My WoW-account's been compromised

[SurfD]

My account gets locked every time I forget to turn on the vpn back to my home network and attempt to log in to my WoW account while traveling.

Blizzard must have some sort of geo-location or ip address logging service running to catch hackers.

I think that is part of the new security measures that went in when they launched the Dial In Authenticator thing.  Now there is a chance that if you log in from an IP that is not one you usually use, they will lock your account on suspicion of chineese hackers.

[Sir T]

I got this email today

Greetings:

Thank you for your attention in this matter regarding the compromised World of Warcraft account you are using. Unfortunately, multiple parties have contacted Blizzard Entertainment seeking restoration of the account in question. This message contains an updated Account Retrieval process, which will enable the rightful user of the account to resume their adventures in the World of Warcraft.

The investigation will be continued by Blizzard administration to determine the action to be taken against your account. If your account is found violating the EULA and Terms of Use, your account can, and will be suspended/closed/or terminated. In order to keep this from occurring, you should immediately verify that you are the original owner of the account.

To verify your identity please visit the following webpage:
{redacted}

Only Account Administration will be able to assist with account retrieval issues.

Please help us to avoid any further delays in restoring Account access by following the instructions exactly and in their entirety. We will contact you again once all information has been received and thank you in advance for your patience and cooperation in resolving this account issue. Please be sure to provide all pertinent data as soon as possible since Blizzard Entertainment is unable to offer any type of reimbursement for the time an account is locked for verification and investigation purposes.

In the meantime, please make sure to scan the computer system you are using to remove all viruses, Trojan files, and key loggers. For more computer/Internet security tips, please visit
{redacted}

In addition, World of Warcraft account passwords should be periodically changed by visiting :
{redacted}

Any inquiries concerning this account retrieval process can only be addressed by Account Administration. To learn more about how Account Administration is able to assist you, please visit us at :
{redacted}

Thank you for your patience and anticipated cooperation in this matter.

Sincerely,
Account AdministrationBlizzard
Entertainment
{redacted}

I did play WOW. On a trial CD I picked up for 2 euro. For a week and a half. In 2009.

This looks legit.

{edit} links redacted

[Minvaren]

Might want to obfuscate or un-HTML the very first link in your post, Sir T...

[Polysorbate80]

Authenticator ordered.

Logged in this morning to find both my main and my wife's main have been rebound to Netherstorm and have apparently been busy farming Botanica.  Y'know, to fill up the bag/bank space that had all been emptied, except for hearthstones (hers was even still on cooldown, they've been busy li'l devils)

A round of password changes later, Blizzard's emails tell me everythings back where it was though, with only about ~3 hours to do it.  The design team may not think their job is providing customer service, but fortunately their actual CR people haven't bought into that 

[Merusk]

If her hearth was still on CD you might have booted them offline right then.  Found out that little feature of the game back in vanilla when I booted my wife offline by logging into her account.   I get why they do it, so you don't have to do the oldschool EQ dance of "am I offline yet? What about now? What about now? when you're DC'd.  It does make for some fun times when you want to mess with someone whose password you know, however.

[Koyasha]

EQ also booted you offline when someone tried to log in.  It would take a minute or so for you to be able to get in, but just the attempt to log in would disconnect the person playing.

And yeah, ever since my accounts got hacked somehow way back, I've had an authenticator on mine, as much as I've had the rabble rabble of not using the goddamn piece of junk that requires manual input.  I hate the thing and it annoys me every single time I pick it up to use it, but when they can apparently find my passwords even when I haven't been playing for a year, no amount of personal 'caution' or security is going to make a difference, it seems.

Even with the authenticator I stay paranoid by having an email devoted purely to contact with Blizzard and nothing else; if anything else ever comes over that email I'll switch it on my account.

[Mattemeo]

This is a delight in every sense!

