May 25, 2010 at 03:19 PM
Fantastic Four
177 Posts

Phishing emails, how to tell the brown from the blue.

I'm going to give an example of an email that hit my mailbox today. As I've already replaced my Bnet email with the one I had previously, I know this to be spam without a doubt. Then there's the blatant disregard for grammar. Either way, I'm going to tell you how to check yo shit!

I modified the addresses so you can't click on them.

First, I got this email:

5ffffawfwafwry


This is an automated notification sent from our account security system. You logined your account successfully at 4:27 on April 26th form the 125.21.167.* range, but our system shows the 125.94.112.* IP range exists a large number of hackers. As too many customer complaints, the 125.19.169.* IP range has been blacklisted. We are concerned about whether your account has been stolen. In order to guarantee the legitimacy of your account, we need you check your account status here as soon as possible. If you have any questions, please visit : www,wowaccountadmin-logincheck,com/login/login.asp?ref=www,worldofwarcraft,com/account/&app=wam
Blizzard staff will verify your account information submitted in two days, please do not modify your account information during this time . It will not affect your game uptime.If you are unable to successfully verify your password .using the automated system, please contact Billing & Account Services at 1-800-59-BLIZZARD (1-800-592-5499) Mon-Fri, 8am-8pm Pacific Time or at billing@blizzard,com. Account security is solely the responsibility of the account holder. Please be advised that in the event of a compromised account, Blizzard representatives typically must lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.
Regards,
The World of Warcraft Support Team Blizzard Entertainment


Now, I read that message and did the following in Yahoo!: I right clicked the message and dropped down to the "view full headers" option. It brought up this information:

From wowaccountadmin Tue May 25 17:14:30 2010
X-Apparently-To: zguy300x@yahoo,com via 76.13.9.106; Tue, 25 May 2010 10:19:23 -0700
Return-Path: <yldilaver@hotmail,com>
X-YahooFilteredBulk: 65.55.116.44
Received-SPF: pass (mta1030.mail.ac4.yahoo.com: domain of yldilaver@hotmail,com designates 65.55.116.44 as permitted sender)
X-YMailISG: NeEAJWQcZApkW_k12KOk44tVD6UDbA4KibSOog9gTnuKNzRqtasdTmh0cHqGrV5Pd3WPMfiUoG9rPK.oSmiTAq9HkN4RINE9pppYaih9mZmfmQwUhphiTNHzQeJrMAG3jUKghPBJGwDSVMrnUr61ks1pyCpcGl3DVNin7_D.ttwmNMmGXHGHQWVgMTOzt8hAiYabsicRvmS2KfQBX78JhNmD9f8hJDXEFo4GPzy9bK4gqaZTmFH7VfyW7Z5X4viUbpj4n4WNuRoMYNjWHQ2FuxpI.nGKQeRKr5FHYBnxIiFoLHBO48EpygDIbjj_.ArFfd8sgxNZp5WrE6cnnODoDEwzXBEpKanUdtS8j23uFNCUUWSTPa4V2c0AOMmJHh0Hw9fB7d2Lx34.9ZUsFyiXPfHC4ZAdF9vFbvUpOyNSMyuMCGH.eb4V8UnXY7_KkScGaMItsHvs0am93Pt6ehoVzCxp.smuSgQR4Nq1zwRmlMn7zi7GVoUzWiu5429okc24_3GDCv1k.du_gIQ40UvTHf7tassX3Bw3wCY2kepC.Jot.hxDIJQ0Qg--
X-Originating-IP: [65.55.116.44]
Authentication-Results: mta1030.mail.ac4.yahoo.com from=blizzard.com; domainkeys=neutral (no sig); from=blizzard.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO blu0-omc1-s33.blu0.hotmail.com) (65.55.116.44)
by mta1030.mail.ac4.yahoo.com with SMTP; Tue, 25 May 2010 10:19:23 -0700
Received: from BLU0-SMTP15 ([65.55.116.8]) by blu0-omc1-s33.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 25 May 2010 10:18:48 -0700
X-Originating-IP: [112.186.54.130]
X-Originating-Email: [yldilaver@hotmail,com]
Message-ID: <BLU0-SMTP15A6B183CF60EF55447E98BBE80@phx,gbl>
Return-Path: yldilaver@hotmail,com
Received: from mgy ([112.186.54.130]) by BLU0-SMTP15,blu0,hotmail,com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 25 May 2010 10:18:45 -0700
Reply-To: <noreply@blizzard,com>
From: "wowaccountadmin" <noreply@blizzard,com>
To: <zguy300x@yahoo,com>
Subject: =?utf-8?B?V29ybGQgb2YgV2FyY3JhZnQgQWM=?=
=?utf-8?B?Y291bnQgUGFzc3dvcmQgdmVyaWY=?=
=?utf-8?B?aWNhdGlvbuKAj+KAjw==?=
Date: Wed, 26 May 2010 01:14:30 +0800
MIME-Version: 1.0
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: base64
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-OriginalArrivalTime: 25 May 2010 17:18:46.0528 (UTC) FILETIME=[556B7000:01CAFC2E]
Content-Length: 7844
*************************************************************************

Now let's take a look at a REAL Blizzard email:

Battle.net Account - Password Reset
From: Blizzard Entertainment <noreply@blizzard.com>
To: "zguy300x@yahoo,com" <zguy300x@yahoo,com>
Battle.net Account - Password Reset

We have reset the password for the Battle.net account associated with this email address. To choose a new password, please click the following link and follow the instructions:

//us,battle,net/account/support/password-reset-confirm,xml?ticket=9991E9FC1F2E715CD68E997

If you did not request the reset, it is possible that this Battle.net account has been accessed by someone not authorized to do so. If you notice issues with the Battle.net account or associated games after logging in with your new password, please contact the appropriate support department for assistance immediately: http://us.blizzard.com/support/article/30791

Please remember that it is your responsibility to keep your login information confidential. You may not share access to the account with anyone who is not expressly permitted in the Battle.net Terms of Use and the Terms of Use for the games you play. You are also responsible for every use of your login information, whether you have authorized it or not.

COMPUTER AND ACCOUNT SECURITY:

Account compromises can occur when a player shares login information with an unauthorized third party or plays on a computer that has a virus, Trojan, or keylogger. In a case where you believe your account has been accessed by an unauthorized party, we would like to suggest that you review the following pages for various security awareness tips (as well as how to recover in-game items or characters) before you log back into the account:

- Security Checklist: http://us.battle.net/security/checklist.html

- Types of Account Thefts: http://us.battle.net/security/types.html

- Account and Computer Security: http://us.blizzard.com/support/article/30794

- What to do if the Account has been compromised: http://us.blizzard.com/support/article/30796

- Account Security and Recovery FAQ: http://us.blizzard.com/support/article/30791

- Email Address Security: http://us.blizzard.com/support/article/30814

We highly recommend adding a Battle.net Authenticator to an account as it is the highest level of security we currently offer. For more information, please visit: http://us.blizzard.com/support/article.xml?tag=BLIZZARDAUTH.

Billing and Account Services can be reached directly at 1-800-592-5499. Players in Australia and Singapore should call 1-800-041-378 and 800-2549927 respectively if unable to connect via the first number. Our representatives are available seven days a week, between 8:00AM and 8:00PM Pacific Time. Alternately, our support team can be reached via email at billing@blizzard.com.

Thank you,

Blizzard Entertainment


Now, I read that message and did the following in Yahoo!: I right clicked the message and dropped down to the "view full headers" option. It brought up this information:

From Blizzard Entertainment Thu May 20 07:11:27 2010
X-Apparently-To: zguy300x@yahoo,com via 76.13.9.98; Thu, 20 May 2010 00:11:28 -0700
Return-Path: <noreply@battle.net>
Received-SPF: pass (mta1164.mail.mud.yahoo.com: domain of noreply@battle.net designates 12.129.242.48 as permitted sender)
X-YMailISG: M3GYk2AcZApLbeqz45VGlIjbLdtNJ0MePlxE9BZTc9Wlt3EPQw3wDdLVgya3kZH7dL_J93NpijG7Gj_K600DuP4Qo68INkDLJc3bAVtkYCYS17QG.1x8aII_M3LFRKEMIkkO0Kk9wyVrBfgg9PvVbGZmETW6CV51Jvf6fEaJ35Gk70drH1fNfBnLvOByRUYpmi1T2OIDu5bekKdfzU5IqtZoFTl8kFzIv.OFUBL4mWcg697dJFhWbBDtCfUzD0UtZV8b9IYaENKsqFU3h3cPYIx_DHBX_r12Qv3FtrWQ2cWyS1_VWEtmg.TwWh8rVKxStivzdt7DuvfkZqo0aDsAZJdjhJu_Tmk7.70XnSRvSuzudFdVK9vpOqPJjzXaG.0IL.H1X07ZelP8EyGSmyny2GW.NfucUy1aowEtOAIov42QdCcejcYyCpm60t4YXLCpW9osG3ROVAh6L0dqdglinLNaVTlc_w--
X-Originating-IP: [12.129.242.48]
Authentication-Results: mta1164.mail.mud.yahoo.com from=blizzard.com; domainkeys=neutral (no sig); from=blizzard.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO smtp12.us.worldofwarcraft.com) (12.129.242.48)
by mta1164.mail.mud.yahoo.com with SMTP; Thu, 20 May 2010 00:11:28 -0700
Received: from uw1-web-16-blade01.wowadmin.net (uw1-web-16-blade01.wowadmin.net [10.48.54.41])
by smtp12.us.worldofwarcraft.com (8.13.8/8.13. with ESMTP id o4K7BRbR010561
for <zguy300x@yahoo,com>; Thu, 20 May 2010 07:11:27 GMT
Date: Thu, 20 May 2010 07:11:27 GMT
Message-ID: <22712098.1274339487668.JavaMail.tomcat@uw1-admin-smtp-vip.wowadmin.net>
From: Blizzard Entertainment <noreply@blizzard.com>
To: "zguy300x@yahoo,com" <zguy300x@yahoo,com>
Subject: Battle.net Account - Password Reset
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Content-Length: 3172
*************************************************************************

Notice how the phishing email has a whole lot of hotmail accounts and the real emails have battle.net stuff? Use the handy dandy "view full headers" option in your email service to identify the bastards!
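
An added example, not part of the original post: the header comparison above as a small Python check run over lines trimmed from the two dumps. It shows that the phishing message's "Received-SPF: pass" vouches only for the hotmail Return-Path, not for the blizzard.com address in From. The SENDER_DOMAINS set and all function names are assumptions of this example.

```python
import re

# Domains that appear in the genuine message's headers in the post; treating
# them as the sender's own is an assumption of this example.
SENDER_DOMAINS = {"blizzard.com", "battle.net", "worldofwarcraft.com"}

# Trimmed from the two header dumps in the post ("," is the poster's defanging).
PHISH = """\
Return-Path: <yldilaver@hotmail,com>
Received-SPF: pass (mta1030.mail.ac4.yahoo.com: domain of yldilaver@hotmail,com
 designates 65.55.116.44 as permitted sender)
From: "wowaccountadmin" <noreply@blizzard,com>
"""
REAL = """\
Return-Path: <noreply@battle.net>
Received-SPF: pass (mta1164.mail.mud.yahoo.com: domain of noreply@battle.net
 designates 12.129.242.48 as permitted sender)
From: Blizzard Entertainment <noreply@blizzard.com>
"""

def parse_headers(raw):
    """Unfold continuation lines; keep the first (topmost) value of each header."""
    headers = {}
    for line in re.sub(r"\r?\n[ \t]+", " ", raw).splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return headers

def domain_of(value):
    """Domain of the first address in a header value, with defanging undone."""
    m = re.search(r"@([A-Za-z0-9.,-]+)", value)
    return m.group(1).replace(",", ".").strip(".").lower() if m else None

def owned(domain):
    """True if the domain is, or is a subdomain of, one of SENDER_DOMAINS."""
    return bool(domain) and any(
        domain == d or domain.endswith("." + d) for d in SENDER_DOMAINS)

def check(raw):
    h = parse_headers(raw)
    shown = domain_of(h.get("from", ""))
    envelope = domain_of(h.get("return-path", ""))
    spf_pass = h.get("received-spf", "").lower().startswith("pass")
    # SPF vouches for the envelope (Return-Path) domain only, so a "pass" for
    # hotmail.com says nothing about a From line that displays blizzard.com.
    spoofed = owned(shown) and not (spf_pass and owned(envelope))
    return {"from": shown, "envelope": envelope, "spf_pass": spf_pass,
            "suspicious": spoofed}
```
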
