It is currently Thu Nov 21, 2024 5:38 am

Scams: Please Read

Category for World of Warcraft-related discussions.

Scams: Please Read

Postby Zancarius » Wed Jan 20, 2010 2:42 pm

It seems that with the new year upon us (and the Chinese new year fast approaching), account stealing scams have been increasing in number. Before we discuss the types of scams, here are some things to keep in mind:

  • Never, ever give your password to anyone, including siblings.
  • Create a unique, difficult to guess password. Never use the name of your child or dog. Adding numbers and changing letter case increases the entropy of your password and makes it much more difficult to guess. For example, "FiDo!!1x" is more secure and difficult to guess (or brute force) than simply "fido".
  • Neither of those two are passwords I have ever used. If you seriously try them, I will laugh at you.
  • Never visit sites advertised via whispers, yells, or in game mail messages no matter how official they might look. Online scams work precisely by making you think you're visiting an official site. Remember this.
  • The ONLY valid sites you should visit related to the game (in the US) are http://www.worldofwarcraft.com and http://www.battle.net. Any site other than these two is likely a fraud.
  • When in doubt it is better to MANUALLY TYPE THE SITE ADDRESS into your address bar than it is to click a link. Why? Here's an example: http://www.microsoft.com/ (forum address suffixes aside, clicking this URL will take you to Google instead of Microsoft).
  • If you create an account on sites like wowhead.com, DO NOT use the same username/password combination you use to log in to World of Warcraft.
  • Consider purchasing an authenticator but be aware of other issues*.

With these things in mind for protecting your account, here are some tips to spot scams:

The Congratulations Scam

Also known as the "you've been selected for account theft" scam. This scam invariably provides a site from which you can "collect" your "reward." Never mind that the true reward is in the data you provide them. Typical implementations of this scam involve rewards for achievement progress or free in game mounts. Worse, the sites linked in the in game mail oftentimes actually look genuine.

What you can do to protect yourself:

Do not by any means go to sites linked via in game mails. If Blizzard gives you a reward such as a vanity pet, the pet is always attached as part of the mail message. Furthermore, e-mail message from Blizzard are always accompanied by the Blizzard logo and the background image in the mail message will have some sort of Blizzard Entertainment logo. Game mails that appear to be identical to those sent from other players always are.

If you get suckered into visiting a site of unknown authenticity, watch for common misspellings or unusual turns of phrase. Scammers are often Chinese and while their skill at duplicating existing content is impressive, their ability to communicate in perfect English often isn't. For a similar but not quite identical example, consider reading the documentation for many of Gigabyte's motherboard offerings.

Account Warning Scam

Scammers are something like spammers: If they obtain your e-mail address, they'll start sending valid-looking e-mails in the hopes you'll click on links provided therein. One of the more recent types of this variety involves e-mail notices of account suspension that look official. However, since most people view their e-mail messages in HTML format, the links contained within this messages do not point to actual Blizzard sites. Other similar messages may include password reset notifications, special offers, and so forth.

What you can do to protect yourself:

Never click on links presented to you via e-mail messages. Instead, type the address carefully yourself into your browser's address bar. For instance, if you receive a notice that your account has been suspended, go to http://www.worldofwarcraft.com and click on "Account Management." From there, you may log in with your username/password (but ONLY from there) and verify that the account is active.

Never buy gold. I realize that gold purchases are often the path of least resistance and make game progress somewhat easier, but it's important to remember that the gold you've purchased was likely obtained by someone else having their account cracked. In fact, purchased gold never comes from a legitimate source no matter how reputable the company because it's against the ToS. Furthermore, many gold sellers require you to provide your e-mail address to confirm payment and delivery. Thus, by giving them your e-mail address, you have inadvertently exposed at least one part of your account data to a scammer. Gold sellers can then sell your e-mail address to spammers (you don't want an inbox full of Viagra ads, do you?) or to other scammers in an attempt to crack your WoW account.

