05-28-10, 03:56 PM   #1
Tithulta
A Black Drake
 
Join Date: Dec 2006
Posts: 80
Battle.net scam email, almost looks legit

Not sure what I did when I tried to copy the message to repost here so others could see what it looked like and know not to use the link in the email to log in to their account.

Header was Battle.net Investication

dear (me):

It's been discovered your account was involved in a fraudlent gold transfer (read like I'd bought gold or something).

Had a link to Login with, but the address was a bit off toward the center of the web address. I didn't click on it, but instead used my own bookmark to make sure it wasn't legit. Nothing on my battlenet page and no other email. So I went to copy the email txt... highlighted/shift/delete, email is completely deleted (not in trash) and nothing was copied lol. Shoulda right clicked I guess.

Just beware of emails that look pretty close to what you'd be used to.
05-28-10, 04:07 PM   #2
Xrystal
nUI Maintainer
 
Premium Member
Join Date: Feb 2006
Posts: 5,892
I had one that made me go physically check my account it looked so real .. Mailed to my Blizzard Email. Although it is used for other things but thankfully not anything overly important.


Hello <MyNameWithBlizzard>,

This is an automated notification regarding your Battle.net account. Some or all of your contact information was recently modified through Battle.net Account Management. If you recently made changes to your account information, please disregard this automatic notification.

You can log in to Account Management at the following link to review your account settings:
http://www.battle.net/account

If you cannot sign into Account Management using the link above, or if unauthorized changes continue to occur, click here for answers to Frequently Asked Questions or contact the Blizzard Billing & Account Services team.

Account security is solely the responsibility of the account holder. Please be advised that in the event of a compromised account, Blizzard representatives will typically lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.

Regards,

The Battle.net Support Team
Blizzard Entertainment
Online Privacy Policy

Hovering over the battle.net link was the only giveaway but was close enough to the real site for me to have to check for myself. And was happy to see that nothing had changed at all.
05-28-10, 04:24 PM   #3
Wella
A Rage Talon Dragon Guard
 
Join Date: Mar 2010
Posts: 322
The bad thing about these emails is that they somehow appear to be using 'official' email servers. However, I never pay any attention to them unless I know I should be looking for them - I've trained myself to tell from the title whether or not the email is legit.
__________________
Addons I use, not that any of you care
* Bejeweled - For boring 5 minute flights to Tanaris
* Genie - Blizzard really should have implemented bag sorting by now
* ncHoverBind - I'm a Lock, what can you expect?
* oGlow - Again, a missing feature
* Recount - Derp
* ShooShards - Another missing feature


"Your idea is good. So i will try it."
- popmissa
05-28-10, 05:27 PM   #4
orionshock
A Wyrmkin Dreamwalker
 
Join Date: Jul 2006
Posts: 50
Originally Posted by Wella View Post
The bad thing about these emails is that they somehow appear to be using 'official' email servers. However, I never pay any attention to them unless I know I should be looking for them - I've trained myself to tell from the title whether or not the email is legit.
You can fake 90% of an email quite easily.

If you open up the email headers you'll see that most of the scam ones originate from hotmail. Real emails from Blizzard come from a blizzard.com domain of one sort or another.
__________________
"I was there in the beginning... and things were very different back then" --An Echo from a time before.
05-28-10, 05:30 PM   #5
mankeluvsit
An Onyxian Warder
 
Join Date: Sep 2008
Posts: 354
It's called an email spoofer, nothing new here.
06-02-10, 05:21 AM   #6
Bluspacecow
Giver of walls of text :)
 
Join Date: Dec 2006
Posts: 770
Originally Posted by Wella View Post
The bad thing about these emails is that they somehow appear to be using 'official' email servers. However, I never pay any attention to them unless I know I should be looking for them - I've trained myself to tell from the title whether or not the email is legit.
It's worth noting here that's not the best way of telling if it's legit or not.

Using HTML and faking certain message headers it's possible to construct an email that "looks" exactly like an official email from Blizzard Entertainment.

There are however certain email headers that either aren't faked very often or simply can't be hacked. Most gold seller / keylogger emails won't fake these and from this you can tell that it's not actually from Blizzard.

For example "Subject", "From" and "Reply To" are pretty easily faked and often faked. But again there are certain headers that are either not faked or are very hard to fake.

"Return-Path", "X-Originating-Email", "X-Originating-IP", "Received From"? Not so much.

The last one, the "Received from" field, is especially revealing to look at, especially when you pass the IP addresses back through a whois search. As an email message passes through email servers on the way to your email, each server leaves its own "mark". Trace those back and you will see its origin.

By looking at the raw source or full email headers of the message we can spot some things that don't look right.

http://mail.google.com/support/bin/a...y?answer=22454

Will tell you how to view these full headers for most clients and webmail providers.

Let's go to an example.

Here's an email that landed in my gmail spam mailbox recently (OT: I love Gmail's anti spam feature... cuts down on 75% of spam that lands in my Mail program)

From: Blizzard Entertainment <[email protected]>
Reply-to: [email protected]
To: (censored)@gmail.com
Date: Tue, Jun 1, 2010 at 11:54 PM
Subject: World of Warcraft Account security

Greetings,

An investigation of your World of Warcraft account has found strong evidence that the account in question is being sold or traded. As you may not be aware of,this conflicts with Blizzard's EULA under section 4 Paragraph B which can be found here:
WoW -> Legal -> End User License Agreement
and Section 8 of the Terms of Use found here:
WoW -> Legal -> Terms of Use
The investigation will be continued by Blizzard administration to determine the action to be taken against your account. If your account is found violating the EULA and Terms of Use, your account can, and will be suspended/closed/or terminated.

In order to keep this from occurring, you should immediately verify that you are the original owner of the account.

To verify your identity please visit the following webpage: http://www.worldofwarcraft.com/account/security/support

Blizzard staff will verify your account information submitted in two days, please do not modify your account information during this time . It will not affect your game uptime.If you are unable to successfully verify your password . using the automated system, please contact Billing & Account Services at 1-800-59-BLIZZARD (1-800-592-5499) Mon-Fri, 8am-8pm Pacific Time or at [email protected]. Account security is solely the responsibility of the account holder. Please be advised that in the event of a compromised account, Blizzard representatives typically must lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.

Regards,


Account Administration
Blizzard Entertainment
http://www.blizzard.com/support/wowindex/
"Looks" legit, right?

It's got all the usual signs of an official Blizzard email right down to the correct domain name, correct email and what looks to be a correct phone number. You would be easily fooled by this email just from the contents of it, right?

Now let's look at the source of that message:

Delivered-To: (censored)@gmail.com
Received: by 10.140.191.9 with SMTP id o9cs477961rvf;
    Tue, 1 Jun 2010 04:56:54 -0700 (PDT)
Received: by 10.227.156.84 with SMTP id v20mr5748359wbw.191.1275393412309;
    Tue, 01 Jun 2010 04:56:52 -0700 (PDT)
Return-Path: <[email protected]>
Received: from blu0-omc1-s32.blu0.hotmail.com ([65.55.116.43])
    by mx.google.com with ESMTP id e9si19533340wbb.12.2010.06.01.04.56.51;
    Tue, 01 Jun 2010 04:56:52 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 65.55.116.43 as permitted sender) client-ip=65.55.116.43;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 65.55.116.43 as permitted sender) [email protected]
Received: from BLU0-SMTP16 ([65.55.116.9]) by blu0-omc1-s32.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
    Tue, 1 Jun 2010 04:56:23 -0700
X-Originating-IP: [60.248.58.160]
X-Originating-Email: [[email protected]]
Message-ID: <[email protected]>
Return-Path: [email protected]
Received: from zcdcpuimq ([60.248.58.160]) by BLU0-SMTP16.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
    Tue, 1 Jun 2010 04:56:19 -0700
Reply-To: <[email protected]>
From: "Blizzard Entertainment" <[email protected]>
To: < (censored)@gmail.com>
Subject: World of Warcraft Account security
Date: Tue, 1 Jun 2010 19:54:17 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0131_016621BB.1C0EF690"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-OriginalArrivalTime: 01 Jun 2010 11:56:21.0672 (UTC) FILETIME=[73E0EA80:01CB0181]
Now bear in mind I have changed the email it was sent from as you never know, it could be someone's email that's been compromised and used as a bot to send out gold seller emails.

But have a look above. The first thing you should see is the "Return-Path" field above. "[email protected]" ... um that's not a Blizzard email address. "X-Originating-Email" has also very helpfully been filled out for us.

Also "X-Originating-IP" has a non Blizzard IP address. It's one registered in and run out of China. Please note that not all email clients will fill this one out.

Now remember what I said above about each email server adding its own "Received: from" field? I have yet to see an example of that being faked so it should be a good indication of where the email has come from. They are added to the top so the one at the very end should be the mail server where it's come from (ie the bottom one)

Let's have a special look at that now:

Received: from zcdcpuimq ([60.248.58.160]) by BLU0-SMTP16.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
    Tue, 1 Jun 2010 04:56:19 -0700

BLU0-SMTP16.blu0.hotmail.com looks to be an SMTP server for hotmail.com

Remember when you have a domain somedomain.fishy.somethingelse.hotmail.com that domain is a subdomain of the main domain "hotmail.com"

Again this is not a Blizzard domain. Blizzard run their own mail servers so have no need to be using a Hotmail SMTP server.

One of these days when my muse hits me over the head with a baseball bat and steals my lunch money I might think about typing up a proper tutorial for all this.

PS Yes Torhal I think I just did.
__________________
tuba_man on Apple test labs : "I imagine a brushed-aluminum room with a floor made of keyboards, each one plugged into a different test box somewhere. Someone is tasked with tossing a box full of cats (all wearing turtlenecks) into this room. If none of the systems catch fire within 30 minutes, testing is complete. Someone else must remove the cats. All have iPods." (http://community.livejournal.com/tec...t/2018070.html)
06-02-10, 05:48 AM   #7
Torhal
A Pyroguard Emberseer
 
Join Date: Aug 2008
Posts: 1,196
You need to stop reading my mind - I'm pretty sure that falls along the same lines as reading my mail...
__________________
Whenever someone says "pls" because it's shorter than "please", I say "no" because it's shorter than "yes".

Author of NPCScan and many other AddOns.
06-02-10, 09:24 AM   #8
Bornabe
A Flamescale Wyrmkin
 
Join Date: Apr 2008
Posts: 133
I chose to ignore any and all eMails from 'Blizzard'. I don't buy gold, nor sell it, don't use anything other than addons that can be gotten from here or curse and have an authenticator... nor do I visit any web sites for game information other than the very few I know are legit from the beginning and don't dare install anything on my computer, which is highly secured.

Never a guarantee you or I won't get spoofed, but I've found it best to just stay away from it all. If your account has issues, believe me, you'll know when you try to logon and you can't or have character(s) & bank(s) empty.

THEN you can CALL Blizzard and handle the hour or more wait time, but will know for sure you're contacting someone that can start the process of helping you fix / recover / prevent a problem.
06-02-10, 03:01 PM   #9
Wella
A Rage Talon Dragon Guard
 
Join Date: Mar 2010
Posts: 322
Originally Posted by Bluspacecow View Post
It's worth noting here that's not the best way of telling if it's legit or not.
I know that just looking at the title isn't exactly ideal, but it's a very quick way to do so and anyway, I would only expect to receive an email from Blizzard well, when I expect one. For a specific purpose, that is. Of course, I sometimes double-check if the email isn't about 'Account Confirmation' or whatever, but that's just me.

Thanks for the tip about checking out the source code, though. I doubt I'll ever use it, but still, it's interesting. :D
06-03-10, 08:46 AM   #10
Bluspacecow
Giver of walls of text :)
 
Join Date: Dec 2006
Posts: 770
Originally Posted by Wella View Post
Thanks for the tip about checking out the source code, though. I doubt I'll ever use it, but still, it's interesting.
See the problem I find with looking at the title or subject line of the email is it smacks too much of ...of ... well I'm not sure what word to use but it's sort of like basing your decision on things the other party "won't do".

Blizzard won't do this ... Blizzard won't do that ..... Timmy wouldn't shoot Bill in the foot .....See where I'm going with this ?

It depends solely on you making the correct judgmental decision at the right point.

Looking at the source code of the email itself is like looking at the physical evidence itself. The "smoking gun" if you will. You don't have to depend on making the right decision to judge if the email is legit or not.

You're looking at exactly where the email actually came from. It's not subject to interpretation as once you've practiced how to do it you can do it pretty quickly.

If on Gmail open up the message and go to the drop down on the right (little triangle) and select "Show Original"

Look straight at the "Return-Path" field. If in doubt then move to "X-Originating-Email" and failing that then check the receive history.

Once you've done this a few times for a few fake emails those 2 fields filled out with something strange just pop right out at you like something you can't fail to notice. Often times I just look for a hotmail.com address.

"Return-Path" is the field that is right at my eye level when I open up the source code of the email on Gmail
__________________
tuba_man on Apple test labs : "I imagine a brushed-aluminum room with a floor made of keyboards, each one plugged into a different test box somewhere. Someone is tasked with tossing a box full of cats (all wearing turtlenecks) into this room. If none of the systems catch fire within 30 minutes, testing is complete. Someone else must remove the cats. All have iPods." (http://community.livejournal.com/tec...t/2018070.html)
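
The header check described in the two posts above (Return-Path, then X-Originating-Email, then the oldest Received hop), as an added example that is not part of the thread. The sample message, its example domains and documentation-range IPs, and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not the message from the thread: example domains and
# documentation-range IPs stand in for the redacted values.
SAMPLE = """\
Received: from out1.webmail.example ([198.51.100.43])
\tby mx.mailbox.example with ESMTP id abc123; Tue, 01 Jun 2010 04:56:52 -0700
Return-Path: <sender123@webmail.example>
Received: from relay16.webmail.example ([198.51.100.9])
\tby out1.webmail.example; Tue, 1 Jun 2010 04:56:23 -0700
X-Originating-IP: [203.0.113.160]
X-Originating-Email: [sender123@webmail.example]
Received: from pc-host ([203.0.113.160])
\tby relay16.webmail.example; Tue, 1 Jun 2010 04:56:19 -0700
Reply-To: <support@game.example>
From: "Game Support" <support@game.example>
Subject: Account security

(body omitted)
"""

HOP = re.compile(r"from (\S+) \(\[([\d.]+)\]\) by ([\w.-]+)")

def domain_of(value):
    """Lowercased domain of the address in a header value ('' if none)."""
    return parseaddr(value.strip().strip("[]"))[1].rpartition("@")[2].lower()

def under(domain, parent):
    """True if domain is parent itself or one of its subdomains."""
    return domain == parent or domain.endswith("." + parent)

def triage(raw, expected):
    """Check the sender headers and the oldest Received hop against expected."""
    msg = message_from_string(raw)
    result = {"origin_ip": None, "first_relay": None, "findings": []}
    for name in ("Return-Path", "X-Originating-Email"):
        for dom in sorted({domain_of(v) for v in msg.get_all(name, [])}):
            if dom and not under(dom, expected):
                result["findings"].append(f"{name}: {dom} is not under {expected}")
    hops = msg.get_all("Received", [])
    # Servers prepend their Received line, so the last one is the oldest hop.
    m = HOP.search(" ".join(hops[-1].split())) if hops else None
    if m:
        result["origin_ip"], result["first_relay"] = m.group(2), m.group(3)
        if not under(m.group(3).lower(), expected):
            result["findings"].append(f"first relay {m.group(3)} is not under {expected}")
    return result

if __name__ == "__main__":
    print(triage(SAMPLE, "game.example"))
```

Only the Received lines written by servers you trust are dependable; anything below the first trusted relay is supplied by the sender, so treat the oldest hop as a hint alongside the other two fields.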