Greetings,

NO.FH54GGSGD4SFA94

***Please read this e-mail carefully, as it is related to your account state of World of Warcraft ID.

Deathwing the Destroyer returns to Azeroth. There is a serious saturation point in the World of Warcraft ID(s) and it is very difficult for players to creat a role. That we may delete some of the same as role's ID(s) to ensure to get a better gaming experience for players.

Sorry, because the part ID(s) which is not logged on ,for a long time. For our regular check may cause your ID(s) is cleared. We need you to submit the further questionnaire in person. In order to confirm that you are still in Azeroth. Please click

hilariouslybadurl://NO.FH54GGSGD4SFA94.us.battle.cataclysm.blizzardid.net/login.html?ref=https://us.battle.net/account/management/index.xml&app=bam&t

Login to your account, In accordance following template to verify your account.

*We look forward to seeing you back in Azeroth.

Once we verify your account, we will reply to your e-mail informing you that we have given up deleting.

Game Masters:

Game Masters (GMs) are Blizzard Entertainment personnel that are available in-game to assist you with your gameplay related questions, problems, etc. Learn more about Game Masters, including how to contact them at .blizzard.com/support/wowgm/

Best regards,
World of Warcraft Account Administration Team
.blizzard.com/support/wowaa/
Blizzard Entertainment

Haven't had a phish this wonderfully bad in a long time!

[Azazel]

Found this in my Spam folder...



Too Many Attempts Warning No.46

Dear customer,

Due to suspicious activity, your Battle.net account has been locked. You tried to login your account too many times (403). We are concerned about whether your account has been stolen. In order to guarantee the legitimacy of your account, we need you follow these steps:

Step 1: Secure Your Computer

In the event that your computer has been infected with malicious software such as a keylogger or trojan, simply changing your password may not deter future attacks without first ensuring that your computer is free from these programs. Please visit our Account Security website to learn how to secure your computer from unauthorized access.

Step 2: Secure Your E-mail Account

After you have secured your computer, check your e-mail filters and rules and look for any e-mail forwarding rules that you did not create. For more information on securing your e-mail account, visit our Support page.

Step 3: Restore access to Your account

We now provide a secure link for you to verify whether you have taken the appropriate steps to secure the account, your computer, and your email address. Please follow this site to restore the access to your account: LOLINK

If you still have questions or concerns after following the steps above, feel free to contact Customer Support at LOLINK.

Sincerely,
The Battle.net Account Team
Online Privacy Policy

 

[apocrypha]

Found this in my Spam folder...



Too Many Attempts Warning No.46

I've been getting one of those a day for a few weeks now. To an email address that has never been used for any WoW accounts.

[taolurker]

Just received an email that is the best imposter phishing email I've ever seen.


The email shows it coming from newsletter@email.blizzard.com, but the links contained within the email direct to www-wowgm-battle.org (which appears to be pretending to be a European WoW login page).

The return path of the email in the Headers shows the message actually originated in Taiwan, and the below visual traceroute actually allowed me to get right down to the exact address.


Even better was the WHOIS information on record for the site that's part of the links:


What's truly funny about this is I've never ever had ANY Warcraft account (not even a free trial) and the only battle.net account I ever had (for Diablo 1/2) was a totally different email address completely.

Beware phishing scams, and I already forwarded this to hacks@blizzard.com just like their website suggests... But then again their site also says "The most important thing to avoid becoming a victim of a malicious website is to make sure your browser and anti-virus software are up-to-date." but mentions nothing about Spyware/Malware (but does recommend: "Check to make sure your browser’s phishing filter is activated.").

[raydeen]

I'm going to start saying 'haha hengheng' now when I think something is funny.

[Der Helm]

Hm. I got almost the same email, but my links seem to point towards https://www.worldofwarcraft.com/account/claim-promotion.html?promoId=SEVEN_DAYS_PROMOTION

I almost clicked those links. Did I dodge a bullet or did some spammer copy a legit email from blizzard ?