Protect Yourself

As always, typical methods of protecting yourself apply: Always keep your antivirus up to date, enable Windows firewall if you're using Windows (it isn't perfect, but it's better than nothing), if you're using Vista/7 do not make a habit of automatically clicking "YES" when UAC pops up asking for administrative privileges (always verify that the application requesting privilege escalation is what you would expect it to be), and don't visit questionable sites. Further steps you can take to prevent hostile applications and sites from taking over your system are:

  • Never visit anything except for well known sites with Microsoft Internet Explorer. Always use an alternative browser like Firefox, Chrome, or Opera.
  • If you have Adobe Flash enabled, you must update it regularly (at least every month). Increasingly, more and more attack vectors are using exploits in Flash to gain access to your system.
  • If you use Firefox, go to https://addons.mozilla.org/en-US/firefox/ (it'll show a green "Mozilla Corporation (US)" in the address bar under Firefox and display a secure connection icon somewhere on your browser) and download the addons: NoScript and Flashblock. These two addons are capable of halting most attack vectors by default including many that have not yet been discovered.
  • If you use Opera, disable scripting and plugins by default. To do this, go to: Tools -> Quick Preferences and uncheck "Enable JavaScript" and "Enable Plugins". For safe sites that you visit regularly to go Tools -> Quick Preferences -> Edit Site Preferences and check "Enable Plugins" under the "Content" tab and "Enable JavaScript" under the "Scripting" tab.
  • If you use Microsoft Internet Explorer and are not visiting your bank or other site that absolutely requires MSIE, click on the "X" button in the upper right hand corner and launch Mozilla Firefox. If you don't have Firefox, go to http://www.mozilla.org/
  • Again, never give your password to anyone, including siblings. Siblings are one of the worst attack vectors that cannot be engineered around and have no remedy that is otherwise legal in most countries (unless you live in jurisdictions like Uganda where human sacrifice is still allowed).
  • When in doubt, ask a knowledgeable guild mate. It's better to ask a question if you're unsure of a message's authenticity than to have your account compromised.
  • If you absolutely, positively must view questionable sites, consider doing so with a separate (unprivileged) user account under a browser with scripting and plugins disabled. Better yet, do so under a virtual machine. (Windows 7 Professional and up have fully licensed copies of Windows XP--however, "XP mode" has full, administrative access to the file system--don't use it. Oddly, you can run the XP mode virtual machine under separate virtualization software like VirtualBox, which is a safer approach.)
  • * The Blizzard authenticator is great and will protect you even from a keylogger. However, keyloggers are exceedingly dangerous: While the authenticator will protect your World of Warcraft account from theft it will not protect your online bank account from being compromised. Keep this in mind.

Edit: Fixed font sizes due to breakage from phpBB2 -> phpBB3 update.
Last edited by Zancarius on Mon May 24, 2010 3:39 pm, edited 2 times in total.
I gave that lich a phylactery shard. Liches love phylactery shards.
User avatar
Zancarius
Site Admin
 
Posts: 3907
Joined: Wed Jul 05, 2006 3:06 pm
Location: New Mexico
Gender: Male

Postby MaxRile » Mon May 24, 2010 10:10 am

And when ever they whisper you you have a few mins to whisper then back. Type this "wo gok Dow" they love it
Alice: How long is forever?
White Rabbit: Sometimes, Just one second.
-Lewis Carrol
User avatar
MaxRile
Crazy Goon
 
Posts: 467
Joined: Mon Feb 23, 2009 10:06 pm
Location: bottom of a cliff. Join me!
Gender: Male

Postby Zancarius » Mon May 24, 2010 3:37 pm

Thank you for bumping this. I forgot I wrote it.
I gave that lich a phylactery shard. Liches love phylactery shards.
User avatar
Zancarius
Site Admin
 
