WoWInterface

Site help, bugs, suggestions/questions: WowInterface.com email database has been compromised (https://www.wowinterface.com/forums/showthread.php?t=34456)

swaldman 12-09-09 11:57 AM

WowInterface.com email database has been compromised
 
Apologies for posting this on a forum - I couldn't find any other way of contacting the people who run wowinterface.

I've just received a fairly standard phishing email, with one notable point - it was sent to an email address that I have only ever used with WoWInterface. This suggests to me that somehow, spammers have gained access to the wowinterface email database.

Please would you investigate?

Email below, with some info anonymised. Note that it was sent as base64-encoded text, which means I can't easily paste the source in here - instead you get what gmail renders, plus the headers.

-----

Code:

Delivered-To: [email protected]
Received: by 10.204.118.145 with SMTP id v17cs348724bkq;
        Wed, 9 Dec 2009 08:43:34 -0800 (PST)
Received: by 10.115.38.32 with SMTP id q32mr18748121waj.8.1260377011997;
        Wed, 09 Dec 2009 08:43:31 -0800 (PST)
Return-Path: <[email protected]>
Received: from mail2-162.sinamail.sina.******* (mail2-162.sinamail.sina.******* [60.28.2.162])
        by mx.google.com with ESMTP id 13si18622189pzk.127.2009.12.09.08.43.30;
        Wed, 09 Dec 2009 08:43:31 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates 60.28.2.162 as permitted sender) client-ip=60.28.2.162;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 60.28.2.162 as permitted sender) [email protected]
Received: from unknown (HELO login.mail.sina.*******) ([10.29.11.24])
  by mail2-160.sinamail.sina.******* with ESMTP; 10 Dec 2009 00:43:29 +0800
Received: by login.mail.sina.******* (Postfix, from userid 80)
        id 44F5E358C47; Thu, 10 Dec 2009 00:43:29 +0800 (CST)
Received: [email protected]([220.249.132.224]) by mail.sina.******* via HTTP;
 Thu, 10 Dec 2009 00:43:29 +0800 (CST)
Date: Thu, 10 Dec 2009 00:43:29 +0800
From: Blizzard Entertainment <[email protected]>
To: [email protected]
Subject: =?GBK?B?QmF0dGxlLm5ldCBBY2NvdW50IKhDIFBhc3N3b3JkIENoYW5nZSBOb3RpY2U=?=
MIME-Version: 1.0
X-Priority: 0
X-MessageID: 1260377009.2617.44142
X-OriginaIP: 10.28.11.24
X-Mailer: Sina WebMail 4.0
Content-Type: multipart/alternative;
        boundary="=-sinamail_alt_5fa618964e32e7282284018b85d011ad"
Message-Id: <[email protected].*******>

Hello

This is an automated notification regarding the recent change(s) made to your Battle.net account

Your password has recently been modified through the Account Management website.

*** If you made this password change, please disregard this notification.

However, if you did NOT make any changes to your password, we recommend you contact Blizzard Billing & Account Services for assistance keeping your account as secure as possible.

For more information, click here for answers to Frequently Asked Questions or to contact the Blizzard Billing & Account Services team.

Account security is solely the responsibility of the accountholder. Please be advised that in the event of a compromised account, Blizzard representatives typically must lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.

Sincerely,
The Battle.net Account Team
Online Privacy Policy
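
As an added example (not part of the post, and not code from WoWInterface), the following Python triage of headers like the ones pasted above decodes the RFC 2047 Subject, lists the bracketed relay IPs from the Received chain with a private-range flag, picks the earliest public hop as the submitting client, and flags a From display name that does not match the sender's domain. The header sample is constructed: the Subject encoded-word and the relay IPs are the ones pasted above, while every address and host name is a placeholder, since the original was anonymised.

```python
import email
import ipaddress
import re
from email.header import decode_header
from email.utils import parseaddr

# Constructed sample modelled on the pasted headers: the Subject encoded-word and
# the relay IPs come from the page; all addresses and host names are placeholders.
RAW_HEADERS = """\
Return-Path: <sender@webmail.example>
Received: from mail2-162.sinamail.example (mail2-162.sinamail.example [60.28.2.162])
        by mx.example.net with ESMTP; Wed, 09 Dec 2009 08:43:31 -0800 (PST)
Received: from unknown (HELO login.mail.example) ([10.29.11.24])
  by mail2-160.sinamail.example with ESMTP; 10 Dec 2009 00:43:29 +0800
Received: sender@webmail.example([220.249.132.224]) by mail.example via HTTP;
 Thu, 10 Dec 2009 00:43:29 +0800 (CST)
From: Blizzard Entertainment <sender@webmail.example>
To: victim@example.org
Subject: =?GBK?B?QmF0dGxlLm5ldCBBY2NvdW50IKhDIFBhc3N3b3JkIENoYW5nZSBOb3RpY2U=?=
X-OriginaIP: 10.28.11.24
"""
MSG = email.message_from_string(RAW_HEADERS)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def decode_subject(msg=MSG):
    """Decode RFC 2047 encoded-words (here base64 in GBK) into readable text."""
    out = []
    for chunk, charset in decode_header(msg["Subject"]):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        out.append(chunk)
    return "".join(out)

def relay_ips(msg=MSG):
    """Bracketed IPs from each Received header, newest hop first, with a private flag."""
    return [(ip, ipaddress.ip_address(ip).is_private)
            for received in msg.get_all("Received", [])
            for ip in IP_RE.findall(received)]

def originating_ip(msg=MSG):
    """Earliest public hop: the client that handed the mail to the first server."""
    public = [ip for ip, private in relay_ips(msg) if not private]
    return public[-1] if public else None

def display_name_mismatch(msg=MSG):
    """Heuristic: the brand in the From display name is absent from the sender's domain."""
    name, addr = parseaddr(msg["From"])
    return bool(name) and name.split()[0].lower() not in addr.rpartition("@")[2].lower()
```

The internal 10.x hop is the webmail provider's own network; the last public hop is the address that logged in to the webmail, which is the one worth reporting.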


Dolby 12-09-09 12:04 PM

Our database is not accessible from a public IP. It's only on a VLAN that our httpd servers can access. Looking at the logs I do not see anything that would suggest a compromise to our data.

Checking some other error logs and will let you know if I find anything.

swaldman 12-09-09 12:12 PM

Quote:

Originally Posted by Dolby (Post 168755)
Our database is not accessible from a public IP. It's only on a VLAN that our httpd servers can access. Looking at the logs I do not see anything that would suggest a compromise to our data.

Checking some other error logs and will let you know if I find anything.

The only thing which would suggest a compromise is, I'm afraid, something that you have to take my word on. I use unique email addresses when registering with websites, and only use them for those sites. This spam was sent to the one used for wowinterface. There are other means by which it could have been obtained (problem on my machine, problem with gmail, dubious relay somewhere along the line, etc), but all seem less likely, because I have *only* received it to the wowinterface address and not to other unique addresses, and because it is WoW-related.

Thanks for checking, anyway. If you would like the actual (encoded) text of the email with the actual email address, I'll be happy to send it on by email - but not on a forum.

Dolby 12-09-09 12:20 PM

Sure, please send it to [email protected]

Do you use a shared host? It's possible one of their clients was able to get a list of email addresses on the server.

Any large queries I'm emailed about. However, I'm still sifting through the logs.

Seerah 12-09-09 12:57 PM

For future reference (for both you and any others reading this), since Dolby forgot to mention it, there is a link in the footer of the site, on the bottom-right, which says "Contact WoWInterface". :)

swaldman 12-09-09 04:32 PM

Quote:

Originally Posted by Dolby (Post 168759)
Sure, please send it to [email protected]

Done.

Quote:

Originally Posted by Dolby (Post 168759)
Do you use a shared host? It's possible one of their clients was able to get a list of email addresses on the server.

It's my own domain, run via google apps (so gmail), on which I'm the only user.

I'm no expert, so it's entirely possible that something else is up - but I thought I'd alert you to the possibility. Sorry if it's a wild goose chase :-)

Bluspacecow 12-10-09 11:01 AM

Is it possible that email was public before you turned off displaying it in your public profile for wowinterface?

swaldman 12-10-09 01:51 PM

Quote:

Originally Posted by Bluspacecow (Post 169048)
Is it possible that email was public before you turned off displaying it in your public profile for wowinterface?

Hmm. Maybe. I forgot I even had a public profile... most likely I would have created the account and then immediately turned off display of the email address, but if the default is to show it then it would have been visible for a few minutes!

BWarner 12-10-09 04:35 PM

By "shared host", I think Dolby meant cloud hosting, or rather, running multiple people off the same server. Typically, if you get cheap hosting and don't much care about anything server-side, then that's what you're on. However, since you're using GMail for your email service, Google is remotely handling the email, not your server, so your server wouldn't have that data (except potentially the ones you registered the domain and/or hosting with, and maybe one or two default ones).

Ihadurca 12-19-09 12:55 AM

Quote:

Originally Posted by swaldman (Post 168756)
I use unique email addresses when registering with websites, and only use them for those sites. This spam was sent to the one used for wowinterface.

That is a lot of email addresses then. O.o And I thought I was bad w/ my multiple emails for categories, you got me beat w/ emails for each website. ^_^

Also keep in mind, they don't have to "find" your email address somewhere to send it to you. They have automated scripts that randomly put letters and numbers together to make email addresses and send them out. For example, a few months ago I created a new email address. Not yet sure what I wanted to do with it yet, so I just haven't done anything with it yet. I have never registered it with anyone for anything.... and my spam box was flooded within a week. LOL Crazy.

But that is a big coincidence w/ your email.

Zyonin 12-19-09 08:05 AM

Quote:

Originally Posted by Ihadurca (Post 170885)
That is a lot of email addresses then. O.o And I thought I was bad w/ my multiple emails for categories, you got me beat w/ emails for each website. ^_^

Also keep in mind, they don't have to "find" your email address somewhere to send it to you. They have automated scripts that randomly put letters and numbers together to make email addresses and send them out. For example, a few months ago I created a new email address. Not yet sure what I wanted to do with it yet, so I just haven't done anything with it yet. I have never registered it with anyone for anything.... and my spam box was flooded within a week. LOL Crazy.

But that is a big coincidence w/ your email.

Much like when I get WoW phishing spam on a couple of email addresses that I have NEVER used for any WoW site and one email site was never used to sign up for anything. The old brute force approach. Of course I had a couple of chuckles just before pressing the "Delete" button.

numein 12-20-09 03:10 PM

I created a gmail account for my dad some time ago. He almost never uses it, and even if he does it's only for mailing with some friends/colleagues.
So the mail was never public. And the name is fairly long and not generic, so it's not likely to "guess"...

Still, from day 1 I think, the mail is full of spam, and I mean really full (at least 10 spam/day, gets even to 100/day)...

In short: a gmail account can get spam w/o ever being public...

Petrah 12-20-09 03:36 PM

Quote:

Originally Posted by numein (Post 171096)
In short: a gmail account can get spam w/o ever being public...

They all can. Be it free web mail, ISP mail, or private domain created mail.

numein 12-20-09 08:11 PM

Quote:

Originally Posted by Petrah (Post 171100)
They all can. Be it free web mail, ISP mail, or private domain created mail.

Yeah sure, I just said gmail 'cause it was mentioned in the opening post...

elfchief 12-29-09 07:49 PM

So...

I'd like to report that I have the same thing happening with me.

I have an email address that's unique to wowinterface... my email system routes anything in the name of myaddress-anyrandomtext directly to me, and I tag my sites that way... so my address here is [email protected]in

A week(ish) ago I got a phishing mail asking for WoW information.

I run my own mail server, nobody shares it but the people that live with me (who don't have administrator access), this email address has never been posted, used to send mail, or otherwise exposed to the real world, other than being used as the account email for wowinterface.

One roommate (who doesn't use the per-site unique addresses) got the same thing to the email address they have registered with wowinterface (though they use it on several sites, so that's not authoritative proof).

I seriously doubt that someone just randomly thought to append -wowinterface to an otherwise working address to get through to me. I think the likelihood of doing it twice with two different people's addresses is pretty damned unlikely. And my roommate never had an attempt at using a -wowinterface form of their address, just their normal address, so somehow the pharmer knew who was using tagged addresses and who wasn't? Seems incredibly unlikely.

Unless my email address is public. I just looked through all of the account options I could find, though, and couldn't find anything about making one's email address visible (or not).

So, I tend to agree, something might be going on here.

And no, unless you use a common name as an email address (e.g. "john@wherever"), a private domain can't get spam if the email address is never used anywhere. Especially not something like mine, where the -wowinterface (or whatever) part doesn't even exist.

-j

Nafe 12-29-09 11:50 PM

I would like to report a similar email that I just received a few minutes ago.

As with a few people above, I know that this was sent directly to the email address I used ONLY for Wowinterface (because I use a unique email for each website...). This is a bit too coincidental to assume it's by chance.

Judging by how log checks showed no success, perhaps there is an exploit used to query the MySQL database (I'm assuming MySQL, for the sake of simplicity) of Wowinterface for a user's email address. Perhaps it's worthwhile to review the PHP code to see if such a leak exists?

Quote:

When we carry out a routine check when the account, we have evidence to show that your account has been involved in the disputed transactions.
So we have to inform you visit our website(http://www.worldofwarcraft.com) fill out some information to facilitate our investigation.
If you can not tie in with our soon we will have to temporarily lock your account.

Sincerely,
Blizzard, Inc.
Copyright @ 2009 Blizzard, Inc. All rights reserved.
Please note that the link (withheld so no poor soul clicks on it) really points to a different website, www.worldofwarcraft______.com where ______ is withheld ;).

Quote:

...

Received: FROM blu0-omc2-s29.blu0.hotmail.com (blu0-omc2-s29.blu0.hotmail.com [65.55.111.104])
By ____________ ID 4B3AE3FB.60720.11556 ;
30 Dec 2009 00:24:11 EST
Received: from BLU0-SMTP18 ([65.55.111.71]) by blu0-omc2-s29.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Tue, 29 Dec 2009 21:24:09 -0800
X-Originating-IP: [60.19.232.196]
X-Originating-Email: [[email protected]]
Message-ID: <[email protected]>
Received: from tszmkl ([60.19.232.196]) by BLU0-SMTP18.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959);
Tue, 29 Dec 2009 21:24:07 -0800
From: "[email protected]" <[email protected]>
To: <[email protected]>
Subject: World of Warcraft Account Trade Dispute Notice
Date: Wed, 30 Dec 2009 13:24:20 +0800
MIME-Version: 1.0
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: base64
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-OriginalArrivalTime: 30 Dec 2009 05:24:08.0226 (UTC) FILETIME=[4FA64820:01CA8910]

I'm forwarding the email to Dolby.

Dolby 12-30-09 12:18 AM

The logs are scanned for injection attacks and any malformed URLs are listed nightly in my logwatch. I of course mysql_real_escape_string() everything that is remotely entered.

Also, Nafe, you do not have a "@nafe.com" email address in our database.


Since you are long-time members, it's possible that when we were compromised a few years ago (we posted news about it when it happened) they got away with some email addresses. That was on our old server and I do not have the logs for that.

Ughmahedhurtz 12-30-09 04:17 PM

"Me too" post...
 
I'll chime in and mention I just got the same phishing email to my wowinterface.com@<mydomain>.net which, like the OP, I set up for use only with this site. I'm not sure if I was a member during the "old server" compromise mentioned above but it would be worth comparing my registered date to that to see if that holds water. The content of the two spam mails I got is identical to the above. The header info is slightly different, as you might expect from forged senders/relays.

Polarina 12-30-09 05:14 PM

I have used my e-mail address everywhere and for many years, and have never received a single spam message similar to those described by the users above. I'll let you know if that changes.

MoonWitch 12-30-09 09:44 PM

I've not received such mail (just to - you know break cycles).

Has anyone at any point considered spam sent at random?

I worked for an ISP and now for an anti-virus company, and I also have my own hosting, which includes mail; you wouldn't believe the amount of spam we get (we actually almost disable our spam filters so clients can get through with ludicrous mails).

For those with their own mail servers/hosting: do you have a catch-all address? Any mail sent to a non-existent address will then be delivered to the main account.

Since the spam is directed at wow-account farming, they just try random stuff with names of well known wow-oriented sites.
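
As an added example (not from any poster in this thread), the following Python script puts the per-site tagged-address scheme described by swaldman and elfchief and the catch-all question raised just above into one check: it parses constructed Postfix-style log lines, labels each recipient as a registered tag, an unknown tag or an untagged guess, and records, per site, the third-party senders that reached that site's private tag. The log lines, the "user-<site>@mydomain.example" tag format, the site list and the regexes are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the thread), in a Postfix-like shape, for a
# mailbox that hands out per-site tags "user-<site>@mydomain.example".
LOG_LINES = [
    "qmgr: from=<notice@relay.example>, to=<user-wowinterface@mydomain.example>",
    "qmgr: from=<billing@other.example>, to=<user-wowinterface@mydomain.example>",
    "qmgr: from=<news@shop.example>, to=<user-shop@mydomain.example>",
    "qmgr: from=<bulk@random.example>, to=<user-xk3q@mydomain.example>",
    "qmgr: from=<bulk@random.example>, to=<john@mydomain.example>",
]
# Tags the mailbox owner actually handed out, mapped to the site that received them.
REGISTERED = {"wowinterface": "wowinterface.com", "shop": "shop.example"}
TAG_RE = re.compile(r"^user-([a-z0-9]+)@mydomain\.example$")
LINE_RE = re.compile(r"from=<([^>]*)>, to=<([^>]*)>")

def classify(recipient, registered=REGISTERED, catch_all=True):
    """Label a recipient: registered tag, unknown tag, or untagged guess.

    Without a catch-all, unknown tags and untagged guesses are rejected at
    RCPT TO, so only registered tags can ever reach the inbox."""
    m = TAG_RE.match(recipient)
    if m and m.group(1) in registered:
        return "registered-tag"
    if not catch_all:
        return "rejected"
    return "unknown-tag" if m else "untagged-guess"

def attribute(lines=LOG_LINES, registered=REGISTERED, catch_all=True):
    """Per site: distinct senders outside that site's own domain that reached
    its private tag (leak evidence), plus counts of mail a catch-all let through
    to guessed names (random noise, not attributable to any site)."""
    hits, noise = defaultdict(set), {"unknown-tag": 0, "untagged-guess": 0}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        sender, rcpt = m.groups()
        label = classify(rcpt, registered, catch_all)
        if label == "registered-tag":
            site = registered[TAG_RE.match(rcpt).group(1)]
            if sender.rpartition("@")[2] != site:  # the site mailing you is expected
                hits[site].add(sender)
        elif label in noise:
            noise[label] += 1
    return {site: len(senders) for site, senders in hits.items()}, noise
```

Two unrelated third-party senders hitting one site's tag is the signal the posters above are describing; the guessed names only show up at all because the catch-all accepted them.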



vBulletin © 2024, Jelsoft Enterprises Ltd
© 2004 - 2022 MMOUI