[taolurker]

I copied the link and didn't click it (and never visited the site itself), plus part of the link after the www-wowgm address was a login address for the Warcraft page. I have no idea if it was a copied Blizzard email, but I am pretty sure I'd be wary of any offer like this. Also check the message Headers to make sure it's origin was really from Blizzard.

[Mattemeo]

Just received an email that is the best imposter phishing email I've ever seen.

The thing that I noticed instantly that made me think that graphic wasn't quite right is at the very top...

"Dear Players"...

Blizz tend to be more personal. I have a similar promotion graphic but it adresses me by my first name.

The other thing I noticed (but don't know if you decided not to include it in the image you posted) is
that it's missing a whole bunch of legal bunf at the bottom framed in black; ERSB, privacy policy etc.

Still, it's a worryingly sophisticated phish; for all that we laugh at the terrible ones it's worth remembering
there are scammers out there who actually try.

[taolurker]

The other thing I noticed (but don't know if you decided not to include it in the image you posted) is
that it's missing a whole bunch of legal bunf at the bottom framed in black; ERSB, privacy policy etc.

There was no legal at the bottom, below the image, and where the screenshot ended was exactly where the image on the phishing email did.

Still, it's a worryingly sophisticated phish; for all that we laugh at the terrible ones it's worth remembering
there are scammers out there who actually try.

It was very sophisticated, with no usual bad spelling or grammar, and was using a Blizzard logo'd image.

[WindupAtheist]

Man these Chinese account thieves sure are getting sophisticated.


Looks legit!  

Meanwhile I logged into my actual WoW email for the first time in months to find a still-empty inbox. Which is good since it's never been used for any other purpose ever.

[Der Helm]

What the fuck happened here ?

Hello zhang,

Welcome to Battle.net!

You have successfully created the following Battle.net account:

myreal.name@googlemail.com

The Battle.net account is a centralized account system that will let you manage all of the Blizzard Entertainment games you play, including World of Warcraft and future games, in one place without having to remember multiple sets of login information.

We highly recommend that you take this opportunity to verify your e-mail address. Verifying your e-mail address will unlock extra Battle.net account features, including the ability to register Blizzard games you own so that you can download them, free of charge, any time you want. To do so, simply click here:

https://sea.battle.net/account/email/confirm.xml?ticket=*snip*

In addition, you may also merge any World of Warcraft accounts you play with this Battle.net account. After merging, you will log in to the game and its associated online services such as World of Warcraft Account Management, the World of Warcraft Forums, and the World of Warcraft Armory, using your Battle.net login information. You can begin the account merge process at the Battle.net account homepage, located at http://www.battle.net/account.

Please retain this e-mail for your reference.

For more information, click here for answers to Frequently Asked Questions or to contact the Blizzard Billing & Account Services team.

Sincerely,
The Battle.net Account Team
Online Privacy Policy

My name is not Zhang, btw.

[Merusk]

Spammer fails at understanding mail merge fields!

[raydeen]

Here's a new one. Great idea and they were doing so well up until the second paragraph...

Greetings!

When you take to the skies astride a blazing, eagle-winged lion, your comrades will know you mean business. Serious business. So saddle up, because this flying mount will travel as fast as your riding skill will take you, and it can even travel at 310% speed if you have at least one other 310% speed mount.
Once activated, this World of Warcraft in-game pet key applies to all present and future characters on a single World of Warcraft license.
we will be complimentary seat to the 5,000 players. You can log Web site application, we will be lucky players randomly.
Please click this link to apply
http://us.battle.net.login.worldofwarrcraft.tk/battle_net_account.html?ref=https%3A%2F%2Fus.battle.net%2Faccount%2Fmanagement%2Findex.xml&app=bam&t=1

If your account passes the check successfully, we will send a code for the Winged Guardian flying mount to you in the form of e-mail.
The World of Warcraft Support Team
Blizzard Entertainment

[Kail]

Here's a new one. Great idea and they were doing so well up until the second paragraph...