Posts: 3907
Joined: Wed Jul 05, 2006 3:06 pm
Location: New Mexico
Gender: Male

Postby MaxRile » Tue May 25, 2010 4:31 pm

i felt it needed a refresher. i know ive been getting more and more whispers... hope they read english because my words are colorful =D
Alice: How long is forever?
White Rabbit: Sometimes, Just one second.
-Lewis Carrol
User avatar
MaxRile
Crazy Goon
 
Posts: 467
Joined: Mon Feb 23, 2009 10:06 pm
Location: bottom of a cliff. Join me!
Gender: Male

Re: Scams: Please Read

Postby Zancarius » Thu Oct 07, 2010 6:37 pm

I was looking through my Gmail this evening and realized that I had some WoW-related scam e-mail sitting in my junk folder. The plus side is, Google will alert you about scams:

gmail-screen.png
gmail-screen.png (47.04 KiB) Viewed 6978 times


However, if you're using other e-mail providers or stand alone clients like Thunderbird or Outlook, there's a strong possibility that you may think this is genuine. Mousing over the links in the e-mail message will generally hint that they are most certainly not from Blizzard. But, there's another possibility to determine who it originated from.

Most e-mail clients provide a method of viewing the message source. In Gmail, clicking the down arrow on the reply button yields an option labeled "Show Original"; when you click this, a second window will open up and display the actual message source. This includes the headers, or information fields provided by the mail servers involved in handling that particular message, and typically reveals some interesting details. The message above contains the following:

Code: Select all
Delivered-To: zancarius@gmail.com
Received: by 10.220.184.69 with SMTP id cj5cs200540vcb;
        Fri, 1 Oct 2010 13:19:18 -0700 (PDT)
Received: by 10.142.185.16 with SMTP id i16mr5244444wff.212.1285964357729;
        Fri, 01 Oct 2010 13:19:17 -0700 (PDT)
Return-Path: <mkjdkthi@xfyqbyf.org>
Received: from xfyqbyf.org (h-72-244-54-251.snfccasy.static.covad.net [72.244.54.251])
        by mx.google.com with ESMTP id j6si3569650wfe.115.2010.10.01.13.19.11;
        Fri, 01 Oct 2010 13:19:17 -0700 (PDT)
Received-SPF: neutral (google.com: 72.244.54.251 is neither permitted nor denied by best guess record for domain of mkjdkthi@xfyqbyf.org) client-ip=72.244.54.251;
Authentication-Results: mx.google.com; spf=neutral (google.com: 72.244.54.251 is neither permitted nor denied by best guess record for domain of mkjdkthi@xfyqbyf.org) smtp.mail=mkjdkthi@xfyqbyf.org
Reply-To: <noreply@blizzard.com>
Date: Sat, 2 Oct 2010 04:19:02 +0800
From: "noreply@blizzard.com" <noreply@blizzard.com>
To: <zancarius@gmail.com>
Subject: Battle.net Account - Account Change Notice
Message-ID: <20101002041911623338@xfyqbyf.org>
X-mailer: Foxmail 6, 13, 102, 15 [cn]
Mime-Version: 1.0
Content-Type: multipart/alternative;
   boundary="=====003_Dragon262528317858_====="

This is a multi-part message in MIME format.

--=====003_Dragon262528317858_=====
Content-Type: text/plain;
   charset="utf-8"
Content-Transfer-Encoding: base64

