WoWInterface

WoWInterface (https://www.wowinterface.com/forums/index.php)
-   Site help, bugs, suggestions/questions (https://www.wowinterface.com/forums/forumdisplay.php?f=18)
-   -   WowInterface.com email database has been compromised (https://www.wowinterface.com/forums/showthread.php?t=34456)

swaldman 12-09-09 11:57 AM

WowInterface.com email database has been compromised
 
Apologies for posting this on a forum - I couldn't find any other way of contacting the people who run wowinterface.

I've just received a fairly standard phishing email, with one notable point - it was sent to an email address that I have only ever used with WoWInterface. This suggests to me that somehow, spammers have gained access to the wowinterface email database.

Please would you investigate?

Email below, with some info anonymised. Note that it was sent as base64-encoded text, which means I can't easily paste the source in here - instead you get what gmail renders, plus the headers.

-----

Code:

Delivered-To: [email protected]
Received: by 10.204.118.145 with SMTP id v17cs348724bkq;
        Wed, 9 Dec 2009 08:43:34 -0800 (PST)
Received: by 10.115.38.32 with SMTP id q32mr18748121waj.8.1260377011997;
        Wed, 09 Dec 2009 08:43:31 -0800 (PST)
Return-Path: <[email protected]>
Received: from mail2-162.sinamail.sina.******* (mail2-162.sinamail.sina.******* [60.28.2.162])
        by mx.google.com with ESMTP id 13si18622189pzk.127.2009.12.09.08.43.30;
        Wed, 09 Dec 2009 08:43:31 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates 60.28.2.162 as permitted sender) client-ip=60.28.2.162;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 60.28.2.162 as permitted sender) [email protected]
Received: from unknown (HELO login.mail.sina.*******) ([10.29.11.24])
  by mail2-160.sinamail.sina.******* with ESMTP; 10 Dec 2009 00:43:29 +0800
Received: by login.mail.sina.******* (Postfix, from userid 80)
        id 44F5E358C47; Thu, 10 Dec 2009 00:43:29 +0800 (CST)
Received: [email protected]([220.249.132.224]) by mail.sina.******* via HTTP;
 Thu, 10 Dec 2009 00:43:29 +0800 (CST)
Date: Thu, 10 Dec 2009 00:43:29 +0800
From: Blizzard Entertainment <[email protected]>
To: [email protected]
Subject: =?GBK?B?QmF0dGxlLm5ldCBBY2NvdW50IKhDIFBhc3N3b3JkIENoYW5nZSBOb3RpY2U=?=
MIME-Version: 1.0
X-Priority: 0
X-MessageID: 1260377009.2617.44142
X-OriginaIP: 10.28.11.24
X-Mailer: Sina WebMail 4.0
Content-Type: multipart/alternative;
        boundary="=-sinamail_alt_5fa618964e32e7282284018b85d011ad"
Message-Id: <[email protected].*******>

Hello

This is an automated notification regarding the recent change(s) made to your Battle.net account

Your password has recently been modified through the Account Management website.

*** If you made this password change, please disregard this notification.

However, if you did NOT make any changes to your password, we recommend you contact Blizzard Billing & Account Services for assistance keeping your account as secure as possible.

For more information, click here for answers to Frequently Asked Questions or to contact the Blizzard Billing & Account Services team.

Account security is solely the responsibility of the accountholder. Please be advised that in the event of a compromised account, Blizzard representatives typically must lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.

Sincerely,
The Battle.net Account Team
Online Privacy Policy

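The headers quoted above already tell the story: the SPF "pass" vouches for the webmail provider's domain, not for the "Blizzard Entertainment" display name. The following Python, added here as an illustration and not code from the thread or from WoWInterface, walks the Received chain of a constructed copy of those headers (redacted domains and addresses replaced with reserved `.example` placeholders) and reports the display-name/domain mismatch together with the first public connecting IP.

```python
"""Walk the Received chain of a suspicious mail and check whether the brand in
the From display name is backed by the sending domain or the relay path.
Added example for this thread; not code from WoWInterface or the posters."""
import re
from email import policy
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample adapted from the headers quoted in the first post; the
# redacted domains and addresses are replaced with reserved .example placeholders.
SAMPLE_HEADERS = """\
Received: by 10.204.118.145 with SMTP id v17cs348724bkq;
        Wed, 9 Dec 2009 08:43:34 -0800 (PST)
Return-Path: <webmail-user@sina.example>
Received: from mail2-162.sinamail.sina.example (mail2-162.sinamail.sina.example [60.28.2.162])
        by mx.google.com with ESMTP id 13si18622189pzk.127.2009.12.09.08.43.30;
        Wed, 09 Dec 2009 08:43:31 -0800 (PST)
Received-SPF: pass (google.com: domain of webmail-user@sina.example designates 60.28.2.162 as permitted sender) client-ip=60.28.2.162;
Received: from unknown (HELO login.mail.sina.example) ([10.29.11.24])
  by mail2-160.sinamail.sina.example with ESMTP; 10 Dec 2009 00:43:29 +0800
Received: by login.mail.sina.example (Postfix, from userid 80)
        id 44F5E358C47; Thu, 10 Dec 2009 00:43:29 +0800 (CST)
Received: webmail-user@sina.example([220.249.132.224]) by mail.sina.example via HTTP;
 Thu, 10 Dec 2009 00:43:29 +0800 (CST)
From: Blizzard Entertainment <webmail-user@sina.example>
To: victim@recipient.example
X-Mailer: Sina WebMail 4.0
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # connecting IPs are bracketed
FROM_HOST = re.compile(r"^from\s+([A-Za-z0-9.-]+)")
HELO_HOST = re.compile(r"\(HELO\s+([A-Za-z0-9.-]+)\)")
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def is_private(ip):
    """RFC 1918 or loopback: an internal hop, never the sender's public address."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a in (10, 127) or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def received_hops(msg):
    """Received headers in transit order (earliest hop first), unfolded and parsed."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())
        helo, frm, by = HELO_HOST.search(text), FROM_HOST.match(text), BY_HOST.search(text)
        # Prefer the HELO name when reverse DNS gave 'unknown'.
        host = helo.group(1) if helo else (frm.group(1) if frm else None)
        hops.append({"from_host": host.lower() if host else None,
                     "by_host": by.group(1).lower() if by else None,
                     "ips": BRACKETED_IP.findall(text)})
    return hops


def originating_ip(hops):
    """First public connecting IP walking from the earliest hop forward. Only the
    receiving side's own hops are trustworthy, so treat this as a lead, not proof."""
    for hop in hops:
        for ip in hop["ips"]:
            if not is_private(ip):
                return ip
    return None


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def analyze(raw_headers, brands=("blizzard", "battle.net", "worldofwarcraft")):
    """Summarise sender identity and flag display-name / domain mismatches."""
    msg = HeaderParser(policy=policy.default).parsestr(raw_headers)
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    rp_domain = domain_of(parseaddr(str(msg.get("Return-Path", "")))[1])
    hops = received_hops(msg)
    relays = [h["from_host"] for h in hops if h["from_host"]]
    findings = []
    # Display-name spoofing: the brand the reader sees appears neither in the
    # address domain nor anywhere on the relay path that really carried the mail.
    for brand in brands:
        if brand in display.lower() and brand not in from_domain and not any(brand in r for r in relays):
            findings.append(f"display name claims '{brand}' but mail came from {from_domain} via {', '.join(relays)}")
    # SPF 'pass' vouches only for the envelope (Return-Path) domain, so say so
    # when that differs from the From domain the reader sees.
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")
    return {"from_display": display, "from_domain": from_domain, "return_path_domain": rp_domain,
            "relays": relays, "originating_ip": originating_ip(hops), "findings": findings}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```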

Dolby 12-09-09 12:04 PM

Our database is not accessible from a public IP. It's only on a VLAN that our httpd servers can access. Looking at the logs I do not see anything that would suggest a compromise to our data.

Checking some other error logs and will let you know if I find anything.

swaldman 12-09-09 12:12 PM

Quote:

Originally Posted by Dolby (Post 168755)
Our database is not accessible from a public IP. It's only on a VLAN that our httpd servers can access. Looking at the logs I do not see anything that would suggest a compromise to our data.

Checking some other error logs and will let you know if I find anything.

The only thing which would suggest a compromise is, I'm afraid, something that you have to take my word on. I use unique email addresses when registering with websites, and only use them for those sites. This spam was sent to the one used for wowinterface. There are other means by which it could have been obtained (problem on my machine, problem with gmail, dubious relay somewhere along the line, etc), but all seem less likely, because I have *only* received it to the wowinterface address and not to other unique addresses, and because it is WoW-related.

Thanks for checking, anyway. If you would like the actual (encoded) text of the email with the actual email address, I'll be happy to send it on by email - but not on a forum.

Dolby 12-09-09 12:20 PM

Sure, please send it to [email protected]

Do you use a shared host? It's possible one of their clients was able to get a list of email addresses on the server.

Any large queries I'm emailed about. However, I'm still sifting through the logs.

Seerah 12-09-09 12:57 PM

For future reference (for both you and any others reading this), since Dolby forgot to mention it, there is a link in the footer of the site, on the bottom-right, which says "Contact WoWInterface". :)

swaldman 12-09-09 04:32 PM

Quote:

Originally Posted by Dolby (Post 168759)
Sure, please send it to [email protected]

Done.

Quote:

Originally Posted by Dolby (Post 168759)
Do you use a shared host? It's possible one of their clients was able to get a list of email addresses on the server.

It's my own domain, run via google apps (so gmail), on which I'm the only user.

I'm no expert, so it's entirely possible that something else is up - but I thought I'd alert you to the possibility. Sorry if it's a wild goose chase :-)

Bluspacecow 12-10-09 11:01 AM

Is it possible that email was public before you turned off displaying it in your public profile for wowinterface ?

swaldman 12-10-09 01:51 PM

Quote:

Originally Posted by Bluspacecow (Post 169048)
Is it possible that email was public before you turned off displaying it in your public profile for wowinterface ?

Hmm. Maybe. I forgot I even had a public profile... most likely I would have created the account and then immediately turned off display of the email address, but if the default is to show it then it would have been visible for a few minutes!

BWarner 12-10-09 04:35 PM

By "shared host", I think Dolby meant cloud hosting, or rather, running multiple people off the same server. Typically, if you get cheap hosting and don't much care about anything server-side, then that's what you're on. However, since you're using GMail for your email service, Google is remotely handling the email, not your server, so your server wouldn't have that data (except potentially the ones you registered the domain and/or hosting with, and maybe one or two default ones).

Ihadurca 12-19-09 12:55 AM

Quote:

Originally Posted by swaldman (Post 168756)
I use unique email addresses when registering with websites, and only use them for those sites. This spam was sent to the one used for wowinterface.

That is a lot of email addresses then. O.o And I thought I was bad w/ my multiple emails for categories, you got me beat w/ emails for each website. ^_^

Also keep in mind, they don't have to "find" your email address somewhere to send it to you. They have automated scripts that randomly put letters and numbers together to make email addresses and send them out. For example: a few months ago I created a new email address. Not yet sure what I wanted to do with it yet, so I just haven't done anything with it yet. I have never registered it with anyone for anything.... and my spam box was flooded within a week. LOL Crazy.

But that is a big coincidence w/ your email.

Zyonin 12-19-09 08:05 AM

Quote:

Originally Posted by Ihadurca (Post 170885)
That is a lot of email addresses then. O.o And I thought I was bad w/ my multiple emails for categories, you got me beat w/ emails for each website. ^_^

Also keep in mind, they don't have to "find" your email address somewhere to send it to you. They have automated scripts that randomly put letters and numbers together to make email addresses and send them out. For example: a few months ago I created a new email address. Not yet sure what I wanted to do with it yet, so I just haven't done anything with it yet. I have never registered it with anyone for anything.... and my spam box was flooded within a week. LOL Crazy.

But that is a big coincidence w/ your email.

Much like when I get WoW phishing spam on a couple of email addresses that I have NEVER used for any WoW site and one email site was never used to sign up for anything. The old brute force approach. Of course I had a couple of chuckles just before pressing the "Delete" button.

numein 12-20-09 03:10 PM

I created a gmail account for my dad some time ago. He almost never uses it, and even if he does it's only for mailing with some friends/colleagues.
So the mail was never public. And the name is fairly long and not generic, so it's not likely to "guess"...

Still, from day 1 I think, the mail is full of spam, and I mean really full (at least 10 spam/day, gets even to 100/day)...

In short: a gmail account can get spam w/o ever being public...

Petrah 12-20-09 03:36 PM

Quote:

Originally Posted by numein (Post 171096)
In short: a gmail account can get spam w/o ever being public...

They all can. Be it free web mail, ISP mail, or private domain created mail.

numein 12-20-09 08:11 PM

Quote:

Originally Posted by Petrah (Post 171100)
They all can. Be it free web mail, ISP mail, or private domain created mail.

Ye sure, I just said gmail 'cause it was mentioned in the opening post...

elfchief 12-29-09 07:49 PM

So...

I'd like to report that I have the same thing happening with me.

I have an email address that's unique to wowinterface... my email system routes anything in the name of myaddress-anyrandomtext directly to me, and I tag my sites that way... so my address here is [email protected]in

A week(ish) ago I got a phishing mail asking for WoW information.

I run my own mail server, nobody shares it but the people that live with me (who don't have administrator access), this email address has never been posted, used to send mail, or otherwise exposed to the real world, other than being used as the account email for wowinterface.

One roommate (who doesn't use the per-site unique addresses) got the same thing to the email address they have registered with wowinterface (though they use it on several sites, so that's not authoritative proof).

I seriously doubt that someone just randomly thought to append -wowinterface to an otherwise working address to get through to me. I think the likelihood of doing it twice with two different people's addresses is pretty damned unlikely. And my roommate never had an attempt at using a -wowinterface form of their address, just their normal address, so somehow the pharmer knew who was using tagged addresses and who wasn't? Seems incredibly unlikely.

Unless my email address is public. I just looked through all of the account options I could find, though, and couldn't find anything about making one's email address visible (or not).

So, I tend to agree, something might be going on here.

And no, unless you use a common name as an email address (e.g. "john@wherever"), a private domain can't get spam if the email address is never used anywhere. Especially not something like mine, where the -wowinterface (or whatever) part doesn't even exist.

-j

Nafe 12-29-09 11:50 PM

I would like to report a similar email that I just received a few minutes ago.

As with a few people above, I know that this was sent directly to the email address I used ONLY for Wowinterface (because I use a unique email for each website...). This is a bit too coincidental to assume it's by chance.

Judging by how log checks showed no success, perhaps there is an exploit used to query the MySQL database (I'm assuming MySQL, for the sake of simplicity) of Wowinterface for a user's email address. Perhaps it's worthwhile to review the PHP code to see if such a leak exists?

Quote:

When we carry out a routine check when the account, we have evidence to show that your account has been involved in the disputed transactions.
So we have to inform you visit our website(http://www.worldofwarcraft.com) fill out some information to facilitate our investigation.
If you can not tie in with our soon we will have to temporarily lock your account.

Sincerely,
Blizzard, Inc.
Copyright @ 2009 Blizzard, Inc. All rights reserved.
Please note that the link (withheld so no poor soul clicks on it) really points to a different website, www.worldofwarcraft______.com where ______ is withheld ;).

Quote:

...

Received: FROM blu0-omc2-s29.blu0.hotmail.com (blu0-omc2-s29.blu0.hotmail.com [65.55.111.104])
By ____________ ID 4B3AE3FB.60720.11556 ;
30 Dec 2009 00:24:11 EST
Received: from BLU0-SMTP18 ([65.55.111.71]) by blu0-omc2-s29.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Tue, 29 Dec 2009 21:24:09 -0800
X-Originating-IP: [60.19.232.196]
X-Originating-Email: [[email protected]]
Message-ID: <[email protected]>
Received: from tszmkl ([60.19.232.196]) by BLU0-SMTP18.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959);
Tue, 29 Dec 2009 21:24:07 -0800
From: "[email protected]" <[email protected]>
To: <[email protected]>
Subject: World of Warcraft Account Trade Dispute Notice
Date: Wed, 30 Dec 2009 13:24:20 +0800
MIME-Version: 1.0
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: base64
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-OriginalArrivalTime: 30 Dec 2009 05:24:08.0226 (UTC) FILETIME=[4FA64820:01CA8910]
I'm forwarding the email to Dolby.

Dolby 12-30-09 12:18 AM

The logs are scanned for injection attacks and any malformed URLs are listed nightly in my logwatch. I of course mysql_real_escape_string() everything that is remotely entered.

Also, Nafe, you do not have a "@nafe.com" email address in our database.


Since you are long-time members, it's possible when we were compromised a few years ago (we posted news about it when it happened) that they got away with some email addresses. That was on our old server and I do not have the logs for that.

Ughmahedhurtz 12-30-09 04:17 PM

"Me too" post...
 
I'll chime in and mention I just got the same phishing email to my wowinterface.com@<mydomain>.net which, like the OP, I set up for use only with this site. I'm not sure if I was a member during the "old server" compromise mentioned above but it would be worth comparing my registered date to that to see if that holds water. The content of the two spam mails I got is identical to the above. The header info is slightly different as you might expect from forged senders/relays.

Polarina 12-30-09 05:14 PM

I've used my e-mail address everywhere and for many years, and never received a single spam message similar to those explained by the users above. I'll let you know if that changes.

MoonWitch 12-30-09 09:44 PM

I've not received such mail (just to - you know break cycles).

Has anyone at any point considered spam sent at random?

I worked for an ISP and now for an anti-virus company, and I also have my own hosting, which includes mail; you wouldn't believe the amount of spam we get (we actually almost disable our spam filters so clients can get through with ludicrous mails).

For those with their own mail servers/hosting: do you have a catch-all address? Any mail sent to a non-existing address will then be sent to the main account.

Since the spam is directed at wow-account farming, they just try random stuff with names of well known wow-oriented sites.

swaldman 12-31-09 02:54 AM

Quote:

Originally Posted by Dolby (Post 172466)

Since you are long-time members, it's possible when we were compromised a few years ago (we posted news about it when it happened) that they got away with some email addresses. That was on our old server and I do not have the logs for that.

Ah, this seems quite plausible.

For me at least it's not a problem - I've only had one message, it's hardly a flood - I just raised it in case it indicated a problem. If it's a remnant of a problem of years ago, no need to worry about it!

frenchie 01-15-10 07:12 PM

I've also just received a phishing email to an address that I use exclusively for wowinterface. It wasn't sent to a catchall, but to the specific address and it's not something that would be easily guessable. (I can forward the email on request if you need it Dolby).

I've been a member here since May 2008 and my email address has never been public.

I'm not worried that that particular email address has found its way onto a phishing list - it's easily changed - however, as someone who's worked in the computer industry for some 25 years with plenty of server admin experience, I'd say that there had almost certainly been some sort of leak of data from this site, given the other reports already in this thread.

I'd also suggest that it probably happened fairly recently as I can't see someone hacking the site and then sitting on the email addresses for a year or two before trying to use them.

This is not about blame, but if there is a possibility of a leak from here then it might be worth warning the entire membership as the email is one of the better phishing attempts I've seen and could catch out the unwary.

The particular phishing site in the email I received was www . wor1dofwercraft . com (spaced out so it's not clickable from here, registered by some bod in China); I have reported the site to the apparent hosters vpls.net

Frigidman 01-15-10 09:03 PM

Just adding a "Me too" as well. Same deal, I create new aliases for various things I sign up with, and the email I use here is unique to this site. I got a phishing email just like the ones noted before. Came with a return address of some guy from hotmail.com.

I sent the mess over to blizzard for them to have fun with.

I am going to be changing my alias I have for this website. If I get another email to the new alias, then you guys are compromised again.

Gemini_II 01-16-10 01:44 AM

Hey Dolby and all,

In the past couple weeks I've received two well-crafted phishing scams in my Gmail spam box. I don't have the emails anymore since I reported them to Gmail and deleted them but they were as described above. Thought I would mention I got something. I use my address for multiple sites, and been a long-time member though, so who knows.
Hope everything works out.

Sepioth 01-16-10 03:39 PM

Nothing to do with compromise but thought I would chime in and say I have received 2 emails in the same day phishing for account info.

They both looked legit as they are exact copies of the one I received when I was actually hacked a while back.

Quote:

Greetings!
This is an automated notification regarding the recent change(s) made to your World of Warcraft account.
Your password has recently been modified through the Password Recovery website.

*** If you made this password change, please disregard this notification.
However, if you did NOT make changes to your password, we recommend you Login verify your password:
http://www.worldofwarcraft.com
If you are unable to successfully verify your password using the automated system, please contact Billing & Account Services at 1-800-59-BLIZZARD (1-800-592-5499) Mon-Fri, 8am-8pm Pacific Time or at [email protected].

Account security is solely the responsibility of the account holder. Please be advised that in the event of a compromised account, Blizzard representatives typically must lock the account.
In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.

Regards,

The World of Warcraft Support Team
Blizzard Entertainment
Both were the same, just spaced out differently.

The links for http://www.worldofwarcraft.com though did not go to where they looked like they would go.

One went to http : // worldofwarcraft - blizzard - service . com/ (spaced out to prevent clicking)
the other http : // www .worldofwarcioft . com/ (notice the clever misspelling of warcraft) (spaced out to prevent clicking)

Both have been reported as phishing sites, as Firefox warns of this as well as Safari on my iPhone. Now Comcast is auto-directing me to their own search page for the first website.

The first thing I did when I saw these was log into my account. I then reported them to Blizzard.

A word of advice to anyone. NEVER click a link in an email like this until you verify it. I use Thunderbird and mousing over the links shows their correct path in the bottom left of the window.

Here is a pic of the first site when you visit it.
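
Sepioth's point is that the visible link text and the real target differ, and that the target is a near-miss spelling of the real site. The following Python, an added example rather than code from the thread or from any poster, extracts anchors from a constructed HTML snippet modelled on those mails (the lookalike labels quoted in this thread are given the reserved `.example` TLD here, and `TRUSTED_HOSTS` is an assumed allow list) and flags text/target mismatches and lookalike hosts.

```python
"""Flag phishing-style links: visible text vs real target, and lookalike hosts.
Added example for this thread; not code from WoWInterface or the posters."""
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_HOSTS = ("worldofwarcraft.com", "blizzard.com", "battle.net")  # assumed allow list
HOSTLIKE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)

# Constructed sample modelled on the mails quoted in this thread; the lookalike
# labels come from the posts above but are placed under the reserved .example TLD.
SAMPLE_HTML = """\
<p>If you did NOT make this change, please Login verify your password:
<a href="http://worldofwarcraft-blizzard-service.example/">http://www.worldofwarcraft.com</a></p>
<p><a href="http://www.worldofwarcioft.example/">http://www.worldofwarcraft.com</a></p>
<p><a href="http://www.wor1dofwercraft.example/">Account Administration</a></p>
<p><a href="https://www.worldofwarcraft.com/">https://www.worldofwarcraft.com/</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Host of a URL or bare hostname without a leading 'www.'; None if not host-like."""
    s = s.strip()
    if not HOSTLIKE.match(s):
        return None
    if "://" not in s:
        s = "http://" + s
    host = (urlparse(s).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def core_label(host):
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def lookalike_of(host, trusted=TRUSTED_HOSTS, threshold=0.8):
    """Trusted host this one imitates: brand label embedded, or a near-miss spelling."""
    if host in trusted:
        return None
    label = core_label(host)
    for t in trusted:
        brand = core_label(t)
        if brand in label or SequenceMatcher(None, label, brand).ratio() >= threshold:
            return t
    return None


def audit_links(html, trusted=TRUSTED_HOSTS):
    """Return one report entry per anchor with the findings a reader should see."""
    parser = LinkExtractor()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        href_host, text_host = host_of(href), host_of(text)
        findings = []
        # The mail shows one URL as text but sends the click somewhere else.
        if text_host and href_host and text_host != href_host:
            findings.append(f"text shows {text_host} but target is {href_host}")
        target = lookalike_of(href_host, trusted) if href_host else None
        if target:
            findings.append(f"{href_host} imitates {target}")
        report.append({"href": href, "text": text, "findings": findings})
    return report


if __name__ == "__main__":
    for entry in audit_links(SAMPLE_HTML):
        print(entry["href"], "->", entry["findings"] or "ok")
```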

Phanx 01-17-10 02:55 AM

Blizzard has been warning users not to click on links in emails that ask for personal information (such as your username or password) for years, as have thousands of other companies, security experts, and individuals. Sadly, too many people ignore all of their warnings, and then are surprised when confronted by evidence of the very real problem, or devastated when their WoW (or any other) account is stolen.

My aunt is a perfect example of this. She doesn't run anti-virus or anti-malware software. She doesn't run a firewall. She clicks on every banner ad and popup she sees. She downloads anything she's offered. She clicks on any link that promises free stuff. She enters her personal information on any site that claims to be running a drawing for free stuff. She buys and installs anything she sees advertised on TV or at a store. She never updates anything that doesn't silently update itself in the background. After the first time, and realizing the scope of the problem, I started charging her by the hour to clean up her computer every few months. After I moved to a different state, I wasn't in the least bit surprised to hear that she'd been the victim of identity theft. If she played WoW, she'd have had her account information keylogged and sent to 25 different parties simultaneously. :o

That said, you should always forward those emails to Blizzard's hacks and piracy team at [email protected]. I generally report them to PhishTank.com as well, which maintains an open database of known phishing sites that's used by a number of browsers.

You should also be very suspicious of any email from any source that asks you to log into your account, but doesn't address you by name.

Finally, if you're going to log into a secure site, you should always type the URL yourself, or access it from a trusted bookmark, rather than clicking on a link in an email or on a website, even if you think the email/website is legit.

Also, as to the original issue, I have several email addresses set up on my personal domain that I've never used on any website, and they still get spam, so I don't think it's a failing on WoWI's part.

swaldman 01-17-10 04:24 AM

Quote:

Originally Posted by Phanx (Post 174913)
Also, as to the original issue, I have several email addresses set up on my personal domain that I've never used on any website, and they still get spam, so I don't think it's a failing on WoWI's part.

But what I, and a number of other people, have explained, is that the email addresses that we refer to have only ever got spam to do with WoW, while our other email addresses don't get spam to do with WoW. This would be... something of a coincidence, if the addresses had not been obtained from somewhere. Having said this, I've still only had the one message (at least, one that has made it past gmail's filtering).

Phanx 01-17-10 03:04 PM

If your email address contains the letters "wow" in consecutive order, as is the case if it contains the term "wowinterface," then it's not even remotely surprising that it gets WoW-related spam.

swaldman 01-17-10 05:09 PM

Quote:

Originally Posted by Phanx (Post 174977)
If your email address contains the letters "wow" in consecutive order, as is the case if it contains the term "wowinterface," then it's not even remotely surprising that it gets WoW-related spam.

Fair point :-)

TNCohiba 01-18-10 12:52 PM

I'd like to ditto, same as others, I use a unique email for websites and the wowinterface one has started getting the phishing ones. I've been a longtime member so it could easily have been before, it doesn't bother me personally. A lot of the email addresses go bad after a while, just wanted to make sure that you don't blame the messengers.

Peace.

Puck 01-19-10 09:24 PM

Well, I thought it was my ex's new little internet boyfriend trying to steal my account, but I'm getting the exact same thing, 2-3 times a day now, as the rest. I do use 1 email address for most things, and have an authenticator, so I'm not worried (as much, there have been *rumors* that authenticators can still be hacked and someone even showed *proof* it could be/has been done). One thing that is fun to do, log onto those sites from a secure source (smart phone, Linux box, etc) and type in the replyto email address then some nice swear words, or use the presidents email address (president @ whitehouse . gov) and see what the secret service decides to do about the spam email HE gets!! :cool: Obviously you don't want to put your own info in there, but it's fun to put fake email addresses in there or just lots and lots of swear words. Due to possible viruses, Trojans and the like, I wouldn't use a computer you were concerned about being infected. (Hence the Linux, MacOS, Smart Phone idea)

I've reported mine to [email protected] as well as reporting them as phishing to gmail. (notice most of us use gmail that are replying to this!?) It should also be noted, there's nothing anywhere related to "wow" "games" or anything else that shows it's for WoW or anything WoW related. (Some people said they have xxxx-wowinterface at whatever dot com, showing it's a wow-related email address). Ok, I'll shut up now.

nightcracker 01-20-10 04:50 AM

The sad part is, it's not that hard to recreate the page of the World of Warcraft login (every HTML and CSS file on the internet is open-source and nothing you can do about it), just changing the direction where the info should go. Then you create a PHP script (or any other language) which receives the information and puts it in a database. Just like the form does that I'm typing this message in.

In fact, it ain't even hard to get a page "secure": just go to a company distributing those "secure" signatures while having a normal page on your site; after you got the certificate you change the website and voilà, you got yourself a "secure" https page.

The lesson we learn from this:
Always look at the URL before typing in sensitive information. If the page is "secure", that only means OTHER people but the webserver can't see what you communicate with the server. If the webserver you're connecting with ain't OK, then you still aren't secure.

Mincetee 01-20-10 05:41 AM

To my knowledge my email isn't public - I've had a look in options but can't find anything that seems to be there for showing/hiding email address.

I also use an email address specific to WoWInterface and have received 18 phishing emails, all from January this year.

If my email address is visible to anyone, how do you change it in vBulletin? I just couldn't see an option about it anywhere...

Phanx 01-21-10 06:05 AM

There isn't an option; WoWI just doesn't show your email address. There may have been an option in the past (and many other forums still do have that option) but it isn't there now.

Cralor 01-21-10 02:38 PM

One way to also help: www.mywot.com (Web of Trust).

Puts a mark next to links if they are Green (safe), Yellow (warning), Red (stay clear).

Here's an example: (the link is written as www.worldofwarcraft.com, but if you click it, it sends you to www.worldofwarcraft-*******.com)

Shurnjo 01-22-10 08:17 AM

Same with me, today I've got this phishing mail to [email protected] - I have only used it to register to this site because I wanted to see a forum post for which a valid username was required.

I have never changed my settings and I only logged in once (after registration)... today it's my 2nd time.

mail header:
Code:

Return-Path: <MAILER-DAEMON@doca>
Received: from murder ([unix socket])
        by doca (Cyrus v2.2.13-Debian-2.2.13-10+etch4) with LMTPA;
        Fri, 22 Jan 2010 14:16:27 +0100
X-Sieve: CMU Sieve 2.2
Received: from localhost (localhost [127.0.0.1])
        by doca.xxxx.com (Postfix) with ESMTP id 0313923B3E7
        for <[email protected]>; Fri, 22 Jan 2010 14:16:27 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at doca.xxxx.com
X-Spam-Score: 0.102
X-Spam-Level:
X-Spam-Status: No, score=0.102 tagged_above=-5 required=3.31
        tests=[BAYES_50=0.001, HTML_MESSAGE=0.001, RDNS_NONE=0.1]
Received: from doca.xxxx.com ([127.0.0.1])
        by localhost (doca.xxxx.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id HszeL2kCU2zd for <[email protected]>;
        Fri, 22 Jan 2010 14:16:26 +0100 (CET)
Received: from blizzard.com (unknown [58.22.162.19])
        by doca.xxxx.com (Postfix) with ESMTP id D950123A496
        for <[email protected]>; Fri, 22 Jan 2010 14:15:56 +0100 (CET)
Received: from WorldClient by blizzard.com (MDaemon PRO v10.1.1)
        with ESMTP id pd50000000005.msg
        for <[email protected]>; Fri, 22 Jan 2010 18:43:51 +0800
X-Spam-Processed: blizzard.com, Fri, 22 Jan 2010 18:43:51 +0800
        (not processed: spam filter already applied to initial list submission)
X-Authenticated-Sender: [email protected]
X-Envelope-From: [email protected]
X-MDaemon-Deliver-To: [email protected]
X-MDMailing-List: [email protected]
Precedence: bulk
Sender: [email protected]
Date: Fri, 22 Jan 2010 18:34:30 +0800
From: "Blizzard Entertainment" <[email protected]>
To: <[email protected]>
Subject: Battle.net Account - Password Change Notice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0122_1034_30_PART-BREAK"
Message-ID: <[email protected]>
X-Mailer: WorldClient 10.1.2


modrogon 01-23-10 03:53 PM

Also got one for the very first time on 1/22. Have a custom email ****[email protected]. This email address is only used here and never got spammed until now.

dorbak 01-25-10 11:19 AM

I've been getting a slew of emails to my wowinterface specific address. I just happened to be looking at my spam folder for some yuks when I noticed the "Account Warnings" every other day since 12/30/09.

As others have mentioned, I have an email set aside specifically to this site, so I find it strange that my non-WI emails have not been getting phished.

Good luck finding it!

Cheers

Cosmic Cleric 02-05-10 01:47 PM

I also received phish email via my wowinterface.com email address
 
I as well have received a phishing email to my wowinterface_com@MYDOMAINNAME email address, which is not known by anybody else except for this web site.

Here's the link in Blizzard's Customer Service forum where I reported the problem to Blizzard...

http://forums.worldofwarcraft.com/th...504016&sid=1#0

And in case the link no longer works, what I posted there...
Quote:

Hello. A phishing email was sent to my wowinterface.com email address. I tried mailing this to [email protected], but Verizon thinks I'm trying to send out spam and won't let me email it to you.

So here you go, the text message first, then its source. For the source, I've hidden my domain name portion of the email address by changing the domain name with "-DOMAINNAMEHIDDENBYME-" ...

Quote:

Greetings

An investigation of your World of Warcraft account has found strong evidence that the account in question is being sold or traded. As you may not be aware of, this conflicts with Blizzard's EULA under section 4 Paragraph B which can be found here:
WoW -> Legal -> End User License Agreement
and Section 8 of the Terms of Use found here:
WoW -> Legal -> Terms of Use

The investigation will be continued by Blizzard administration to determine the action to be taken against your account. If your account is found violating the EULA and Terms of Use, your account can, and will be suspended/closed/or terminated.
In order to keep this from occurring, you should immediately verify that you are the original owner of the account.

To verify your identity please visit the following webpage:
[link removed]

Only Account Administration will be able to assist with account retrieval issues. Thank you for your time and attention to this matter, and your continued interest in World of Warcraft.

Sincerely,


Account Administration
Blizzard Entertainment
Quote:

From - Fri Feb 05 10:28:51 2010
X-Account-Key: account1
X-UIDL: 3587-1242743809
X-Mozilla-Status: 1001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path: <[email protected]>
Received: from smtp.easydns.com ([unknown] [64.68.200.52])
by vms172051.mailsrvcs.net
(Sun Java(tm) System Messaging Server 7u2-7.02 32bit (built Apr 16 2009))
with ESMTP id <[email protected]> for
-DOMAINNAMEHIDDENBYME-; Thu, 04 Feb 2010 17:43:20 -0600 (CST)
Received: from blu0-omc3-s16.blu0.hotmail.com
(blu0-omc3-s16.blu0.hotmail.com [65.55.116.91]) by smtp.easydns.com (Postfix)
with ESMTP id 79AE99740D for <wowinterface_com@-DOMAINNAMEHIDDENBYME->; Thu,
04 Feb 2010 18:43:19 -0500 (EST)
Received: from BLU0-SMTP79 ([65.55.116.73]) by blu0-omc3-s16.blu0.hotmail.com
with Microsoft SMTPSVC(6.0.3790.3959); Thu, 04 Feb 2010 15:38:18 -0800
Received: from ysikawxzf ([209.139.208.224]) by BLU0-SMTP79.blu0.hotmail.com
over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Thu,
04 Feb 2010 15:38:17 -0800
Date: Fri, 05 Feb 2010 07:41:22 +0800
From: "[email protected]" <[email protected]>
Subject: World of Warcraft Account Management
X-Originating-IP: [64.68.200.52]
X-Originating-IP: [209.139.208.224]
To: <wowinterface_com@-DOMAINNAMEHIDDENBYME->
Message-id: <[email protected]>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: base64
X-Priority: 3
X-MSMail-priority: Normal
Received-SPF: pass (forward2: domain of [email protected] designates
65.55.116.91 as permitted sender)
X-Greylist: Passed host: 65.55.116.91
X-Originating-Email: [[email protected]]
Original-recipient: rfc822;wowinterface_com@-DOMAINNAMEHIDDENBYME-
X-OriginalArrivalTime: 04 Feb 2010 23:38:17.0401 (UTC)
FILETIME=[207A6A90:01CAA5F3]
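The headers above show the usual shape of these mails: the SPF "pass" is real, but it vouches only for the relay that handed the message to easydns (65.55.116.91, a hotmail.com outbound server), not for the "Blizzard" display name and not for the machine that injected the message (ysikawxzf, 209.139.208.224, visible only in the innermost Received line and the X-Originating-IP). The following is an added example, not part of the thread, that parses a Received chain and pulls those facts apart; it also maps the tagged recipient address back to the site it was handed out to, which is how the posters in this thread pinned the leak on WoWI. The sample message is a constructed copy of the headers in the post: the relay hostnames and IPs are the ones shown there, while the envelope sender, every local part and the recipient domain (example.net) are made up, because the page elides them.

```python
"""Added example (not from the thread): parse the Received chain of the
phishing mail quoted above and separate what the SPF "pass" actually
vouches for from where the message originated."""
import email
import re
from email import policy

# Constructed sample, headers only. Relay hosts/IPs as shown in the post;
# sender address, recipient domain and local parts are made up.
RAW_PHISH = """\
Return-path: <sender@hotmail.com>
Received: from smtp.easydns.com ([unknown] [64.68.200.52])
 by vms172051.mailsrvcs.net
 (Sun Java(tm) System Messaging Server 7u2-7.02 32bit (built Apr 16 2009))
 with ESMTP for wowinterface_com@example.net; Thu, 04 Feb 2010 17:43:20 -0600 (CST)
Received: from blu0-omc3-s16.blu0.hotmail.com
 (blu0-omc3-s16.blu0.hotmail.com [65.55.116.91]) by smtp.easydns.com (Postfix)
 with ESMTP id 79AE99740D for <wowinterface_com@example.net>; Thu,
 04 Feb 2010 18:43:19 -0500 (EST)
Received: from BLU0-SMTP79 ([65.55.116.73]) by blu0-omc3-s16.blu0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.3959); Thu, 04 Feb 2010 15:38:18 -0800
Received: from ysikawxzf ([209.139.208.224]) by BLU0-SMTP79.blu0.hotmail.com
 over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Thu,
 04 Feb 2010 15:38:17 -0800
Date: Fri, 05 Feb 2010 07:41:22 +0800
From: "Blizzard Entertainment" <sender@hotmail.com>
Subject: World of Warcraft Account Management
To: <wowinterface_com@example.net>
X-Originating-IP: [209.139.208.224]
Received-SPF: pass (forward2: domain of sender@hotmail.com designates
 65.55.116.91 as permitted sender)

(body omitted)
"""

# "from <host> (<comment>) by <host>" as written by most MTAs.
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SPF_RE = re.compile(
    r"^(\w+)\b.*?domain of\s+(\S+?)\s+designates\s+(\S+)\s+as permitted sender",
    re.I | re.S)

# Constructed registry: which site was given which tagged local part.
TAG_REGISTRY = {"wowinterface_com": "wowinterface.com"}


def received_hops(msg):
    """Return the Received chain top to bottom; the last entry is the
    hop closest to the originator, since each MTA prepends its header."""
    hops = []
    for hdr in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(hdr))  # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue
        ipm = IP_RE.search(m.group(2) or "")
        hops.append({"from": m.group(1),
                     "ip": ipm.group(1) if ipm else None,
                     "by": m.group(3).rstrip(";,")})
    return hops


def spf_result(msg):
    """(result, authenticated domain, IP the pass applies to) or None."""
    raw = msg.get("Received-SPF")
    if raw is None:
        return None
    text = re.sub(r"\s+", " ", str(raw))
    m = SPF_RE.search(text)
    if not m:
        return (text.split()[0].lower(), None, None)
    return (m.group(1).lower(), m.group(2).rsplit("@", 1)[-1], m.group(3))


def leak_source(msg, registry=TAG_REGISTRY):
    """Map the tagged recipient local part back to the site it was issued to."""
    rcpt = msg["To"].addresses[0]
    return registry.get(rcpt.username.lower())


def assess(msg):
    hops = received_hops(msg)
    origin = hops[-1] if hops else {"from": None, "ip": None, "by": None}
    spf = spf_result(msg)
    sender = msg["From"].addresses[0]
    words = [w.lower() for w in sender.display_name.split()]
    return {
        "origin_host": origin["from"],
        "origin_ip": origin["ip"],
        "spf_result": spf[0] if spf else None,
        "spf_domain": spf[1] if spf else None,
        "spf_vouches_for_ip": spf[2] if spf else None,
        # SPF authorises the relay, not the machine that injected the mail.
        "spf_covers_origin": bool(spf and spf[2] == origin["ip"]),
        "from_domain": sender.domain,
        # Brand in the display name but absent from the sending domain.
        "brand_in_from_domain": any(w in sender.domain.lower() for w in words),
    }


PHISH = email.message_from_string(RAW_PHISH, policy=policy.default)

if __name__ == "__main__":
    for k, v in assess(PHISH).items():
        print(f"{k:22} {v}")
    print("tagged address issued to:", leak_source(PHISH))
```

The useful output is the pair `spf_covers_origin: False` and `brand_in_from_domain: False`: a webmail account can pass SPF all day long, so the check that matters is whether the authenticated domain has anything to do with the brand in the From line. The `leak_source` lookup is the per-site-address trick several posters used; it only works if each site really got a distinct address, which is why the wildcard and Sneakemail setups mentioned later in the thread are stronger evidence than a single reused address.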
Cosmic Cleric 02-07-10 01:11 PM

Any new news about this issue?

MidgetMage55 02-07-10 02:36 PM

This might be what you're looking for.

Cosmic Cleric 02-07-10 03:11 PM

Quote:

Originally Posted by MidgetMage55 (Post 177690)

No, I read that, but that doesn't address the problem if there was a breach in security on their web site or not.

I get they wouldn't want to necessarily admit it, but I need to know if my email address was compromised because their database was, or something else.

Considering that many have posted this problem, I'm thinking they were compromised. I'd just like to hear some 'official update' on the subject.

Cairenn 02-07-10 03:28 PM

Yes it does. And yes there was. Ages ago. And we posted about it. So how is that not admitting it?

Dolby 02-07-10 03:49 PM

Yes Cosmic Cleric, it does look like they did get a dump of our database back when we were hacked a few years ago and they are using it to send out phishing emails. At the time I only thought our filevault was compromised but it looks like they took our database as well.

I have since gone over every query to make sure there are no injection vulnerabilities. We have also moved to new servers since then with much better security.

I should have posted to make that more clear and I'm very sorry this happened.

Shirik 02-07-10 04:18 PM

Furthermore, please do not post malicious links, with spaces or without. There's neither anything difficult nor confusing about putting a "[link removed]" message in a post.

Cosmic Cleric 02-07-10 09:54 PM

Quote:

Originally Posted by Dolby (Post 177700)
Yes Cosmic Cleric, it does look like they did get a dump of our database back when we were hacked a few years ago and they are using it to send out phishing emails. At the time I only thought our filevault was compromised but it looks like they took our database as well.

I have since gone over every query to make sure there are no injection vulnerabilities. We have also moved to new servers since then with much better security.

I should have posted to make that more clear and I'm very sorry this happened.

Thank you for the reply.

The only lingering thought I have though is that you speak about 'a few years ago' but the attack just happened a few days ago? From what I understand, usually information is used right away, before it becomes outdated. /shrug

Cosmic Cleric 02-07-10 09:56 PM

Quote:

Originally Posted by Shirik (Post 177702)
Furthermore, please do not post malicious links, with spaces or without. There's neither anything difficult nor confusing about putting a "[link removed]" message in a post.

Apologies, but I didn't know if the information was needed or not in diagnosing where the hackers were coming from.
I felt it was better to supply as much information as possible to you guys, in hopes you'd be able to determine what was going on.

Since the link was non-usable, I don't think there's any issue with it being posted (malformed with spaces so its not a valid URL of course).

If someone goes to the trouble of copy/pasting the web link, removing the spaces, then going to that web site, then maybe they deserve what they get. /shrug

EDIT: By the way, while you're so fast to chastise me for the link and to go back and edit my post, you may want to check the OTHER posts made in this same topic for the same kind of links (with spaces added) that you object to me having done.

Cosmic Cleric 02-07-10 10:13 PM

Quote:

Originally Posted by Cairenn (Post 177697)
Yes it does. And yes there was. Ages ago. And we posted about it. So how is that not admitting it?

To be honest, the 'feel' I'm getting about this is that this is a recent break-in, and that you all are trying to pretend it's actually from a long time ago.

I honestly don't know if I'm right or wrong about it, but the perceived hostility level I'm seeing from the admins seems excessive based on the concern of the posts being made by your users.

Do you all honestly think that this RECENT sending of emails is from a data theft from YEARS AGO?

Really?

Dolby 02-07-10 10:39 PM

So far everyone that has posted has had an older account. I haven't received a report from anyone with a newer account that they have received a phishing email at a wowinterface-only email address. I know it's a bit strange and it has me uneasy as well and I'm monitoring queries extremely closely right now.

I don't see anything in our logs or logwatch that would suggest a break in since then either. I have even recently gone over our mysql queries that take external data and make sure they are all protected from injection attacks. I also have plans to switch to mysqli so that injection attacks aren't possible.

Again I'm very sorry this happened to everyone. I appreciate everyone posting that they received one and in no way am I or other staff trying to cover it up. I'm sorry if you feel jumped on Cosmic Cleric, however Shirik just didn't want google/yahoo/bing bots to index that site by crawling our threads.

If we do find anything in the future we will let every one know.

Cosmic Cleric 02-08-10 12:44 AM

Quote:

Originally Posted by Dolby (Post 177745)
So far everyone that has posted has had an older account. I haven't received a report from anyone with a newer account that they have received a phishing email at a wowinterface-only email address. I know it's a bit strange and it has me uneasy as well and I'm monitoring queries extremely closely right now.

I don't see anything in our logs or logwatch that would suggest a break in since then either. I have even recently gone over our mysql queries that take external data and make sure they are all protected from injection attacks. I also have plans to switch to mysqli so that injection attacks aren't possible.

Again I'm very sorry this happened to everyone. I appreciate everyone posting that they received one and in no way am I or other staff trying to cover it up. I'm sorry if you feel jumped on Cosmic Cleric, however Shirik just didn't want google/yahoo/bing bots to index that site by crawling our threads.

If we do find anything in the future we will let every one know.

Thank you for the additional information and apology, they are appreciated. :)

Zyonin 02-08-10 07:08 AM

Quote:

Originally Posted by Cosmic Cleric (Post 177742)
To be honest, the 'feel' I'm getting about this is that this is a recent break-in, and that you all are trying to pretend it's actually from a long time ago.

I honestly don't know if I'm right or wrong about it, but the perceived hostility level I'm seeing from the admins seems excessive based on the concern of the posts being made by your users.

Do you all honestly think that this RECENT sending of emails is from a data theft from YEARS AGO?

Really?

I think that the answer to your question is yes as I have been getting a spike of phishing emails at the account I used to register with originally. However I am getting zero phishing spam at the address that I am currently using as my WoWI registered address which I have been using for the last year or so. The email address I am getting the phishing spam is the one that I used when the file vault was broken into a couple of years ago.

Many times, crackers who swipe details like email addresses don't act on the data right away. In many instances they will wait until everyone has forgotten about the theft. In many cases, the thieves will sell the harvested addresses. This is likely the case here; the thieves have sold the addresses to numerous parties or have stashed the db in some forum/community where phishers hang out.

Fortunately in my case, Yahoo is real good at filtering all this crap into the spam box. In addition, I don't use that address for day to day email anymore.

SkunkWerks 04-22-10 05:17 AM

I'll add my own anecdote to this thread. As with others, I am using a unique email address (this one from Sneakemail) that I only gave to WoWI, and no one else. Also, as with others here, I can see no other possible means by which they extracted my e-mail except for through WoWI.

The idea of a random assemblage of letters and numbers (brute force) is possible, I suppose, but hardly seems likely, since that's exactly how Sneakemail generates redirect addresses, that and it seems an awful lot of trouble to go through just to send me an e-mail with a phishing link and baiting me by telling me an Aion account I have never had in the past or present is compromised.

Quote:

Originally Posted by Dolby (Post 172466)
Since you are long time members it's possible when we were compromised a few years ago (we posted news about it when it happened) that they got away with some email addresses. That was on our old server and I do not have the logs for that.

I have been here a while, and this sounds like a possibility, though as others have, I'd have to question: "Why now and not when they made off with the addresses?" I've never before had this sort of issue with WoWI, and that I'm just now having it seems significant enough to mention. It also seems significant that, two months after the last post made in this thread, this issue is still cropping up.

On my end it's a simple matter of changing the redirect address I have linking me to WoWI. But if something is compromised somehow at your end, well, I suppose the bottom line is that all this information is far more valuable to you than to me.

In the meantime, I suppose the ultimate test would be simply to change the address and keep an eye on what happens. If water still somehow makes it out the bottom of the bucket after that, it seems fair to assume there's a hole in it.

Zyonin 04-23-10 04:10 AM

Quote:

Originally Posted by SkunkWerks (Post 185523)
I have been here a while, and this sounds like a possibility, though as others have, I'd have to question: "Why now and not when they made off with the addresses?" I've never before had this sort of issue with WoWI, and that I'm just now having it seems significant enough to mention. It also seems significant that, two months after the last post made in this thread, this issue is still cropping up.

See my previous post in this thread:

Quote:

Originally Posted by Zyonin (Post 177774)
Many times, crackers who swipe details like email addresses don't act on the data right away. In many instances they will wait until everyone has forgotten about the theft. In many cases, the thieves will sell the harvested addresses. This is likely the case here; the thieves have sold the addresses to numerous parties or have stashed the db in some forum/community where phishers hang out.

Likely the folks that did the original break-in a couple of years are NOT the ones spamming everyone's email account.

Data thieves will usually hold onto and wait to use data like email addresses, WoW Account info, Social Security numbers and other such data. It's not "perishable" like Authenticator keys, credit card numbers and bank account data; thus the thieves can afford to wait months before using or selling the data. This also adds a "fog of time" effect that causes confusion for victims as in most cases they will not be able to remember when and where the theft occurred.

This issue will keep cropping up until the email addresses that were stolen are either closed, relegated to spam "honeypots" (like my old email account that was used to register here) or otherwise ignored. Change your account email address and keep an eye on the email that comes in.

ScreamingPict 04-28-10 08:44 AM

In case it helps- I also got a phishing mail to an account that was only registered on this site (I have a wildcarded set of e-mail addresses so it wasn't just an address that they had guessed)- hopefully this combined with my first registered account date will give you more indication that this is just the old hack on the previous server.

SkunkWerks 07-25-10 04:14 PM

Quote:

Originally Posted by SkunkWerks (Post 185523)
In the meantime, I suppose the ultimate test would be simply to change the address and keep an eye on what happens. If water still somehow makes it out the bottom of the bucket after that, it seems fair to assume there's a hole in it.

There's a hole in the bucket
Dear Liza, Dear Liza
There's a hole in the bucket
Dear Liza
A hole.


By which I mean to say, I've since the above event changed to another unique e-mail address, and once again, I find myself getting scam e-mails through the address given uniquely to WoWI and only WoWI.

This time it was a beta test scam. You know when your e-mail reader tells you that you need to install a Chinese language pack to read all the e-mail's content correctly, that's not a good sign from the get-go.

Quote:

getting
'Greetings'?

Quote:

Get those opt-ins ready for the World of Warcraft: Cataclysm closed beta! The sundering of Azeroth is nigh, and you don’t want to be left out in the cold of Northrend when you could be enjoying the sun-drenched beaches on the goblin isle of Kezan. To ensure you’re opted-in and eligible as a potential candidate, you’ll need a World of Warcraft license attached to your Battle.net account, have your current system specifications uploaded to the Battle.net Beta Profile Settings page, and have expressed interest through the franchise-specific check boxes.

Get the Installer - Log in to your Battle.net account: [LINK REMOVED]

** IMPORTANT ** To avoid graphical bugs and other technical issues, please ensure your video card drivers are up-to-date.

Enjoy the game!

Blizzard Entertainment, Inc.
So, I'm once again forced to wonder if there is not a more recent or ongoing breach of your servers.

Dolby 07-25-10 05:52 PM

When did you last change your email address?

I'm sorry this happened to you again.

Just yesterday I had found a potential hole into our database where when you updated an AddOn the cached username could allow an injection based upon the user's name. So far it looks like that was the only field that wasn't wrapped with mysql_real_escape_string() due to the fact it was getting the name from vbulletin and I wasn't thinking. I'm investigating the logs to see if anything was taken advantage of there.

We are upgrading to new servers soon (already upgraded our addon file server). I will again audit my MySQL queries and change all passwords (As I do with all moves).
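The hole described above is worth seeing concretely: a username that arrives via another component (vBulletin's cached display name) is "trusted" data only in the developer's head, and one field left out of the escaping is enough for an attacker-chosen name to rewrite the query and pull e-mail addresses out of the users table through a column the attacker can later read on the addon page. The following is an added example, not WoWI's code: it uses Python's bundled sqlite3 in place of MySQL so it runs offline, the table layout and the shape of the UPDATE are assumptions (the post does not give them), and the `version` field is quote-escaped to mirror the fields that were wrapped in mysql_real_escape_string(). SQLite's `||` plays the role of MySQL's CONCAT(); the mechanism is the same.

```python
"""Added example (not from the thread): an addon-update query that
interpolates a cached username, beside the parameterised fix."""
import sqlite3

# Attacker sets this as their display name on the forum side. The
# single quote ends the string literal; the rest splices a subquery in.
ATTACKER_NAME = "x'||(SELECT group_concat(email, ',') FROM users)||'"


def make_db():
    """Constructed schema and rows standing in for the site's tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users  (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE addons (id INTEGER PRIMARY KEY, name TEXT,
                             version TEXT, updated_by TEXT);
        INSERT INTO users  VALUES (1, 'alice', 'alice@example.net'),
                                  (2, 'bob',   'bob@example.org');
        INSERT INTO addons VALUES (1, 'SomeAddon', '1.0', 'alice');
    """)
    return conn


def update_addon_vulnerable(conn, addon_id, version, cached_username):
    """The pattern the post describes: every field escaped except the
    one that came from somewhere else (assumed query shape)."""
    sql = ("UPDATE addons SET version = '%s', updated_by = '%s' WHERE id = %d"
           % (version.replace("'", "''"),   # escaped, like the other fields
              cached_username,              # trusted by mistake
              int(addon_id)))
    conn.execute(sql)
    conn.commit()


def update_addon_safe(conn, addon_id, version, cached_username):
    """Parameterised statement: the driver sends values separately from
    the SQL text, so no value can change the query's structure."""
    conn.execute("UPDATE addons SET version = ?, updated_by = ? WHERE id = ?",
                 (version, cached_username, int(addon_id)))
    conn.commit()


def updated_by(conn, addon_id):
    """What the addon page would later display for 'last updated by'."""
    row = conn.execute("SELECT updated_by FROM addons WHERE id = ?",
                       (addon_id,)).fetchone()
    return row[0]


def demo():
    """Run the same attacker name through both paths and return what
    ends up stored in each case."""
    vuln = make_db()
    update_addon_vulnerable(vuln, 1, "1.1", ATTACKER_NAME)
    leaked = updated_by(vuln, 1)      # 'x' + every user's e-mail address

    safe = make_db()
    update_addon_safe(safe, 1, "1.1", ATTACKER_NAME)
    stored = updated_by(safe, 1)      # the literal name, harmless
    return leaked, stored


if __name__ == "__main__":
    leaked, stored = demo()
    print("vulnerable path stored:", leaked)
    print("parameterised path stored:", stored)
```

Two points for anyone auditing the same kind of code. First, escaping is a per-call-site discipline: it only holds if every interpolated value is escaped and every one is wrapped in matching quotes, which is exactly the audit that missed one field here. Second, changing driver from the mysql_* functions to mysqli does not by itself remove injection; it is the use of prepared statements with bound parameters (mysqli's prepare/bind_param, PDO, or the `?` placeholders above) that makes the query text independent of the data.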

SkunkWerks 07-25-10 06:12 PM

Quote:

Originally Posted by Dolby (Post 200073)
When did you last change your email address?

The date of my second to last post in this thread (the one I quoted in my latest post) is a pretty reliable date for that- so I'd say around about 04-22-2010.

I'll probably change it again not long from now, but I figured I'd see about what was happening here first.

Dolby 07-25-10 06:14 PM

Quote:

Originally Posted by SkunkWerks (Post 200077)
The date of my second to last post in this thread (the one I quoted in my latest post) is a pretty reliable date for that- so I'd say around about 04-22-2010.

Ok if it isn't too much trouble and when you have the time please change your email address again. I have a few test accounts too but have received zilch from them at the moment.

I'm going to have a 2nd set of eyes look over my queries too.

SkunkWerks 07-26-10 08:20 AM

Quote:

Originally Posted by Dolby (Post 200078)
Ok if it isn't too much trouble and when you have the time please change your email address again.

Done as of yesterday (7/25). Thanks for your diligence.

Rilgamon 07-26-10 10:58 AM

Quote:

Originally Posted by Dolby (Post 200073)
When did you last change your email address?

I'm sorry this happened to you again.

Just yesterday I had found a potential hole into our database where when you updated an AddOn the cached username could allow an injection based upon the user's name. So far it looks like that was the only field that wasn't wrapped with mysql_real_escape_string() due to the fact it was getting the name from vbulletin and I wasn't thinking. I'm investigating the logs to see if anything was taken advantage of there.

We are upgrading to new servers soon (already upgraded our addon file server). I will again audit my MySQL queries and change all passwords (As I do with all moves).

I'm sure you've read this but since you mention vBulletin I thought this might be related:

http://www.h-online.com/open/news/it...n-1044462.html


All times are GMT -6.

vBulletin © 2024, Jelsoft Enterprises Ltd
© 2004 - 2022 MMOUI