12-09-09, 11:57 AM   #1
swaldman
Guest
Posts: n/a
WowInterface.com email database has been compromised

Apologies for posting this on a forum - I couldn't find any other way of contacting the people who run wowinterface.

I've just received a fairly standard phishing email, with one notable point - it was sent to an email address that I have only ever used with WoWInterface. This suggests to me that somehow, spammers have gained access to the wowinterface email database.

Please would you investigate?

Email below, with some info anonymised. Note that it was sent as base64-encoded text, which means I can't easily paste the source in here - instead you get what gmail renders, plus the headers.

-----

Code:
Delivered-To: [email protected]
Received: by 10.204.118.145 with SMTP id v17cs348724bkq;
        Wed, 9 Dec 2009 08:43:34 -0800 (PST)
Received: by 10.115.38.32 with SMTP id q32mr18748121waj.8.1260377011997;
        Wed, 09 Dec 2009 08:43:31 -0800 (PST)
Return-Path: <[email protected]>
Received: from mail2-162.sinamail.sina.******* (mail2-162.sinamail.sina.******* [60.28.2.162])
        by mx.google.com with ESMTP id 13si18622189pzk.127.2009.12.09.08.43.30;
        Wed, 09 Dec 2009 08:43:31 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates 60.28.2.162 as permitted sender) client-ip=60.28.2.162;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 60.28.2.162 as permitted sender) [email protected]
Received: from unknown (HELO login.mail.sina.*******) ([10.29.11.24])
  by mail2-160.sinamail.sina.******* with ESMTP; 10 Dec 2009 00:43:29 +0800
Received: by login.mail.sina.******* (Postfix, from userid 80)
	id 44F5E358C47; Thu, 10 Dec 2009 00:43:29 +0800 (CST)
Received: [email protected]([220.249.132.224]) by mail.sina.******* via HTTP;
 Thu, 10 Dec 2009 00:43:29 +0800 (CST)
Date: Thu, 10 Dec 2009 00:43:29 +0800 
From: Blizzard Entertainment <[email protected]>
To: [email protected]
Subject: =?GBK?B?QmF0dGxlLm5ldCBBY2NvdW50IKhDIFBhc3N3b3JkIENoYW5nZSBOb3RpY2U=?=
MIME-Version: 1.0
X-Priority: 0
X-MessageID: 1260377009.2617.44142
X-OriginaIP: 10.28.11.24
X-Mailer: Sina WebMail 4.0
Content-Type: multipart/alternative;
	 boundary="=-sinamail_alt_5fa618964e32e7282284018b85d011ad"
Message-Id: <[email protected].*******>

Hello

This is an automated notification regarding the recent change(s) made to your Battle.net account

Your password has recently been modified through the Account Management website.

*** If you made this password change, please disregard this notification.

However, if you did NOT make any changes to your password, we recommend you contact Blizzard Billing & Account Services for assistance keeping your account as secure as possible.

For more information, click here for answers to Frequently Asked Questions or to contact the Blizzard Billing & Account Services team.

Account security is solely the responsibility of the accountholder. Please be advised that in the event of a compromised account, Blizzard representatives typically must lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.

Sincerely,
The Battle.net Account Team
Online Privacy Policy
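The headers quoted in post #1 can be read mechanically. The following is an added example, not part of the original thread: it decodes the GBK/base64 Subject, walks the Received chain from the bottom to find the first public hop, and flags a From display name that claims a brand its address domain does not belong to. The `spf=pass` in the post only vouches for the envelope sender's domain, not for the "Blizzard Entertainment" display name. The sample message is constructed from the posted headers with placeholder addresses and hostnames, and `BRAND_DOMAINS` is an assumed allowlist.

```python
import email
import ipaddress
import re
from email.header import decode_header
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post. Addresses and
# hostnames are placeholders because the post anonymised the real ones.
RAW = """\
Return-Path: <sender@webmail.example>
Received: from mail2-162.webmail.example (mail2-162.webmail.example [60.28.2.162])
        by mx.google.com with ESMTP; Wed, 09 Dec 2009 08:43:31 -0800 (PST)
Received-SPF: pass (google.com: domain of sender@webmail.example designates 60.28.2.162 as permitted sender)
Received: from unknown (HELO login.webmail.example) ([10.29.11.24])
  by mail2-160.webmail.example with ESMTP; 10 Dec 2009 00:43:29 +0800
Received: from client ([220.249.132.224]) by mail.webmail.example via HTTP;
 Thu, 10 Dec 2009 00:43:29 +0800 (CST)
From: Blizzard Entertainment <sender@webmail.example>
To: unique-alias@recipient.example
Subject: =?GBK?B?QmF0dGxlLm5ldCBBY2NvdW50IKhDIFBhc3N3b3JkIENoYW5nZSBOb3RpY2U=?=
"""

# Assumed allowlist: domains the named brand is expected to send from.
BRAND_DOMAINS = {"blizzard": ("blizzard.com", "battle.net")}

def decode_subject(msg):
    """Decode RFC 2047 encoded words (here GBK + base64) into readable text."""
    return "".join(
        raw.decode(cs or "ascii", errors="replace") if isinstance(raw, bytes) else raw
        for raw, cs in decode_header(msg.get("Subject", "")))

def origin_ip(msg):
    """Each relay prepends its Received line, so the earliest hop is the last one."""
    for hop in reversed(msg.get_all("Received", [])):
        for text in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop):
            try:
                if ipaddress.ip_address(text).is_global:
                    return text
            except ValueError:
                continue  # bracketed text that is not a valid IPv4 address
    return None

def brand_mismatch(msg):
    """True when the From display name claims a brand the address domain is not."""
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return any(brand in display.lower()
               and not any(domain == d or domain.endswith("." + d) for d in doms)
               for brand, doms in BRAND_DOMAINS.items())

def analyse(raw):
    msg = email.message_from_string(raw)
    return {"subject": decode_subject(msg), "origin_ip": origin_ip(msg),
            "brand_mismatch": brand_mismatch(msg)}
```
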
12-09-09, 12:04 PM   #2
Dolby
PPAP
 
WoWInterface Admin
Join Date: Feb 2004
Posts: 2,341
Our database is not accessible from a public IP. It's only on a VLAN that our httpd servers can access. Looking at the logs I do not see anything that would suggest a compromise to our data.

Checking some other error logs and will let you know if I find anything.

Last edited by Dolby : 12-09-09 at 12:09 PM.
12-09-09, 12:12 PM   #3
swaldman
Guest
Posts: n/a
Originally Posted by Dolby View Post
Our database is not accessible from a public IP. It's only on a VLAN that our httpd servers can access. Looking at the logs I do not see anything that would suggest a compromise to our data.

Checking some other error logs and will let you know if I find anything.
The only thing which would suggest a compromise is, I'm afraid, something that you have to take my word on. I use unique email addresses when registering with websites, and only use them for those sites. This spam was sent to the one used for wowinterface. There are other means by which it could have been obtained (problem on my machine, problem with gmail, dubious relay somewhere along the line, etc), but all seem less likely, because I have *only* received it to the wowinterface address and not to other unique addresses, and because it is WoW-related.

Thanks for checking, anyway. If you would like the actual (encoded) text of the email with the actual email address, I'll be happy to send it on by email - but not on a forum.
12-09-09, 12:20 PM   #4
Dolby
PPAP
 
WoWInterface Admin
Join Date: Feb 2004
Posts: 2,341
Sure, please send it to [email protected]

Do you use a shared host? It's possible one of their clients was able to get a list of email addresses on the server.

Any large queries I'm emailed about. However, I'm still sifting through the logs.
12-09-09, 12:57 PM   #5
Seerah
Fishing Trainer
 
WoWInterface Super Mod
Featured
Join Date: Oct 2006
Posts: 10,860
For future reference (for both you and any others reading this), since Dolby forgot to mention it, there is a link in the footer of the site, on the bottom-right, which says "Contact WoWInterface".
__________________
"You'd be surprised how many people violate this simple principle every day of their lives and try to fit square pegs into round holes, ignoring the clear reality that Things Are As They Are." -Benjamin Hoff, The Tao of Pooh

12-09-09, 04:32 PM   #6
swaldman
Guest
Posts: n/a
Originally Posted by Dolby View Post
Sure, please send it to [email protected]
Done.

Originally Posted by Dolby View Post
Do you use a shared host? It's possible one of their clients was able to get a list of email addresses on the server.
It's my own domain, run via google apps (so gmail), on which I'm the only user.

I'm no expert, so it's entirely possible that something else is up - but I thought I'd alert you to the possibility. Sorry if it's a wild goose chase :-)
12-10-09, 11:01 AM   #7
Bluspacecow
Giver of walls of text :)
 
AddOn Author - Click to view addons
Join Date: Dec 2006
Posts: 770
Is it possible that email was public before you turned off displaying it in your public profile for wowinterface?
__________________
tuba_man on Apple test labs : "I imagine a brushed-aluminum room with a floor made of keyboards, each one plugged into a different test box somewhere. Someone is tasked with tossing a box full of cats (all wearing turtlenecks) into this room. If none of the systems catch fire within 30 minutes, testing is complete. Someone else must remove the cats. All have iPods." (http://community.livejournal.com/tec...t/2018070.html)
12-19-09, 12:55 AM   #8
Ihadurca
An Aku'mai Servant
 
Join Date: Sep 2009
Posts: 37
Originally Posted by swaldman View Post
I use unique email addresses when registering with websites, and only use them for those sites. This spam was sent to the one used for wowinterface.
That is a lot of email addresses then. O.o And I thought I was bad w/ my multiple emails for categories, you got me beat w/ emails for each website. ^_^

Also keep in mind, they don't have to "find" your email address somewhere to send it to you. They have automated scripts that randomly put letters and numbers together to make email addresses and send them out. For example, a few months ago I created a new email address. Not yet sure what I wanted to do with it yet, so I just haven't done anything with it yet. I have never registered it with anyone for anything.... and my spam box was flooded within a week. LOL Crazy.

But that is a big coincidence w/ your email.
12-19-09, 08:05 AM   #9
Zyonin
Coffee powered Kaldorei
 
AddOn Author - Click to view addons
Join Date: May 2006
Posts: 1,443
Originally Posted by Ihadurca View Post
That is a lot of email addresses then. O.o And I thought I was bad w/ my multiple emails for categories, you got me beat w/ emails for each website. ^_^

Also keep in mind, they don't have to "find" your email address somewhere to send it to you. They have automated scripts that randomly put letters and numbers together to make email addresses and send them out. For example, a few months ago I created a new email address. Not yet sure what I wanted to do with it yet, so I just haven't done anything with it yet. I have never registered it with anyone for anything.... and my spam box was flooded within a week. LOL Crazy.

But that is a big coincidence w/ your email.
Much like when I get WoW phishing spam on a couple of email addresses that I have NEVER used for any WoW site and one email site was never used to sign up for anything. The old brute force approach. Of course I had a couple of chuckles just before pressing the "Delete" button.
__________________
Twitter
12-20-09, 03:10 PM   #10
numein
A Cyclonian
 
AddOn Author - Click to view addons
Join Date: Jun 2009
Posts: 43
I created a Gmail account for my dad some time ago. He almost never uses it, and even if he does it's only for mailing with some friends/colleagues.
So the mail was never public. And the name is fairly long and not generic, so it's not likely to "guess"...

Still, from day 1 I think, the mail is full of spam, and I mean really full (at least 10 spam/day, gets even to 100/day)...

In short: a gmail account can get spam w/o ever being public...
08-13-10, 11:51 AM   #11
aalnydara
A Murloc Raider
AddOn Author - Click to view addons
Join Date: Jun 2005
Posts: 7
WowInterface.com email database has been compromised

Let me start by saying I am very careful protecting my real email address. Every website I visit that wants my email address gets a randomly generated address at a different domain that gets forwarded to my real address until I choose to delete it. WowInterface.com is no exception. I just received a WoW phishing email to the address registered with this site. So it's safe to say this is the only place they could have gotten the address.

The phishing email wasn't terribly clever. Here's the contents:

From: "World of Warcraft - Account Action Notification" <[email protected]>
Subject: World of Warcraft Billing Account Services
To: [email protected]
Content-Type: text/plain;charset="GB2312"
Date: Fri, 13 Aug 2010 19:16:22 +0800
X-Priority: 3
X-Mailer: FoxMail 3.11 Release [cn]
X-SOURCE-IP: [38.113.6.65]

Greetings

World of Warcraft -> Legal -> End User License Agreement
and Section 8 of the Terms of Use:
Blizzard Entertainment -> Legal -> Terms of Use
A 3-hour probationary suspension is pending on this account, awaiting confirmation from a spe******t. A final warning has been issued. The investigation will be continued by the Account Administration team to determine the any further suspensions. If the account in question is found in violation of the EULA and Terms of Use, further action will be taken. Be aware that any additional inappropriate actions may result in the permanent closure of the account.
Thank you for respecting our position on this matter.
==================================================================================================================
** We request that you verify your legitimate ownership of the account:
click Website <http://us.battele.info/login/login.xmlref=https=www.worldofwarcraft.com=accountapp=wamcir=true.htm> to proceed.

Blizzard staff will verify your account information submitted in two days, Please do not repeat to submit verify, please do not modify your account information during this time . It will not affect your game uptime.If you are unable to successfully verify your password . using the automated system, please contact Billing & Account Services at 1-800-59-BLIZZARD (1-800-592-5499) Mon-Fri, 8am-8pm Pacific Time or at [email protected]. Account security is solely the responsibility of the account holder. Please be advised that in the event of a compromised account, Blizzard representatives typically must lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.


Regards

The World of Warcraft Support Team Blizzard Entertainment
08-13-10, 12:16 PM   #12
yj589794
A Rage Talon Dragon Guard
AddOn Author - Click to view addons
Join Date: Mar 2009
Posts: 314
Your email address is listed on your public profile page.
08-13-10, 12:22 PM   #13
Dolby
PPAP
 
WoWInterface Admin
Join Date: Feb 2004
Posts: 2,341
Yes aalnydara, per your options you have your email address public in your profile on our site.

Options > Edit Options > Uncheck "Receive Email from Other Members".
08-13-10, 12:54 PM   #14
aalnydara
A Murloc Raider
AddOn Author - Click to view addons
Join Date: Jun 2005
Posts: 7
Apology

My apologies. I didn't realize how that vBulletin feature worked. I assumed that by saying I would "allow email from other members" that if a member wanted to email me, it would be funneled through some sort of web form rather than giving them my email address outright.

Not that you guys have control over the vBulletin code, but the explanation for that feature would be more appropriately named "Allow other members to view your email address".

In any case, I've unchecked the box. Sorry for the hassle.
10-02-10, 09:12 AM   #15
schmakk
A Murloc Raider
 
Join Date: Oct 2005
Posts: 4
Originally Posted by Dolby View Post
Yes aalnydara, per your options you have your email address public in your profile on our site.

Options > Edit Options > Uncheck "Receive Email from Other Members".
I have had an account for quite a while but this option isn't enabled and, as far as I know, never has been. I have within the last few weeks received two well crafted phishing mails.
I'm using sneakemail.com, which means a randomly generated email address is used for every service I sign up for.
If there have been changes to default settings or anything like it, that might be why scammers got my address, but if not, something is very very wrong.

Edit: I do have "Receive Email from Administrators" enabled though...
__________________
pewpew

Last edited by schmakk : 10-02-10 at 09:17 AM.
10-02-10, 11:47 AM   #16
Seerah
Fishing Trainer
 
WoWInterface Super Mod
Featured
Join Date: Oct 2006
Posts: 10,860
As mentioned earlier, the site was compromised a couple of years ago. Since your account is an old one, it is highly likely that this is where your emails stem from. Have you changed your email address for WoWI?
__________________
"You'd be surprised how many people violate this simple principle every day of their lives and try to fit square pegs into round holes, ignoring the clear reality that Things Are As They Are." -Benjamin Hoff, The Tao of Pooh

10-19-10, 02:57 PM   #17
Mordaki987
A Fallenroot Satyr
Join Date: Oct 2006
Posts: 22
The thing with all of this is that keyloggers and things that can be used for hacking purposes can also be placed unknowingly into a user interface itself, be it through an addon or whatever the case may be. I should know, since my WoW account itself has been compromised not once but 4 times. And from my understanding, and by word of mouth as well as email, wowinterface.com is known to be hacked quite consistently. At least that is what I have heard.
10-19-10, 03:00 PM   #18
Dolby
PPAP
 
WoWInterface Admin
Join Date: Feb 2004
Posts: 2,341
Our email database was only compromised once, that's why you see everyone with old accounts alerting us.

AddOns CAN NOT contain key loggers unless there is an exe or some executable file packaged with them. We manually moderate every upload to verify each file is safe. We don't even allow authors to package addons with executable files so there is no mistake.
10-19-10, 11:18 PM   #19
Vuelhering
A Murloc Raider
AddOn Author - Click to view addons
Join Date: Dec 2006
Posts: 5
Originally Posted by Dolby View Post
Our email database was only compromised once, that's why you see everyone with old accounts alerting us.
Yeah, I guess that old hack got resurrected by some jerk.

AddOns CAN NOT contain key loggers unless there is an exe or some executable file packaged with them. We manually moderate every upload to verify each file is safe. We don't even allow authors to package addons with executable files so there is no mistake.
As an addon author, this is 100% correct, minus some small epsilon such as an executable error in the Lua interpreter that's never been caught.

Your account was compromised 4 times because you ran unknown executable programs or were unfortunate enough to click on the wrong email link (sent by a goldseller site) or visit the wrong site. None of your issues were caused by wow addons.
__________________
http://www.knights-who-say-ni.com
MMO gaming since 2000
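The upload rule described in posts #18 and #19 (no executable files inside an addon archive) can be backed by an automated pre-check. The following is an added example, not WoWInterface's own moderation code: it inspects each member of an uploaded zip by extension and by leading file signature, so a binary renamed to look like a texture is still reported. The extension list, signature table and sample archive are assumptions constructed for the illustration.

```python
import io
import posixpath
import zipfile

# Assumed policy for this sketch: extensions and file signatures to reject.
BLOCKED_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".msi", ".vbs", ".ps1", ".jar"}
MAGIC = {b"MZ": "PE/DOS executable", b"\x7fELF": "ELF binary", b"#!": "shebang script"}

def find_executables(zip_bytes):
    """Return (member name, reason) for every archive member that looks executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = posixpath.splitext(info.filename)[1].lower()
            with zf.open(info) as fh:
                head = fh.read(4)
            # Content wins over the name: a renamed binary keeps its signature.
            reason = next((label for magic, label in MAGIC.items()
                           if head.startswith(magic)), None)
            if reason is None and ext in BLOCKED_EXT:
                reason = "blocked extension " + ext
            if reason:
                findings.append((info.filename, reason))
    return findings

def sample_upload(with_payload):
    """Build a constructed addon archive in memory (file names are made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MyAddon/MyAddon.toc", "## Title: MyAddon\nCore.lua\n")
        zf.writestr("MyAddon/Core.lua", "print('MyAddon loaded')\n")
        if with_payload:
            # Only the two-byte MZ signature matters here; the rest is padding.
            zf.writestr("MyAddon/textures/icon.tga", b"MZ" + b"\x00" * 62)
            zf.writestr("MyAddon/setup.bat", "rem placeholder\n")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in find_executables(sample_upload(True)):
        print(name, "->", reason)
```

A check like this complements manual moderation rather than replacing it, since it only covers the signatures and extensions listed.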
02-15-11, 09:23 AM   #20
enjaxx
A Kobold Labourer
Join Date: Oct 2008
Posts: 1
Did WoWInterface get hacked?

Hey all,

I'm getting spam on my unique email address, which I'm using only here for quite a while. Did WoWInterface get hacked or did you sell my address to a spammer?

