government.

This infuriates me and is one of the reasons I've put so much time and effort into advising our government leaders and national security professionals about the risks of cyberattack, cyberwarfare, and cyberterrorism.

The Internet is a wonderful thing, but there are nasty actors out there. Hopefully, I've shown you a few simple ways you can deconstruct suspicious phishing attacks.

It's a shame that we have to be as paranoid as we do, but as my recent conversation with Dr. Jon Warner of Argonne National Labs reinforced, just because you're paranoid doesn't mean they're not out to get you.

To make matters worse, about four hours later, I got an email that I verified to actually be from Blizzard saying, "David -- Return to World of Warcraft With 14 Days of Game Time". Sigh.

As the late, great Sergeant Phil Esterhaus used to say, "Hey, let's be careful out there."

Ah, well, that's it for today. So long, and thanks for all the phish. Share your phish stories in the TalkBacks below.

About

David Gewirtz, Distinguished Lecturer at CBS Interactive, is an author, U.S. policy advisor, and computer scientist. He is featured in the History Channel special The President's Book of Secrets and is a member of the National Press Club.

Talkback

26 comments
  • RE: Deconstructing a nasty Chinese World of Warcraft phishing scheme

    I have gotten these so many times. Done exactly as you have and even sent email back in Chinese to the source email, which is usually from Hotmail accounts and IPs originating in China.
    Nate_K
    • RE: Deconstructing a nasty Chinese World of Warcraft phishing scheme

      @Nate_K - Love it! I do the same thing, then forward it to my brother who works for the FBI in their white collar crime unit something or other.
      ItsTheBottomLine
    • RE: Deconstructing a nasty Chinese World of Warcraft phishing scheme

      @Nate_K I had my account inactive for a couple years and got an email telling me my password was reset and asking me to click on something if I didn't originate the reset request. It looked and sounded very convincing. Revealing the actual link destination showed something just like this. A long, period-separated link that sounded like Blizzard but obviously wasn't.

      I'm guessing if they manage to trick someone they sell all their items and gold on an auction site.
      Admin71
  • RE: Deconstructing a nasty Chinese World of Warcraft phishing scheme

    Oh and thank god for the battle.net authenticators...
    Nate_K
  • RE: Deconstructing a nasty Chinese World of Warcraft phishing scheme

    I had my Rift account hacked about a week ago. Funny because I had done nothing with the game in months. I have since canceled my subscription since I don't play anymore and I am eagerly awaiting SW:TOR.
    Bates_
  • RE: Deconstructing a nasty Chinese World of Warcraft phishing scheme

    Awesome post, and one everyone should read if they're worried about having their WoW account hacked! I wrote about my own experience on my blog Life of Warcraft, albeit more simplified as I'm not as technically minded! I'd love it if you could have a look and tell me what you think: http://lifeofwarcraft.wordpress.com/2011/06/09/warcraft-spam-emails-identify-avoid-deal/

    Thanks!
    L00ty
  • Excellent article Dave

    It made the save and print file.

    p.s.

    I prefer Sony's Everquest II. But they have about the same amount of malicious attacks as Blizzard's WoW.
    Dr_Zinj
  • RE: Deconstructing a nasty Chinese World of Warcraft phishing scheme

    David.... do you think you were specifically targeted by this particular phishing attempt - because of your job, or do you believe that this was part of a large net and you received the email by random? If you think you were "special" (smile) and targeted specifically, then an interesting follow up post for you would be a discussion of what kind of things we know about you and your family just by reading your public blogs.

    Imagine someone from a foreign intelligence agency was tasked to read everything you have ever written available on the internet. What kind of campaigns could be mounted against you specifically? Scary stuff...
    snberk341
    • RE: Deconstructing a nasty Chinese World of Warcraft phishing scheme

      @snberk341 No, this was random. It's possible my email was on a list of WoW players the attacker got from some source, but it was clearly broadly targeted.

      I have gotten directed attacks, but those aren't appropriate to discuss in a public venue. I work closely with LE and three-letter personnel in those (thankfully few) cases, and they never end well for the initiator.
      David Gewirtz
      • A success and righteous conduct by a 3 letter???

        @David Gewirtz Seems to me that those agencies would be anxious to have you advertise, err, explain the good things they've done with our tax payer's money.
        Dr_Zinj
      • RE: Deconstructing a nasty Chinese World of Warcraft phishing scheme

        @David Gewirtz No, it was random as in no list. I do not play WoW at all and got this email.
        smashandgrab
      • RE: Deconstructing a nasty Chinese World of Warcraft phishing scheme

        @David Gewirtz
        Chill with the China paranoia... do you really think the Chinese government is stealing your WarCraft ID?? It's the internet, and scammers are everywhere; protect yourself, and stop spreading ignorance. Just stop it!!!
        drayphly
        • Chill with the China paranoia? Wake up!