Greetings!

When you take to the skies astride a blazing, eagle-winged lion, your comrades will know you mean business. Serious business. So saddle up, because this flying mount will travel as fast as your riding skill will take you, and it can even travel at 310% speed if you have at least one other 310% speed mount (etc. etc.)

Jesus, just got this one (except slighty improved grammar, and it was faking the EU WoW site) and almost died to it.  It had background art and everything, and it got through my spam filter (which usually doesn't let anything through).  Fortunately, my virus checker kicked me in the balls when I hit the link.

[Ironwood]

I gave up playing about a year ago.

I've just got an actual legitimate mail from Blizzard banning me for bad stuff.  I sort out the account issues and look at the account to find someone applied a gamecard to the account for this purpose.

What the fuck ?

 

[Xuri]

Interesting. Just checked my own account + account history, and while the account history shows that my three-month subscription lapsed in november 2010, under "Game time" on the main page it now says "Expired: 2/5/2011 12:24 PM". Hrm.

[Ironwood]

As far as I can see, someone used my account to log on, shout shit in general, get banned and that's it.

And it cost them to do so.

I'm really, really not seeing the point of this.  Nor how they managed it.  I'm clean as a whistle.

[Rokal]

Use the same login/password on shitty websites like kotaku or random forums > website/forums get hacked > hackers try the username/password on every MMO > profit.

[Ironwood]

Yeah, I get that.  I have one WoW Password.  It has it's own E-mail account.

I really don't get it.

Edited to add :

The amount of fucking ORE they left on my chaps and GOLD on my other alt is fucking unbelievable.  I mean, really, really unbelievable.  Given that I don't play anymore, I shouldn't have bothered to report this and just sent the whole lot to the Guild or my wife or something.

Online games are mental.  The idea that there's a market in this is just MENTAL.

I used to wade through it without bothering, but when it's filling your bags, it really makes you think.

[Merusk]

You've never used that e-mail account anywhere else? Not even your old guild's forums or as a Wowhead login or something similar?

Sounds like it wasn't the usual gold spammer looking to strip an account but someone stole the account and sold it.   If you haven't played in a year I don't get why they would have, since you'd be lacking the expansion.

[Fordel]

Maybe it was a middle man mule or whatever?

[Lantyssa]

Probably that or a miner bot since it was loaded down with ore and gold.

[Ironwood]

Yeah, there was defo Botting going on.  I have all the 'oversized' bags and they were fucking full of Eternium and Pyrite.  Enough to make well over 550 bars.

My drood was clearly the fence, since he had about 100,000 in AH mail in his inbox and about 50,000 on his person.

Which is more gold than I've ever, ever had, I suspect.

It was mental.  Utterly mental. 

Since I told Blizzard that the Timecard wasn't mine, they took that away also.  So I can't even log in to find out what state I was left in.

[Mattemeo]

Phishers are getting fast. 24 hour gap between the legit Blizzcon Foo Fighters e-flyer and the scam Foo Fighters e-flyer that got filtered to my junk folder. Little fuck ups include a ? instead of a © and bullet points, and replacing my name with 'Warrior of Azeroth'. Oh, and the ludicrously long url hyperlinks on mouse-over, naturally.

[Phred]

I gave up playing about a year ago.

I've just got an actual legitimate mail from Blizzard banning me for bad stuff.  I sort out the account issues and look at the account to find someone applied a gamecard to the account for this purpose.

What the fuck ?

 

That happened to me last summer after not having played for almost a year as well. I sorted it out with support and asked them to leave my account banned so no one could steal it again. Some one told me at the time that Battle.net had no anti-brute force stuff applied at all. i.e. you could spam it with password guesses and it wouldn't even slow down much less stop talking to you.

[Azazel]

Yeah, happened to me as well just before Cata came out. I ended up with a free month and a half since they left the gamecard time on there even after they restored my stuff.