SGVsbG8sIA0KVGhpcyBpcyBhbiBhdXRvbWF0ZWQgbm90aWZpY2F0aW9uIHJlZ2FyZGluZyB5b3Vy
IEJhdHRsZS5uZXQgYWNjb3VudC4gU29tZSBvciBhbGwgb2YgeW91ciBjb250YWN0IGluZm9ybWF0
aW9uIHdhcyByZWNlbnRseSBtb2RpZmllZCB0aHJvdWdoIHRoZSBBY2NvdW50IE1hbmFnZW1lbnQg
d2Vic2l0ZS4NCioqKiBJZiB5b3UgbWFkZSByZWNlbnQgYWNjb3VudCBjaGFuZ2VzLCBwbGVhc2Ug
ZGlzcmVnYXJkIHRoaXMgYXV0b21hdGljIG5vdGlmaWNhdGlvbi4NCg0KKioqIElmIHlvdSBkaWQg
Tk9UIG1ha2UgYW55IGNoYW5nZXMgdG8geW91ciBhY2NvdW50LCB3ZSByZWNvbW1lbmQgeW91IGxv
ZyBpbiB0byBBY2NvdW50IE1hbmFnZW1lbnQgcmV2aWV3IHlvdXIgYWNjb3VudCBzZXR0aW5ncy4N
CklmIHlvdSBjYW5ub3Qgc2lnbiBpbnRvIEFjY291bnQgTWFuYWdlbWVudCB1c2luZyB0aGUgbGlu
ayBhYm92ZSwgb3IgaWYgdW5hdXRob3JpemVkIGNoYW5nZXMgY29udGludWUgdG8gaGFwcGVuLCBw
bGVhc2UgY29udGFjdCBCbGl6emFyZCBCaWxsaW5nICYgQWNjb3VudCBTZXJ2aWNlcyBmb3IgZnVy
dGhlciBhc3Npc3RhbmNlLg0KQmlsbGluZyAmIEFjY291bnQgU2VydmljZXMgY2FuIGJlIHJlYWNo
ZWQgYXQgMS04MDAtNTktQkxJWlpBUkQgKDEtODAwLTU5Mi01NDk5IE1vbi1GcmksIDhBTS04UE0g
UGFjaWZpYyBUaW1lKSBvciBhdCBiaWxsaW5nQGJsaXp6YXJkLmNvbS4NCkFjY291bnQgc2VjdXJp
dHkgaXMgc29sZWx5IHRoZSByZXNwb25zaWJpbGl0eSBvZiB0aGUgYWNjb3VudGhvbGRlci4gUGxl
YXNlIGJlIGFkdmlzZWQgdGhhdCBpbiB0aGUgZXZlbnQgb2YgYSBjb21wcm9taXNlZCBhY2NvdW50
LCBCbGl6emFyZCByZXByZXNlbnRhdGl2ZXMgd2lsbCB0eXBpY2FsbHkgbG9jayB0aGUgYWNjb3Vu
dC4gSW4gdGhlc2UgY2FzZXMgdGhlIEFjY291bnQgQWRtaW5pc3RyYXRpb24gdGVhbSB3aWxsIHJl
cXVpcmUgZmF4ZWQgcmVjZWlwdCBvZiBJRCBtYXRlcmlhbHMgYmVmb3JlIHJlbGVhc2luZyB0aGUg
YWNjb3VudCBmb3IgcGxheS4NClJlZ2FyZHMsDQpUaGUgQmF0dGxlLm5ldCBTdXBwb3J0IFRlYW0N
CkJsaXp6YXJkIEVudGVydGFpbm1lbnQNCnd3dy5ibGl6emFyZC5jb20vc3VwcG9ydA0KT25saW5l
IFByaXZhY3kgUG9saWN5

--=====003_Dragon262528317858_=====
Content-Type: text/html;
   charset="utf-8"
Content-Transfer-Encoding: base64

PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMCBUcmFuc2l0aW9uYWwv
L0VOIj4NCjxIVE1MPjxIRUFEPg0KPE1FVEEgaHR0cC1lcXVpdj1Db250ZW50LVR5cGUgY29udGVu
dD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxNRVRBIGNvbnRlbnQ9Ik1TSFRNTCA2LjAw
LjI5MDAuNTkyMSIgbmFtZT1HRU5FUkFUT1I+PC9IRUFEPg0KPEJPRFk+DQo8UD5IZWxsbywgPC9Q
Pg0KPFA+VGhpcyBpcyBhbiBhdXRvbWF0ZWQgbm90aWZpY2F0aW9uIHJlZ2FyZGluZyB5b3VyIEJh
dHRsZS5uZXQgYWNjb3VudC4gU29tZSBvciANCmFsbCBvZiB5b3VyIGNvbnRhY3QgaW5mb3JtYXRp
b24gd2FzIHJlY2VudGx5IG1vZGlmaWVkIHRocm91Z2ggdGhlIEFjY291bnQgDQpNYW5hZ2VtZW50
IHdlYnNpdGUuPC9QPg0KPFA+KioqIElmIHlvdSBtYWRlIHJlY2VudCBhY2NvdW50IGNoYW5nZXMs
IHBsZWFzZSBkaXNyZWdhcmQgdGhpcyBhdXRvbWF0aWMgDQpub3RpZmljYXRpb24uPC9QPg0KPFA+
PEJSPioqKiBJZiB5b3UgZGlkIE5PVCBtYWtlIGFueSBjaGFuZ2VzIHRvIHlvdXIgYWNjb3VudCwg
d2UgcmVjb21tZW5kIHlvdSBsb2cgDQppbiB0byA8QSANCmhyZWY9Imh0dHA6Ly93d3cuYmF0dGxl
Lm5ldC13b3ctc3VwcG9yLWxvZ2luYWRtaW4uY29tL2xvZ2luL2VuL2xvZ2luLmFzcD9yZWY9aHR0
cHMlM0ElMkYlMkZ1cy5iYXR0bGUubmV0JTJGYWNjb3VudCUyRm1hbmFnZW1lbnQlMkZiZXRhLXBy
b2ZpbGUueG1sJmFtcDthcHA9YmFtIj5BY2NvdW50IA0KTWFuYWdlbWVudDwvQT4gcmV2aWV3IHlv
dXIgYWNjb3VudCBzZXR0aW5ncy48L1A+DQo8UD5JZiB5b3UgY2Fubm90IHNpZ24gaW50byBBY2Nv
dW50IE1hbmFnZW1lbnQgdXNpbmcgdGhlIGxpbmsgYWJvdmUsIG9yIGlmIA0KdW5hdXRob3JpemVk
IGNoYW5nZXMgY29udGludWUgdG8gaGFwcGVuLCBwbGVhc2UgY29udGFjdCBCbGl6emFyZCBCaWxs
aW5nICZhbXA7IA0KQWNjb3VudCBTZXJ2aWNlcyBmb3IgZnVydGhlciBhc3Npc3RhbmNlLjwvUD4N
CjxQPkJpbGxpbmcgJmFtcDsgQWNjb3VudCBTZXJ2aWNlcyBjYW4gYmUgcmVhY2hlZCBhdCAxLTgw
MC01OS1CTElaWkFSRCANCigxLTgwMC01OTItNTQ5OSBNb24tRnJpLCA4QU0tOFBNIFBhY2lmaWMg
VGltZSkgb3IgYXQgPEEgDQpocmVmPSJtYWlsdG86YmlsbGluZ0BibGl6emFyZC5jb20iPmJpbGxp
bmdAYmxpenphcmQuY29tPC9BPi48L1A+DQo8UD5BY2NvdW50IHNlY3VyaXR5IGlzIHNvbGVseSB0
aGUgcmVzcG9uc2liaWxpdHkgb2YgdGhlIGFjY291bnRob2xkZXIuIFBsZWFzZSBiZSANCmFkdmlz
ZWQgdGhhdCBpbiB0aGUgZXZlbnQgb2YgYSBjb21wcm9taXNlZCBhY2NvdW50LCBCbGl6emFyZCBy
ZXByZXNlbnRhdGl2ZXMgDQp3aWxsIHR5cGljYWxseSBsb2NrIHRoZSBhY2NvdW50LiBJbiB0aGVz
ZSBjYXNlcyB0aGUgQWNjb3VudCBBZG1pbmlzdHJhdGlvbiB0ZWFtIA0Kd2lsbCByZXF1aXJlIGZh
eGVkIHJlY2VpcHQgb2YgSUQgbWF0ZXJpYWxzIGJlZm9yZSByZWxlYXNpbmcgdGhlIGFjY291bnQg
Zm9yIA0KcGxheS48L1A+DQo8UD5SZWdhcmRzLDwvUD4NCjxQPlRoZSBCYXR0bGUubmV0IFN1cHBv
cnQgVGVhbTxCUj5CbGl6emFyZCBFbnRlcnRhaW5tZW50PEJSPjxBIA0KaHJlZj0iaHR0cDovL3d3
dy5ibGl6emFyZC5jb20vc3VwcG9ydCI+d3d3LmJsaXp6YXJkLmNvbS9zdXBwb3J0PC9BPjxCUj5P
bmxpbmUgDQpQcml2YWN5IFBvbGljeTwvUD48L0JPRFk+PC9IVE1MPg0K