          I play World of Warcraft fairly regularly, and I, too, have gotten both email and in-game mail phishing attempts. I trace them back as far as I can, and almost all of the attempts traced to China. In addition, the "gold spammers" almost exclusively trace back to China.

          Outside the game, I get PayPal and eBay scams, which, after tracing, have shown domain names from--you guessed it--China.

          I occasionally go through my junk mail filtered folders and check out what is being sent--remember the Nigerian scam letters of ten years ago? Apparently, they were successful enough that there are new letters coming out and traceable to .cn domains.

          The above incidents may number in the hundreds over the past 5 years. I haven't kept count, but it's been a lot.

          Here is a clear-cut example from last year's scam list:

          "Your WoW account is violation. Please click link to verify your account information.
          www.wow-accounts.violations.battle.net.cn" But China doesn't want WoW IDs LOL.

          Must be all coincidence...
          Iman Oldgeek
    • RE: Deconstructing a nasty Chinese World of Warcraft phishing scheme

      @snberk341 It had to be random... I got the exact same email "offer" 3 times in a 1 week period. I never used to get phishing emails pertaining to my Blizz account, but ever since they decided to move us to battle.net, I get about a dozen varying phishing emails in my junk box a week, most of which are of the "we see activity that your account is being tampered with" and "we have evidence you are trying to sell your account" blah blah blah.
      waterhzrd
    • RE: Deconstructing a nasty Chinese World of Warcraft phishing scheme

      @snberk341

      "David.... do you think you were specifically targeted by this particular phishing attempt - because of your job, or do you believe that this was part of a large net and you received the email by random?"

      I agree with David - it was very likely a broad attack. I dug through my spam and found the same message.
      CobraA1
  • RE: Deconstructing a nasty Chinese World of Warcraft phishing scheme

    This sort of phishing goes on for a lot of video games. I've gotten phishes from Liaoning and South Korea.

    Back in the Fidonet Days, you could just block Zone 6 and be done with this sort of crap. ;-)
    huygens1962
  • RE: Deconstructing a nasty Chinese World of Warcraft phishing scheme

    I'm surprised this is the first you got. I get from about 3 to 10 or more A DAY that are phishing scams just for WoW (that's only on my junk email account... something I think everyone should do if they sign up for stuff online etc.).

    For me, the solution is simple, I don't play WoW and don't have an account. Except for a couple recently, they all have been showing up in junk, so I just empty junk.

    For the ones that recently showed up in my inbox, I reported them as phishing. The particular address you showed has been used for this scam for quite a while... like in years. I'm honestly surprised the address hasn't been killed by now. another one that is commonly used is b1izzard.com and other variations where they replace an i or l with a 1 OR misspell one word of the address.

    I don't use Outpost, but with my webmail I always have show source on so I can see where emails are really coming from. When I used to use Thunderbird, I used its extended header to read where an email originated from as well.

    Online tools like http://ip-lookup.net are a bit quicker and easier for looking up IP info.
    Drakaran
  • RE: Deconstructing a nasty Chinese World of Warcraft phishing scheme

    Excellent article. As usual, well written.
    I do have an issue with, "I've regularly talked about the risks we face with China. We know that China operates the Great Firewall of China, and so I have a very hard time believing that these phishing activities take place without at least some approval of the Chinese government."

    Ummmmm... no. It's easy for a regular Chinese citizen to create something like this. Any "kid" at a netbar can create something like this. Doesn't have to be "approved" by the govt. Having lived and worked there for several years, it's restrictive, but not as restrictive as you're making it out to be.
    dwcfastrice
  • RE: Deconstructing a nasty Chinese World of Warcraft phishing scheme

    I got that exact same email and immediately knew it was fake for one reason. It was sent to an email address which is not the one currently associated with my WoW account. It was to the one that used to be associated before the account got hacked two years ago. I sometimes get them sent to addresses that have never been associated with WoW and how they got those I have no idea. I have always inspected the headers with Outlook Express on XP and now with Windows Live Mail and with what is my main email program on Win 7, Windows Mail. Yes, it is possible to get the Windows Mail program that replaced Outlook Express in Vista working in Win 7. It's actually included in Win 7 but deactivated. You have to edit the registry and paste in a .dll from a Vista version of the program but after doing that, it works perfectly.
    dch48
  • RE: Deconstructing a nasty Chinese World of Warcraft phishing scheme

    Good article, but since you are on a Windows machine, why did you do trace route (tracert) instead of "nslookup" on the IP? Your stack is still running a gethostbyip call.
    puterami@...