McAfee Labs

And Yet Even More World of Warcraft Account Phishing

1
By on Oct 19, 2010

Today I received yet another World of Warcraft account phish. I have been getting these in an increased volume lately and have seen some fakes that are quite good. This one came to my hotmail account and looked very bland:

Bland but convincing enough. It essentially says that an account name change has been requested and would I kindly confirm the change by logging into the provided link:

Had I actually logged into this page my account details would have been stolen but how can a typical user know this? In truth they cannot (which is why your basic cybercriminal does it of course) unless they are using the right technologies to protect themselves and know what to look for. I did some digging and found VERY quickly that this site was not what it seemed. First of all the actual address is incorrect (BattleNet’s real address is battle.net) and it is marked Green by our SiteAdvisor technology:

Also the IP address itself has an established suspicious history:

Reputation technologies like this make up the cornerstone of our Global Threat Intelligence initiatives and help us proactively protect users in a number of ways and applications. When an address, website or sender has an established history of doing questionable things online it allows us to make some very concrete decisions and keep users away from potentially malicious sites and make better decisions. It is also a good idea for all World of Warcraft players to utilize Blizzard’s authentication features as well – add that login token for 2 factor authentication!!

Clearly gamers are still actively targeted online. As people tend to reuse usernames and passwords across multiple sites we can certainly expect this vector of attack to stay with us. Make sure you take the time to read emails closely. Use safe browsing technologies like SiteAdvisor and watch what you click. The identity data you protect will be you own.

One Comment on “And Yet Even More World of Warcraft Account Phishing

  • Erik Lund

    I have received quite a few of these too, lately. And though I have disabled phishing filters in the browser (they are simply slowing down the access too much in my experience) I do try manually to check out on suspicious links like those in that kind of mail. So why have you blottet out the link adresses on the screenshots above? Would have been nice to know what they were…

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>