06-02-10, 05:21 AM   #6
Bluspacecow
Giver of walls of text :)
Join Date: Dec 2006
Posts: 770
Originally Posted by Wella:
The bad thing about these emails is that they somehow appear to be using 'official' email servers. However, I never pay any attention to them unless I know I should be looking for them - I've trained myself to tell from the title whether or not the email is legit.
It's worth noting here that that's not the best way of telling if it's legit or not.

Using HTML and faking certain message headers it's possible to construct an email that "looks" exactly like an official email from Blizzard Entertainment.

There are however certain email headers that either aren't faked very often or simply can't be hacked. Most gold seller / keylogger emails won't fake these and from this you can tell that it's not actually from Blizzard.

For example "Subject", "From" and "Reply To" are pretty easily faked and often faked. But again there are certain headers that are either not faked or are very hard to fake.

"Return-Path", "X-Originating-Email", "X-Originating-IP", "Received From"? Not so much.

The last one, the "Received from" field, is especially revealing to look at, especially when you pass the IP addresses back through a whois search. As an email message passes through email servers on the way to your email, each server leaves its own "mark". Trace those back and you will see its origin.

By looking at the raw source or full email headers of the message we can spot some things that don't look right.

http://mail.google.com/support/bin/a...y?answer=22454

Will tell you how to view these full headers for most clients and webmail providers.

Let's go to an example.

Here's an email that landed in my gmail spam mailbox recently (OT: I love Gmail's anti spam feature... cuts down on 75% of spam that lands in my Mail program)

From: Blizzard Entertainment <[email protected]>
Reply-to: [email protected]
To: (censored)@gmail.com
Date: Tue, Jun 1, 2010 at 11:54 PM
Subject: World of Warcraft Account security

Greetings,

An investigation of your World of Warcraft account has found strong evidence that the account in question is being sold or traded. As you may not be aware of,this conflicts with Blizzard's EULA under section 4 Paragraph B which can be found here:
WoW -> Legal -> End User License Agreement
and Section 8 of the Terms of Use found here:
WoW -> Legal -> Terms of Use
The investigation will be continued by Blizzard administration to determine the action to be taken against your account. If your account is found violating the EULA and Terms of Use, your account can, and will be suspended/closed/or terminated.

In order to keep this from occurring, you should immediately verify that you are the original owner of the account.

To verify your identity please visit the following webpage: http://www.worldofwarcraft.com/account/security/support

Blizzard staff will verify your account information submitted in two days, please do not modify your account information during this time . It will not affect your game uptime.If you are unable to successfully verify your password . using the automated system, please contact Billing & Account Services at 1-800-59-BLIZZARD (1-800-592-5499) Mon-Fri, 8am-8pm Pacific Time or at [email protected]. Account security is solely the responsibility of the account holder. Please be advised that in the event of a compromised account, Blizzard representatives typically must lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.

Regards,


Account Administration
Blizzard Entertainment
http://www.blizzard.com/support/wowindex/
"Looks" legit, right?

It's got all the usual signs of an official Blizzard email right down to the correct domain name, correct email and what looks to be a correct phone number. You would be easily fooled by this email just from the contents of it, right?

Now let's look at the source of that message:

Delivered-To: (censored)@gmail.com
Received: by 10.140.191.9 with SMTP id o9cs477961rvf;
Tue, 1 Jun 2010 04:56:54 -0700 (PDT)
Received: by 10.227.156.84 with SMTP id v20mr5748359wbw.191.1275393412309;
Tue, 01 Jun 2010 04:56:52 -0700 (PDT)
Return-Path: <[email protected]>
Received: from blu0-omc1-s32.blu0.hotmail.com ([65.55.116.43])
by mx.google.com with ESMTP id e9si19533340wbb.12.2010.06.01.04.56.51;
Tue, 01 Jun 2010 04:56:52 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 65.55.116.43 as permitted sender) client-ip=65.55.116.43;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 65.55.116.43 as permitted sender) [email protected]
Received: from BLU0-SMTP16 ([65.55.116.9]) by blu0-omc1-s32.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 1 Jun 2010 04:56:23 -0700
X-Originating-IP: [60.248.58.160]
X-Originating-Email: [[email protected]]
Message-ID: <[email protected]>
Return-Path: [email protected]
Received: from zcdcpuimq ([60.248.58.160]) by BLU0-SMTP16.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 1 Jun 2010 04:56:19 -0700
Reply-To: <[email protected]>
From: "Blizzard Entertainment" <[email protected]>
To: < (censored)@gmail.com>
Subject: World of Warcraft Account security
Date: Tue, 1 Jun 2010 19:54:17 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0131_016621BB.1C0EF690"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-OriginalArrivalTime: 01 Jun 2010 11:56:21.0672 (UTC) FILETIME=[73E0EA80:01CB0181]
Now bear in mind I have changed the email it was sent from as you never know, it could be someone's email that's been compromised and used as a bot to send out gold seller emails.

But have a look above. The first thing you should see is the "Return-Path" field above. "[email protected]" ... um, that's not a Blizzard email address. "X-Originating-Email" has also very helpfully been filled out for us.

Also "X-Originating-IP" has a non Blizzard IP address. It's one registered in and run out of China. Please note that not all email clients will fill this one out.

Now remember what I said above about each email server adding its own "Received: from" field? I have yet to see an example of that being faked so it should be a good indication of where the email has come from. They are added to the top so the one at the very end should be the mail server where it's come from (ie the bottom one).

Let's have a special look at that now:

Received: from zcdcpuimq ([60.248.58.160]) by BLU0-SMTP16.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 1 Jun 2010 04:56:19 -0700
BLU0-SMTP16.blu0.hotmail.com looks to be an SMTP server for hotmail.com.

Remember, when you have a domain somedomain.fishy.somethingelse.hotmail.com that domain is a subdomain of the main domain "hotmail.com".

Again this is not a Blizzard domain. Blizzard run their own mail servers so have no need to be using a Hotmail SMTP server.

One of these days when my muse hits me over the head with a baseball bat and steals my lunch money I might think about typing up a proper tutorial for all this.

PS Yes Torhal I think I just did.
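To make the header tracing described in the post concrete, here is an added Python example (mine, not the poster's) that parses a constructed header block modelled on the one quoted above, walks the "Received:" chain from newest to oldest, and flags the hard-to-fake headers that disagree with the easily faked "From" domain. The addresses are placeholders, since the post redacts them.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post; the addresses
# are placeholders (the post redacts them) and folded lines are tab-indented
# as they are in a real raw message.
RAW_HEADERS = """\
Received: by 10.140.191.9 with SMTP id o9cs477961rvf;
\tTue, 1 Jun 2010 04:56:54 -0700 (PDT)
Return-Path: <placeholder-sender@hotmail.com>
Received: from blu0-omc1-s32.blu0.hotmail.com ([65.55.116.43])
\tby mx.google.com with ESMTP id e9si19533340wbb.12.2010.06.01.04.56.51;
\tTue, 01 Jun 2010 04:56:52 -0700 (PDT)
X-Originating-IP: [60.248.58.160]
Received: from zcdcpuimq ([60.248.58.160]) by BLU0-SMTP16.blu0.hotmail.com
\tover TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
\tTue, 1 Jun 2010 04:56:19 -0700
From: "Blizzard Entertainment" <placeholder@blizzard.com>
"""

# "from <claimed host> ([ip]) by <receiving server>" as each relay writes it
HOP_RE = re.compile(r"from\s+(?P<host>\S+)\s+\(\[?(?P<ip>\d+(?:\.\d+){3})\]?\)\s+by\s+(?P<by>\S+)")

def received_hops(raw):
    """(claimed host, ip, receiving server) per hop, newest first, as in the header."""
    msg = email.message_from_string(raw)
    matches = [HOP_RE.search(v) for v in msg.get_all("Received", [])]
    return [(m["host"], m["ip"], m["by"]) for m in matches if m]  # local hops lack 'from'

def origin_hop(raw):
    """The bottom-most hop is the server the message first entered."""
    hops = received_hops(raw)
    return hops[-1] if hops else None

def base_domain(name):
    """a.b.hotmail.com -> hotmail.com (the last two labels)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def spoof_indicators(raw):
    """Hard-to-fake headers that disagree with the easily faked From domain."""
    msg = email.message_from_string(raw)
    def addr_dom(value):
        return base_domain(parseaddr(value)[1].rpartition("@")[2])
    from_dom, findings = addr_dom(msg["From"]), []
    if msg["Return-Path"] and addr_dom(msg["Return-Path"]) != from_dom:
        findings.append(f"Return-Path is {addr_dom(msg['Return-Path'])}, From claims {from_dom}")
    origin = origin_hop(raw)
    if origin and base_domain(origin[2]) != from_dom:
        findings.append(f"first relay {origin[2]} (from {origin[1]}) is not in {from_dom}")
    return findings
```

The IP in the origin hop is the one to pass through a whois lookup, as the post suggests.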