NEWS FROM THE LAB - Monday, July 26, 2010

WoW Account Phishing Posted by Response @ 03:49 GMT

A World of Warcraft account could be a gold pot for phishers, depending on the player's achievement. In-game items are in demand and could be sold for real cash value, making WoW accounts a favorite phishing target.

An analyst from our Response Lab recently received an e-mail from Blizzard (the creator of WoW) asking for account verification. At a glance, the e-mail appeared to be coming from a legit source. Look at the "From" address. Nothing suspicious here.

WoW Phishing, Normal View

Upon further reading of the e-mail content (click image above for larger view), something seemed off. The account has to be verified at an external site not associated with Blizzard; the e-mail content was written with noticeable grammatical errors.

Further investigation revealed that the e-mail was sent from an individual e-mail account. The phisher is using a SMTP relay attack to spoof the "From" address so that the e-mail seem to be originated from Blizzard (click the image below for a larger view):

WoW Phishing, Full headers

Accounts for Blizzard games, particularly WoW, Starcraft II and Diablo III are currently being handled by Battle.net. Take note that any changes in the account require a thorough verification process, where a valid ID has to be presented.

Battlenet TOC

Phishers are getting smarter, and their social engineering has gotten more subtle and harder to detect. It is up to user to be extra careful and not to trust every source blindly.