--=====003_Dragon262528317858_=====--


You will notice that while the From field indicates this message is from Blizzard, a couple of lines above this betray the originator as someone else:

Code: Select all
Authentication-Results: mx.google.com; spf=neutral (google.com: 72.244.54.251 is neither permitted nor denied by best guess record for domain of mkjdkthi@xfyqbyf.org) smtp.mail=mkjdkthi@xfyqbyf.org


More importantly, the IP address 72.244.54.251 does not resolve to an address owned by Blizzard. In this particular case, the IP address is owned by Covad Communications and appears to have a reverse lookup associated with a static IP assigned in a cable Internet pool. Chances are, this scam e-mail was shuttled through someone's botted home computer--and they're completely unaware--in effort to make the origin appear slightly more legitimate. After all, not everyone falls for clicking on addresses owned by a Chinese firm.

The second clue that this e-mail message is a scam is the unusual encoding. The entire message body is hidden behind base 64 encoding which is simply a method of transmitting binary and high order bytes through simple plain text communication channels by translating unprintable bytes into some subset of 64 characters that are printable. Base 64 isn't anything evil in and of itself--after all, any time you forward an e-mail with pictures to a relative, it gets base 64 encoded--but spammers have used this technique for years in effort to hide the contents of the e-mail. Pity they don't seem to realize that all major e-mail providers often have software installed that can decode base 64 on the fly, and all anti-spam software packages that I am aware of will decode base 64 and actively scan it. Guess they're stuck in the late 1990s.

In short, if you ever receive an e-mail that looks like it originated from Blizzard, you really shouldn't trust it unless you first do some legwork to investigate the source. Remember, your account is more likely to be stolen by you voluntarily giving up your username and password. The second most popular method is via keyloggers, which can also be installed by visiting links in seemingly innocuous e-mails like this one!

Be vigilant, and you'll be safe.
I gave that lich a phylactery shard. Liches love phylactery shards.
User avatar
Zancarius
Site Admin
 
Posts: 3907
Joined: Wed Jul 05, 2006 3:06 pm
Location: New Mexico
Gender: Male

Re: Scams: Please Read

Postby MaxRile » Fri Oct 08, 2010 8:38 am

I would also like to point out that typing out the sites address instead of just clicking the links will be far safer.

If your not sure just type it out and check for yourself no harm done then you can see its a scam in under a few mins =D
Alice: How long is forever?
White Rabbit: Sometimes, Just one second.
-Lewis Carrol
User avatar
MaxRile
Crazy Goon
 
Posts: 467
Joined: Mon Feb 23, 2009 10:06 pm
Location: bottom of a cliff. Join me!
Gender: Male


Return to World of Warcraft

Who is online

Users browsing this forum: No registered users and 1 guest

cron