Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
Digg this story   Add to del.icio.us  
World of PhishCraft
Symantec Security Response, 2008-02-15

It is surely of no surprise, especially to regular readers of our Weblog, that not only banks are targeted by phishing attacks, but nearly anything that can be scammed. We already commented on the rise in attacks targeting virtual worlds and especially massively multiplayer online role-playing games (MMORPGs) in earlier posts. The growing market for virtual currency and player accounts does attract new scammers. It's the nature of things that if something becomes popular to use, it will also become popular to attack.

There was no exclamation of surprise then (a.k.a. Wow!) when I saw the latest phishing email for World of Warcraft. In general, it attempted to get a reaction from me by telling me that my account was temporarily suspended and that I need to log in to verify my details. Well actually, I would rather not log in to unlock my account but hey, it's their story, not mine.

If you were to follow the masked link you would end up at a spoofed site:
http://wow-europe.good*******.eu/servicehttps3A2F2Fwwwwoweuropecom2Faccount2F.html

The page asks you for your password. If you actually read the text you will notice that the scammer even left the phishing warning intact, which tells you that you should make sure that you are on a page that starts with "httpS://www.worldofwarcraft.com/". Clearly this condition is not met on this fake site. On the other hand, we all know that users are having problems reading and identifying URLs correctly.

The page is made to appear quite convincing, which is not that surprising because they just copied everything and used direct linking to all the original images. So let's say you just woke up and didn't notice the glitch in the URL and therefore logged in. You would be taken to a Web site that asks you for even more personal information. After you give all those away as well, including the answer to your secret question, you will be redirected to the official WoW main page. All the while, your account is scheduled for infiltration so all of your gold and items can be stolen by the scammer.

If you follow some simple rules then you should not fall victim to dumpy phishing attacks such as these. Always make sure you are on the official site when you log in. Blizzard's account security information found here sums it up as follows:

The vast majority of account compromises originate from one of three sources:

1. "Spoof" Web sites and emails
2. Downloading hacks, cheats, or other executable content
3. Sharing account information and/or using power-leveling services

There are only four places where you should EVER type your password:
- The World of Warcraft game login screen.
- The Account Management page on the official site (http://www.worldofwarcraft.com/account/)
- The World of Warcraft Armory page (https://www.wowarmory.com/login.xml).
- The official World of Warcraft forums (http://forums.worldofwarcraft.com)

So the next time you get an invite to join the special beta testing group for the next expansion set, make sure that you know where you are. Of course, other MMORPGs are targeted by phishers as well, so watch out no matter what sort of games you play.

(A tip of the hat goes to Per for the heads up.)




The information, views, and opinions contained on this page are those of the author and do not necessarily reflect the views and opinions of SecurityFocus.






 

Privacy Statement
Copyright 2009, SecurityFocus