Just found another WOW (World of Warcraft) phish e-mail in my junk folder today that I had failed to see before. Oh, what do you know, they can supposedly detect my account logging in from another range to spam BUT don't have my real name, e-mail or other details at hand to address me personally and correctly according to the information recorded on my account at Blizzard. That makes the phish easy to identify based on the poor quality of the content and the lack of any real info which, I must add, Blizzard do use when they contact their customers.

Greetings,

This is an automated notification sent from our account security system. You logined your account successfully at 6:38 on June 13th form the 203.44.180.* IP range. According to the report of many players, we found that the account published spam information in the game which harassed other users seriously. This action has violated the EULA.

As too many customers’ complaints, the IP range above has been blacklisted. We are concerned about whether your account has been stolen. In order to guarantee the legitimacy of your account, we need you check your account status here as soon as possible. If you have any questions, please visit hxxp,//us,battle,net.

Account security is solely the responsibility of the accountholder. Please be advised that in the event of a compromised account, Blizzard representatives will typically lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.
<garbage letters were here>
Regards,
<garbage letters were here>
Blizzard Account System
Blizzard Entertainment

As previously posted the sender is nothing more than a fake.

X-Originating-IP: [222.69.168.174]
X-Originating-Email: [kyle.vincent@hotmail.com]

As before, details have been recorded with hphosts and WOT. Delete any e-mail you receive of this nature. DO NOT open or respond to it or your account will be hijacked. If in doubt, use the actual battle net account management link from within your game login screen to check your account status or contact Blizzard directly.


In the last few days IOBit has once again popped up in the forums and blogs regarding new allegations of theft. I would have thought they had learnt their lesson over the data theft issue with MalwareBytes’ but obviously not. This time TuneUp Utilities are in the firing line: a few people have noticed the similarities between IOBit's new software called ‘IOBit Toolbox’ and ‘TuneUp Utilities’, which appear to be virtually exact copies.

Let's look at screenshots of these programs:

As you can see, there is an uncanny likeness in design and functionality between them. This leaves me to wonder, based on the previous scandal between MalwareBytes’ and IObit, whether the similarities go deeper to include internal code.

This issue was pointed out by roger m on Wilders Security Forums, has been covered at Calendar of Updates (COU), and has drawn responses within the IOBit Forum where they try to defend the product:

Originally posted by roger_m:
I am posting here to point out that the design and functionality of a number of the tools within IObit Toolbox is copied from TuneUp Utilities

If you look at the below link you will see:
http://www.wilderssecurity.com/showthread.php?p=1706627

I don’t agree what you said. There are always many utilities tools in our product, when we released Advanced SystemCare Version 2 in 2006, they were there.

Copy the design and functionality? We do learn some good user-friendly design from other product, but they learn from us as well. Look at GlaryUtilites, they learned our “1- Click Maintenance”, “Auto Care”, “Auto Sweep” feature from us, and TuneUp learn our design as well.
Well, according to your logic, Symantec has anti virus, anti spyware and internet protection features in their product, so other company cannot have the same feature in their product, right? And all the functionality is copied from Symantec?

Second, we just want to make some good and free product to our user, so they don’t need to pay 49$ for the same functionality tools, are we doing something wrong?

__________________
IObit Development Team

‘We do learn some good user design from other products’, as Tim Xue puts it, is all well and good providing it is not a replica of another product showing different names. Isn’t that what rogue security authors do in order to deceive users into a false sense of security? Other program designers may learn from you BUT they implemented this in their own way and did not release a virtually exact copy, or anything close, of your software without your consent. Lastly, and this tickled me, was the reference to Symantec and AntiVirus programs. Tim Xue appears to be trying to use the same argument IObit had with MalwareBytes’ regarding the use of data, which failed miserably. He obviously fails to realise that this is not about denying anyone the right to design, produce and market a tool to help clean user systems; it is about copying and marketing another person's product, changed to show you as the brains behind the idea, which earns you money at the loss of the other party.

Another excuse from Tim Xue – Administration at IOBit which is laughable was:

Originally posted by roger_m:
solbjerg, I am posting here since the other thread in which I was posting was closed for absolutely no good reason.

If you do decide to ban me, just bear in mind that I will be contacting IObit directly, and will not let this matter rest until it has been dealt with by IObit, no matter how long it takes – I will not let IObit or any mods here hide the truth…

Hello, Roger. Solbjerg is our volunteer and forum manager, what he does is not hide the truth, he is a user who likes our product, and he has different opinion about what you posted, that’s all.

As the private message I sent to you, no one here wants to hide the truth. I found some word in the program is similar or same with TuneUP’s tools, and I double checked it with our staffs. The truth is that some developers are not familiar with English, so they just used some word and sentence from Tuneup, and our project manager didn’t notice that. That’s the truth, people from non-English speaking country could not speak local English. That’s the mistake we have, and we will try to fix it. It’s also my fault that I didn’t check it carefully as it’s just the first Beta version. We spend too many time and effect on the coding, implementing all the function and feature, but we didn’t notice the issue of the word in the program.

As I said, we can have our developers modify the word and sentence in our program within one hour, but we have spent over 5 months to coding all the programs. That’s the point. I hope you can understand the mistake we did in the first beta version of our product, and look at the harding working we did mostly.

Thanks.

__________________
IObit Development Team

Hmmm, these developers etc., who are very skilled with computers, have a poor command of the English language yet lack the initiative to use an online language translator! Indeed these may not be highly accurate but they do bridge the language barrier. Ignorance is no excuse from a developed company or its management staff. Again, they are passing the blame onto others to cover up for their poor development and management skills. IOBit says they do not wish to hide the truth but at no time have they (in either case) openly admitted any wrongdoing! Perhaps, under Chinese law, there is no case to answer BUT the world has different ethics and standards to which IOBit will be held accountable and judged; after all, China is regarded as the home of fake/replica goods production and sale.

Donna COU (Calendar of Updates) rounds this off nicely with:

Such developers of software stealing or ripping other software is not to use or support at all.


Whilst going through registrations in the last 48 hours on one of the forums I moderate (which uses the vBulletin software), to remove any spam and malicious links, I quickly noticed a new trend to evade the anti-spam and human measures that are in place to combat them. This new method has obviously found an exploit within the forum software to do its signature-spam dirty deeds, which means that the many admins who just ban the accounts and work from the information given for the profile in the mod tools will have no effect on it. Let's follow the path I took to discover this:

On inspecting the user profile we see a signature link has been incorporated. This one (removed) directed you to typical pharmacy spam.

OK, there are now grounds to take further action: remove the links, ban the spammer and add their details to an anti-spam database. I therefore opened the mod tools function and went straight to editing the profile signature, but this was blank. There was no hidden code in it whatsoever!

Hmmm, let's just ban him and see what happens. Exactly what I suspected: the spam link was still live and being accessed through SEO’s. The only way I have so far found to combat this, other than disallowing anyone from using signatures, which would be unfair to legitimate users, is to overwrite the non-existent signature in the mod tools and place something like ‘removed’ there.

Now this adds to the workload somewhat but is not an impossible task. Gone are the days where we could rely on the VB mod tools to quickly check for spammers. Both measures will have to be employed: viewing forum profiles within the forum itself and also utilising the mod tools to go a bit deeper.

So, in essence, this poses a deeper threat to forums, as many spammer accounts can sit idle for weeks or even months before they get re-activated and insert their links, many of which will be totally malicious. Anyone that is a moderator or has admin status on forums should:

  1. Utilise spam checking tools to check IP, username and e-mail on new registrants to the forum. I use Spambot Search Tool.
  2. Remove any information and links they feel to be spam or malware from posts and user profiles.
  3. Record any confirmed spammer at StopForumSpam. You will need to register and obtain an API key to do so.
  4. Once the above has been completed you can delete the user profile. This saves having a massive database where most will hit and run, never to be seen again.
  5. Consider employing forum protection measures such as: fspamlist, VB Stopforumspam and (my personal favourite) ZB Block.

In the meantime, you are now aware of this latest tactic of theirs plus have sufficient info to thwart their attacks. Keep up the fight and don’t give ground. :)


Some very interesting articles have come to light over the past few months which clearly show cybercrime is rapidly growing in all areas of the internet, threatening not only the general surfer but high profile companies, government organisations, the police and lately even the stock market. This is due to the ease with which vast sums of money can be earned, where the chances of being caught are far lower than with traditional robberies from days gone by. Much of this is conducted by highly organised gangs where the financial gains are immense. However, many of the tools these gangs use are being released into the open market for anyone to use, and inexperienced script kiddies are adding to the issue, as they require no programming skills or real hacking knowledge but are able to do severe damage to those targeted. This leaves the internet in a very vulnerable position. Governments and other prominent organisations are starting to wake up and take positive action to combat the threats, although it will take time before we see any real changes, and it will inevitably lead to many users having to change their way of thinking or accept certain measures which may conflict with their personal beliefs.

Let's quickly cover some of the recent issues:

Internet Explorer 6 – Companies and users were strongly advised to upgrade to IE8 or move to another browser. French Government advice and German Government advice.

Hacked sites, domains and companies – These included The US Treasury, Google, Yahoo, Hotmail, GoDaddy and WordPress sites plus many others, which not only meant personal data being obtained but also increased the hosts for malware and other scams.

Phishing and spam – This is so diverse that money can be illegally gained from just about every source. 3.7 billion phishing emails were sent in the last 12 months, including in the gaming sector, where 44 million stolen gaming credentials were uncovered; a single gang is believed to be behind two thirds of phishing attempts, relying on money mules to help launder the cash.

Malware – Hiding as fake security software, Trojans, toolbars, etc., it is spread about on so many different sites that it is becoming harder to avoid. It mostly installs without your knowledge or fools you into installing it by giving fake digital certificate credentials, employing scareware tactics to goad the user into buying the product, or acting as ransomware which locks your PC totally, requiring you to visit the malware site and pay money to unlock your system. There are many others I could mention but you can look here to see Rogue Software threats recently found.

So, what is the answer?

Well, a few governments are beginning to react by implementing or reviewing differing legislation aimed at ISPs and users. The reasoning behind this is the difficulty in prosecuting offenders outside of that country's jurisdiction. Such measures include: The Digital Economy Bill approved by House of Commons, Make Zombie Code mandatory: Govt Report, Australian ISPs to cut off unsafe users, UK telecom giant Virgin Media monitoring customers’ file sharing, Brits accused of illegal file-sharing forking out £500, plus actions by China and Russia to restrict the flow of spam and easily obtained DNS for malware hosting.

Is this a surprise, considering the Scareware plague continues despite $163,175,539.95 bust, where Bots for Sale! makes it easy for anyone to conduct crime on the Internet, as a High-living hacker swaps Porsche for porridge, found out due to downloading and writing his own scripts? Add illegal downloading to the problem and malware is spread with ease.

Campaign groups and some users opposed to many new proposals or implemented laws.

With anything, there will always be those that oppose change. No one likes invasion of privacy by governments, organisations or software, and many believe in keeping the Internet a place for all to conduct their habits unhindered and without monitoring, which leaves a very big hole for others to exploit, as is currently being seen and is on the increase. Naturally any measures have to be regulated, as there have been concerns over illicit data gathering being employed; however, this should not be the sole excuse for dismissal of laws.

Times change, technology becomes more advanced and the Internet is fast outgrowing current measures to protect users from crime. Something needs to be done and, like it or not, there will be an up/down side to it. Just like driving a car, people should be responsible for their actions on the Internet, especially when it affects other people. It’s the irresponsibility while using a PC, lack of knowledge or simply the pure desire to commit harm or fraud that needs addressing. The Internet is simply too easy to connect to and use without any prior knowledge, training or skills.

How will this affect us and what other options are there?

If you are not participating in any wrong doings and have taken every precaution to ensure your system, your Internet connection and personal data is safe by using good security, then you have nothing to fear.

Perhaps we may yet see some form of PC and Internet test where users have to pass an exam to connect and use the service.

We may have to provide identity/contact information as proof when we wish to provide any online service in the future.

The National Curriculum could educate children more on the downside of so-called Internet fame through using illegal scanning, bot programs and hacking tools. Over the years I have often witnessed young teenagers look on hacking as 1337 (Leet), a way to get status which they can boast about to friends.

The variable DNS pool through which many of us connect to the Internet via our ISP is a good thing in one way, as we can surf and change our source IP easily. The downside is that users and machines have to be identified through other means when they are involved in illegal activity. Perhaps we may yet see the Internet address system expand to where each household has its own permanent static IP that is fixed. This would greatly enable tracing those that were involved in spam, malware and other malicious activities. Such IP addresses could look like this:

44.92.152.166.123.111.222  <Country>.<ISP>.<County/Zip code>.<Town/city>.<Street>.<Household>.<Body (gov, edu, company, home user)>

Who knows, time will tell, as the Internet develops and Governments, the Police and other authoritative bodies lock down the ability of malicious users to conduct crime here.


As much as you may want to be one of the first to try the next Cataclysm patch, don't be fooled into parting with your login details on a site pretending to be a part of Blizzard or their services, such as the one below:

world of warcraft: Cataclysm Beta Test Invitation!
Get those opt-ins ready for the World of Warcraft: Cataclysm closed beta! The sundering of Azeroth is nigh, and you don’t want to be left out in the cold of Northrend when you could be enjoying the sun-drenched beaches on the goblin isle of Kezan. To ensure you’re opted-in and eligible as a potential candidate, you’ll need a World of Warcraft license attached to your Battle.net account, have your current system specifications uploaded to the Battle.net Beta Profile Settings page, and have expressed interest through the franchise-specific check boxes.
Get the Installer – Log in to your Battle.net account : hxxp;//www,wow-authentication-blizzard,com/login/login.asp?ref=hxxps%3A%2F%2Fus,battle,net%2Faccount%2Fmanagement%2Fbeta-profile,xml&app=bam&rhtml=y&rhtml=true
Enjoy the game!
Blizzard Entertainment, Inc.

Selecting the message properties shows you the sender info:

Delivered-To: <Removed>@<Removed>.com
Received: by 10.150.144.18 with SMTP id <Removed>;
Sun, 20 Jun 2010 04:21:46 -0700 (PDT)
Received: by 10.204.81.222 with SMTP id <Removed>;
Sun, 20 Jun 2010 04:21:45 -0700 (PDT)
Return-Path: <domidandois@hotmail.com>
Received: from blu0-omc1-s18.blu0.hotmail.com (blu0-omc1-s18.blu0.hotmail.com [65.55.116.29])
by mx.google.com with ESMTP id h10si24199362bkb.9.2010.06.20.04.21.44;
Sun, 20 Jun 2010 04:21:45 -0700 (PDT)
Received-SPF: pass (google.com: domain of domidandois@hotmail.com designates 65.55.116.29 as permitted sender) client-ip=65.55.116.29;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of domidandois@hotmail.com designates 65.55.116.29 as permitted sender) smtp.mail=domidandois@hotmail.com
Received: from BLU0-SMTP69 ([65.55.116.9]) by blu0-omc1-s18.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Sun, 20 Jun 2010 04:21:44 -0700
X-Originating-IP: [59.175.201.2]
X-Originating-Email: [domidandois@hotmail.com]

Message-ID: <BLU0-SMTP<Removed>@phx.gbl>
Return-Path: domidandois@hotmail.com
Received: from bekzgj ([59.175.201.2]) by BLU0-SMTP69.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Sun, 20 Jun 2010 04:21:42 -0700
From: “WOWbetaUS@blizzard.com” <WOWbetaUS@blizzard.com>
To: <<Removed>@<Removed>.com>
Subject: Blizzard Entertainment Cataclysm Beta
Date: Sun, 20 Jun 2010 19:21:26 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=”—-=_NextPart_<Removed>”

As before, details have been recorded with hphosts and WOT. Delete any e-mail you receive of this nature. DO NOT open or respond to it or your account will be hijacked. If in doubt, use the actual battle net account management link from within your game login screen to check your account status or contact Blizzard directly.
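The header dumps in these posts can be triaged mechanically. The following is an added example, not part of the original post: it compares the visible From: domain with the Return-Path domain and reads the SPF verdict, showing that `spf=pass` only vouches for the envelope sender, not for the Blizzard address the reader sees. The sample messages are constructed with placeholder senders and documentation IP ranges, and the function names are hypothetical.

```python
import email
import re
from email.utils import parseaddr

# Constructed samples modelled on the two header layouts quoted in these posts.
# Sender, relay and IP values are placeholders (reserved example domains and
# documentation ranges); only the From: lines mirror the lures shown above.
VIA_WEBMAIL = """\
Return-Path: <randomuser@freemail.example>
Received-SPF: pass (mx.example.org: domain of randomuser@freemail.example designates 198.51.100.29 as permitted sender) client-ip=198.51.100.29;
X-Originating-IP: [203.0.113.2]
From: "WOWbetaUS@blizzard.com" <WOWbetaUS@blizzard.com>
Subject: Blizzard Entertainment Cataclysm Beta

body
"""

VIA_BULK_HOST = """\
Return-Path: <gibberish@bulk.example>
Received-SPF: neutral (mx.example.org: 198.51.100.35 is neither permitted nor denied by best guess record for domain of gibberish@bulk.example) client-ip=198.51.100.35;
From: "blizzard" <billing@blizzard.com>
Subject: World of Warcraft Mounts Application Trial

body
"""


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def aligned(a, b):
    """Same domain, or one is a subdomain of the other.

    Simplification: a real alignment check would use a public suffix list.
    """
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def triage(raw):
    """Summarise the sender evidence in one raw message."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg.get("From"))         # what the reader sees
    env_dom = domain_of(msg.get("Return-Path"))   # what SPF actually checked
    spf_words = (msg.get("Received-SPF") or "").split()
    spf = spf_words[0].lower() if spf_words else "none"
    ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", msg.get("X-Originating-IP") or "")

    findings = []
    if not aligned(from_dom, env_dom):
        findings.append("from-vs-return-path-mismatch")
        if spf == "pass":
            # The pass belongs to the envelope domain, not the From: domain.
            findings.append("spf-pass-for-other-domain")
    if spf != "pass":
        findings.append("spf-" + spf)
    return {
        "from_domain": from_dom,
        "envelope_domain": env_dom,
        "spf": spf,
        "origin_ip": ip.group(1) if ip else None,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, raw in (("webmail", VIA_WEBMAIL), ("bulk host", VIA_BULK_HOST)):
        print(name, triage(raw))
```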


Seems us.Batt1e dot com are at it again with yet a new phish based on an older one. Easy to spot and laugh at.

Greetings!
Our goal is to make the experience may be the most blizzard games, so we hope to get epic of your feedback for registered users of world of warcraft. We invite you to join an online survey in your feedback will help us to decide what will we focus on the next few months.
hxxp://us,batt1e-account [dot] com
If you are unable to successfully verify your password .
using the automated system, please contact Billing & Account Services at 1-800-59-BLIZZARD (1-800-592-5499) Mon-Fri, 8am-8pm Pacific Time or at billing@blizzard.com. Account security is solely the responsibility of the account holder. Please be advised that in the event of a compromised account, Blizzard representatives typically must lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.
Regards,

The World of Warcraft Support Team Blizzard Entertainment

Keep wasting your time, anyone with an ounce of sense will spot the phish with ease.

Delivered-To: <Removed>@<Removed>.com
Received: by 10.150.144.18 with SMTP<Removed>;
Fri, 18 Jun 2010 13:29:55 -0700 (PDT)
Received: by 10.151.28.13 with SMTP id f13mr1481902ybj.143.1276892994349;
Fri, 18 Jun 2010 13:29:54 -0700 (PDT)
Return-Path: <gnvsmvpr@kkmb.net>
Received: from kkmb.net ([222.172.99.35])

by mx.google.com with ESMTP id t4si24405005ybe.172.2010.06.18.13.29.51;
Fri, 18 Jun 2010 13:29:54 -0700 (PDT)
Received-SPF: neutral (google.com: 222.172.99.35 is neither permitted nor denied by best guess record for domain of gnvsmvpr@kkmb.net) client-ip=222.172.99.35;
Authentication-Results: mx.google.com; spf=neutral (google.com: 222.172.99.35 is neither permitted nor denied by best guess record for domain of gnvsmvpr@kkmb.net) smtp.mail=gnvsmvpr@kkmb.net
Received: from xufgfhxxs (unknown [107.40.111.129])
by kkmb with SMTP id XE50hUACvBRVNmz9.1
for <<Removed>@<Removed>.com>; Sat, 19 Jun 2010 04:50:48 +0800
Message-ID: <<Removed>@xufgfhxxs>
From: “blizzard” <billing@blizzard.com>
To: <<Removed>@<Removed>.com>
Subject: World of Warcraft Mounts Application Trial
Date: Sat, 19 Jun 2010 04:50:34 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=”—-=_NextPart_<Removed>”

As before, details have been recorded with hphosts and WOT. Delete any e-mail you receive of this nature. DO NOT open or respond to it or your account will be hijacked. If in doubt, use the actual battle net account management link from within your game login screen to check your account status or contact Blizzard directly.
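The links quoted in this post and the Cataclysm one can be checked the same way a filter would. The following is an added example, not part of the original post: it re-assembles the defanged links as written above and classifies the host against an allowlist. The allowlist (`battle.net`, `blizzard.com`), the brand tokens and the function names are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, unquote

TRUSTED = ("battle.net", "blizzard.com")            # assumed allowlist
BRAND_TOKENS = ("blizzard", "battle", "warcraft")   # assumed brand words
DIGIT_FOR_LETTER = str.maketrans({"1": "l", "0": "o"})


def refang(text):
    """Undo the defanging used in these posts (hxxp, ';//', ',', ' [dot] ')."""
    t = text.strip().replace(" [dot] ", ".")
    t = re.sub(r"hxxp(s?)[;:,]//", r"http\1://", t, flags=re.I)
    return t.replace(",", ".")


def is_trusted(host):
    # Exact match or a true subdomain; "x-blizzard.com" is NOT a subdomain.
    return any(host == d or host.endswith("." + d) for d in TRUSTED)


def classify(defanged):
    """Return the host of a defanged link and the reasons to distrust it."""
    parts = urlsplit(refang(defanged))
    host = (parts.hostname or "").lower()
    if is_trusted(host):
        return {"host": host, "flags": ["trusted-host"]}

    flags = []
    plain = host.translate(DIGIT_FOR_LETTER)
    if any(tok in host for tok in BRAND_TOKENS):
        flags.append("brand-name-in-untrusted-host")
    elif any(tok in plain for tok in BRAND_TOKENS):
        flags.append("digit-for-letter-lookalike")

    # A genuine URL carried as a parameter makes the link look official
    # without changing where it actually goes.
    embedded = re.findall(r"https?://([^/&\s]+)", refang(unquote(parts.query)))
    if any(is_trusted(h.lower()) for h in embedded):
        flags.append("trusted-url-only-in-query")
    return {"host": host, "flags": flags or ["unrelated"]}


# Links exactly as they are written (defanged) in the posts on this page.
BETA_LINK = ("hxxp;//www,wow-authentication-blizzard,com/login/login.asp"
             "?ref=hxxps%3A%2F%2Fus,battle,net%2Faccount%2Fmanagement"
             "%2Fbeta-profile,xml&app=bam&rhtml=y&rhtml=true")
SURVEY_LINK = "hxxp://us,batt1e-account [dot] com"
GENUINE_TEXT = "hxxp;//us,battle,net/account"

if __name__ == "__main__":
    for link in (BETA_LINK, SURVEY_LINK, GENUINE_TEXT):
        print(classify(link))
```

A trusted result for link text says nothing about the underlying href in an HTML mail, so the check belongs on the href.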

Those cretins are at it again with a new ploy to get people to fall for their scam.

Greetings! <the name consisted of a multitude of senseless characters>

This is an automated notification regarding the recent change(s) made to your World of Warcraft account. Your contact info has recently been modified through the Account Management website.

*** If you made this change, please disregard this notification. However, if you did NOT make changes to your account, we recommend you login verify your password: hxxp;//us,battle,net/account.

If you are unable to successfully verify your password, please contact Billing & Account Services.

Account security is solely the responsibility of the account holder. Please be advised that in the event of a compromised account, Blizzard representatives typically must lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.

Regards,

Account Support Team
Blizzard Entertainment

<Unreadable characters were on this line which I suspected was a username or message identifier>

Delivered-To: <Removed>@<Removed>.com
Received: by 10.150.144.18 with SMTP id r18cs143493ybd;
Fri, 18 Jun 2010 07:11:58 -0700 (PDT)
Received: by 10.87.42.2 with SMTP id u2mr1768309fgj.79.1276870317933;
Fri, 18 Jun 2010 07:11:57 -0700 (PDT)
Return-Path: <speed_demon_z28@hotmail.com>
Received: from blu0-omc1-s27.blu0.hotmail.com (blu0-omc1-s27.blu0.hotmail.com [65.55.116.38])
by mx.google.com with ESMTP id d8si2408129fga.1.2010.06.18.07.11.57;
Fri, 18 Jun 2010 07:11:57 -0700 (PDT)
Received-SPF: pass (google.com: domain of speed_demon_z28@hotmail.com designates 65.55.116.38 as permitted sender) client-ip=65.55.116.38;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of speed_demon_z28@hotmail.com designates 65.55.116.38 as permitted sender) smtp.mail=speed_demon_z28@hotmail.com
Received: from BLU0-SMTP20 ([65.55.116.9]) by blu0-omc1-s27.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 18 Jun 2010 07:11:56 -0700
X-Originating-IP: [114.85.38.216]
X-Originating-Email: [speed_demon_z28@hotmail.com]

Message-ID: <BLU0-SMTP207757BD3EF0FBB9180F10B5C00@phx.gbl>
Return-Path: speed_demon_z28@hotmail.com
Received: from hfujuety ([114.85.38.216]) by BLU0-SMTP20.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 18 Jun 2010 07:11:55 -0700
From: “Accountadmin@email.blizzard.com” <Accountadmin@email.blizzard.com>
To: <<Removed>@<Removed>.com>
Subject: Blizzard – New Account Info Notice
Date: Fri, 18 Jun 2010 22:11:16 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=”—-=_NextPart_000_0F52_removed”

As before, details have been recorded with hphosts and WOT. Delete any e-mail you receive of this nature. DO NOT open or respond to it or your account will be hijacked. If in doubt, use the actual battle net account management link from within your game login screen to check your account status or contact Blizzard directly.

Fake WOW authenticator reset e-mail.

On June 17, 2010, in Security, Spam, by Spudz

A new e-mail is doing the rounds to steal the account details from those using Blizzard's Authenticator.

Greetings! <the name consisted of a multitude of senseless characters>

This is an automated notification regarding your Battle.net account. You have reset your authenticator with this account. Resetting this authenticator will lock you out of any Battle.net account still associated with it.

If you made this change to your account, please disregard this automatic notification.

*** If you did NOT make any changes to your account, we recommend you go to the Account Management website(hxxp;//us,battle,net/account) and remove this authenticator from your Battle.net account, you can also find them here.

If you cannot sign into Account Management, or if unauthorized changes continue to happen, please contact Blizzard Billing & Account Services for advanced assistance.

Regards,

Account Support Team
Blizzard Entertainment
<Unreadable characters were on this line which I suspected was a username or message identifier>

Another Hotmail sender, well probably the same group that sends all these fake e-mails.

Delivered-To: xxxxxx@xxxxxxx.com
Received: by 10.150.144.18 with SMTP id r18cs54298ybd;
Wed, 16 Jun 2010 17:37:55 -0700 (PDT)
Received: by 10.223.30.10 with SMTP id s10mr263341fac.4.1276735074087;
Wed, 16 Jun 2010 17:37:54 -0700 (PDT)
Return-Path: <aymeric_hadl@hotmail.com>
Received: from blu0-omc1-s27.blu0.hotmail.com (blu0-omc1-s27.blu0.hotmail.com [65.55.116.38])
by mx.google.com with ESMTP id a24si6838102fak.149.2010.06.16.17.37.51;
Wed, 16 Jun 2010 17:37:54 -0700 (PDT)
Received-SPF: pass (google.com: domain of aymeric_hadl@hotmail.com designates 65.55.116.38 as permitted sender) client-ip=65.55.116.38;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of aymeric_hadl@hotmail.com designates 65.55.116.38 as permitted sender) smtp.mail=aymeric_hadl@hotmail.com
Received: from BLU0-SMTP43 ([65.55.116.7]) by blu0-omc1-s27.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Wed, 16 Jun 2010 17:37:51 -0700
X-Originating-IP: [222.69.162.218]
X-Originating-Email: [aymeric_hadl@hotmail.com]
Message-ID: <BLU0-SMTPxxxxxxxxxx@phx.gbl>
Return-Path: aymeric_hadl@hotmail.com
Received: from xllusw ([222.69.162.218]) by BLU0-SMTP43.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Wed, 16 Jun 2010 17:37:49 -0700
From: “Accountadmin@email.blizzard.com” <Accountadmin@email.blizzard.com>
To: <xxxxxxxxx@xxxxxxxxx.com>
Subject: Authenticator Reset Notification
Date: Thu, 17 Jun 2010 08:37:19 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=”—-=_NextPart_xxxxxxxxxxxxxxxxx”
X-Priority: 3
X-MSMail-Priority: Normal

As before, details have been recorded with hphosts and WOT. Delete any e-mail you receive of this nature. DO NOT open or respond to it or your account will be hijacked. If in doubt, use the actual battle net account management link from within your game login screen to check your account status or contact Blizzard directly.

Another e-mail phish arrived in my inbox today supposedly from Blizzard:

Greetings!
lease use the form below to confirm your account information, including your e-mail address and your and Secret Question Answer. Once the fields have been completed, press the “Update” button below.
*Note: Please ensure that your e-mail and Server:is currently accessible submit this form, as future regarding this account Trial mounts will be sent to the you account.
hxxp;//wow,batt1e-account [dot] com
If you are unable to successfully verify your password .
using the automated system, please contact Billing & Account Services at 1-800-59-BLIZZARD (1-800-592-5499) Mon-Fri, 8am-8pm Pacific Time or at billing@blizzard,com. Account security is solely the responsibility of the account holder. Please be advised that in the event of a compromised account, Blizzard representatives typically must lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.
Regards,

The World of Warcraft Support Team Blizzard Entertainment

As with previous fake sites, the sender is not related to Blizzard at all (didn’t expect them to be either):

Delivered-To: xxxxxxx@xxxxxx.com
Received: by 10.150.144.18 with SMTP id r18cs126871ybd;
Tue, 15 Jun 2010 04:43:23 -0700 (PDT)
Received: by 10.220.124.105 with SMTP id t41mr3940498vcr.6.1276602202626;
Tue, 15 Jun 2010 04:43:22 -0700 (PDT)
Return-Path: <ydnqiugme@taiyk.org>
Received: from taiyk.org ([222.170.31.45])
by mx.google.com with ESMTP id p1si4127746vcf.116.2010.06.15.04.43.19;
Tue, 15 Jun 2010 04:43:22 -0700 (PDT)
Received-SPF: neutral (google.com: 222.170.31.45 is neither permitted nor denied by best guess record for domain of ydnqiugme@taiyk.org) client-ip=222.170.31.45;
Authentication-Results: mx.google.com; spf=neutral (google.com: 222.170.31.45 is neither permitted nor denied by best guess record for domain of ydnqiugme@taiyk.org) smtp.mail=ydnqiugme@taiyk.org
Received: from nvgwmu (unknown [65.70.148.16])
by taiyk with SMTP id LcaSdcyKPQyZciVw.1
for <xxxxxxxx@xxxxxxx.com>; Tue, 15 Jun 2010 20:04:11 +0800
Message-ID: <xxxxxxxxx@nvgwmu>
From: “blizzard” <billing@blizzard.com>
To: <xxxxxxxx@xxxxxxx.com>
Subject: World of Warcraft Mounts Application Trial
Date: Tue, 15 Jun 2010 20:04:03 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=xxxxxxxxxxxxxxxxxxxxxxxx
X-Priority: 3
X-MSMail-Priority: Normal

Relevant data has been submitted to hphosts and also input on the WOT (Web of Trust) scorecards. If you receive this e-mail, DO NOT respond to it or visit the site links; delete the e-mail immediately.

One of the biggest indicators that an e-mail is NOT from Blizzard but requires you to activate account details, download patches or anything else, is when it is sent to an e-mail that your game account is not registered to.

world of warcraft: Cataclysm Beta Test Invitation!
Get those opt-ins ready for the World of Warcraft: Cataclysm closed beta! The sundering of Azeroth is nigh, and you don’t want to be left out in  the cold of Northrend when you could be enjoying the sun-drenched beaches on the goblin isle of Kezan. To ensure you’re opted-in and eligible as a  potential candidate, you’ll need a World of Warcraft license attached to your Battle.net account, have your current system specifications uploaded  to the Battle.net Beta Profile Settings page, and have expressed interest through the franchise-specific check boxes.
Get the Installer – Log in to your Battle.net account:
hxxp://blizzard.wow-login-support-blizzard.com/login/login.xml?ref=hxxps%3A%2F%2Fus.battle.net%2Faccount%2Fmanagement%2Fbeta-profile.xml&app=bam&rhtml=y&rhtml=true

** IMPORTANT ** To avoid graphical bugs and other technical issues, please ensure your video card drivers are up-to-date.
Enjoy the game!
©2010 Blizzard Entertainment, Inc.

and this one too

Greetings!

Recently, the problem of account invasion is getting worse and worse which cause enormous players’equipments and virtual currency stolen. This severely damages the benefits of mass players, also causes our company lose a lot of customers.

Our company has to adopt some measures to safeguard our common benefits in order to strengthen the safety of mass players’accounts, and firmly resist the account to be stolen again.Through our company’s research and investigation to xxx customers,we will make the following decisions: we launch a package of updated code strengthen system and dynamic code protection card which can effectively prevent the accounts invaded. We will send this package of code protection system to players free of charge.

Please open this connection:  hxxp://www.worldofwarcraft.com/secure

If your account passes the check successfully, we will send this package of dynamic code protection card to you in the form of e-mail.

In 3 days after you receiving the e-mail, if you don’t submit your information, we have right to freeze your account, every player is obligated to protect the safety of the account. You must work together with us to be determined to crack down all the behaviors of destroying games.

If you had already authenticator your account, please disregard this automatic notification.

Regards,

The World of Warcraft Support Team
Blizzard Entertainment
hxxp://www.blizzard.com/support/wowindex/

Looks quite authentic but simply not good enough. The message senders were Hotmail addresses in both cases. Naturally Blizzard DO NOT use Hotmail to send anyone e-mails, plus they personalise the mails with your name etc. Anyone receiving these e-mails should immediately delete them, as following the links will get your account hacked.

I am sure there will be many more of these hitting my inbox over the weeks/months. New ones will be blogged here to help keep you safe from these parasites.