Deconstructing a nasty Chinese World of Warcraft phishing scheme

I've seen a lot of phishing attempts and this smelled just like phish.
Written by David Gewirtz, Senior Contributing Editor

Phishing is the art of attempting to extract personal information from a victim through the art of misdirection and misrepresentation. The victim thinks he's on a Web site or getting an email from a trusted party, when he's actually accessing a cleverly constructed simulacrum of the original site.

Today, I got a nasty phishing email from what purported to be Blizzard, makers of World of Warcraft. I've been an avid WoW player on and off since its original beta in 2005. I've had my account on hold for the last six months or so, because I've been so very busy.

Even though I've been on Horde hiatus, when I got an email offer from "Blizzard Entertainment [Newsletter@email.blizzard.com]" with the subject "World of Warcraft Mount: Winged Guardian", I was curious. I like flying mounts.

But when I opened the email, I noticed that the image at the top of the message was missing. It had a nice graphic celebrating Blizzard's 20 year anniversary, and even more interesting, it had text implying that if I filled out a survey, I'd get the mount.

Like I said, I like in-game mounts. But as a cyber-security adviser, I've seen a lot of phishing attempts and this smelled just like phish. First, the top image was missing. Second, although it was relatively well written, there were a few missing words and a few extra line breaks.

I decided to take a few simple steps to see what I could find out. These are steps you can take as well whenever you're suspicious. First, I right clicked on the message and chose Message Options in Outlook. This is how you get the message header in Outlook. Other clients will show you the header in other ways.

I looked through the header and -- on the surface -- it all looked good:

Received: from email.blizzard.com ([]) by
exprod7mx233.postini.com ([]) with SMTP;
Postini (one of the layers in my anti-spam protection stack) received the message from a domain it thought was email.blizzard.com and passed it on to my inbox. But where, exactly, is One of the fastest ways to find the owner of an IP address (about 60% of the time) is running a tracert. As it turns out, resolves to syscom18.info. Now, that doesn't seem like Blizzard!

I did a quick Google search on syscom18.info and found references to "Indonezia" and Romania, and a lot of non-English text:

It's becoming clear this message was extremely unlikely to have originated from Blizzard.

Then I decided to look inside the source of the email message. From Outlook, I went up to Other Actions on the ribbon, and selected View Source. Your email client will likely give you another way to view the source.

Once I had the source open in an editor, I did a search on HREF. The key to phishing is to get you to click on a link, so HREF will show you the domains to look for. Here, I found a reference to the domain account-log1n.net. Notice how, even here, they're trying to make the domain seem real with the battle.net subdomains and even the naming of account-log1n seeming like "account-login":

A quick GoDaddy Whois search turned up registry information for an account located in Liaoning, a province in the northeast of China:

Final thoughts

I've regularly talked about the risks we face with China. We know that China operates the Great Firewall of China, and so I have a very hard time believing that these phishing activities take place without at least some approval of the Chinese government.

This infuriates me and is one of the reasons I've put so much time and effort into advising our government leaders and national security professionals about the risks of cyberattack, cyberwarfare, and cyberterrorism.

The Internet is a wonderful thing, but there are nasty actors out there. Hopefully, I've shown you a few simple ways you can deconstruct suspicious phishing attacks.

It's a shame that we have to be as paranoid as we do, but as my recent conversation with Dr. Jon Warner of Argonne National Labs reinforced, just because you're paranoid doesn't mean they're not out to get you.

See also: The scary truth about voting machine hacking risk (exclusive video)

To make matters worse, about four hours later, I got an email that I verified to actually be from Blizzard saying, "David -- Return to World of Warcraft With 14 Days of Game Time". Sigh.

As the late, great Sergeant Phil Esterhaus used to say, "Hey, let's be careful out there."

See also:

Ah, well, that's it for today. So long, and thanks for all the phish. Share your phish stories in the TalkBacks below.

Editorial standards