
    Blizzard’s World of Warcraft (more popularly known as WoW) is one of the most popular massively multiplayer online role-playing games (MMORPGs) in the world. With more than 11.5 million subscribers as of 2008, WoW is plagued by a thriving underground online gaming economy.

    The most common scam in WoW that Trend Micro has seen uses the in-game chat/whisper system.

    An unsuspecting player receives an in-game chat/whisper from an unknown player offering free gifts (usually in-game pets, riding mounts, and vehicles) that can supposedly be claimed by registering at the website included in the chat message.

    The website included is, of course, a phishing site that will gather the user’s Battle.net account name and password.

    However, we have recently seen a new approach: the use of WoW’s postal system, more commonly known as the in-game mail system. In this new trick, the phishing URLs are sent via WoW in-game mail and are received by players in their in-game mailboxes.

    The mail message mixes in elements from other Blizzard games. Wings of Liberty refers to Starcraft 2, which was launched in July 2010. “Deathy” refers to “Black Dragon Aspect Deathwing,” the major antagonist in the upcoming WoW expansion game, Cataclysm.

    To add to its credibility, the phishing URL contains the string worldofwarcraft and an abbreviation of Cataclysm. It is also interesting to mention that the website domain is registered and hosted in China.

    We also noted that WoW online scammers have raised the bar by pretending to be figures of authority, something seen in spam attacks outside the online gaming industry.

    The scam perpetrator poses as a Blizzard employee with a name that contains a string similar to Blizzard. The attacker threatens to suspend the player’s account if he/she does not register at the website included in the chat message.

    As in the attack mentioned earlier, the link goes to a phishing site that tries to steal the user’s Battle.net credentials. The phishing site very closely resembles the actual site in terms of layout. At first glance, the user may be led to believe that the URL is related to the WoW Armory, an official site containing information on in-game characters, guilds, and items.
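
The URL pattern described above (a brand string such as worldofwarcraft placed in a hostname or path that the brand does not control) can be checked mechanically. The following is an added example, not code from the original post or from Trend Micro; the official-domain list, the brand tokens, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the registrable domains treated as official.
OFFICIAL_DOMAINS = ("battle.net", "worldofwarcraft.com", "blizzard.com")
# Brand strings of the kind the post describes inside lure URLs.
BRAND_TOKENS = ("warcraft", "blizzard", "battle", "armory", "wow")
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.I)

def classify_url(url):
    """Return 'official', 'brand-lure' or 'unrelated' for one link."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    # Match on the END of the hostname: a brand string anywhere else in the
    # URL says nothing about who controls the site.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    text = host + parts.path.lower()
    if any(token in text for token in BRAND_TOKENS):
        return "brand-lure"
    return "unrelated"

def flag_message(message):
    """Return the brand-lure links found in one chat or mail message."""
    return [u for u in URL_RE.findall(message) if classify_url(u) == "brand-lure"]

# Constructed sample messages (not captured traffic).
SAMPLES = [
    "Free mount! Register at www.worldofwarcraft-cata.example.test/login",
    "Your account is being investigated: wow-support.something-not-wow-related.com",
    "Security tips are at https://us.battle.net/security/",
    "Guild site moved to http://guild.example.org/roster",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(flag_message(msg) or "no lure link", "<-", msg)
```

Short tokens such as `wow` will also match unrelated words, so a hit is a reason to look closer, not a verdict.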


    To protect its customers, Blizzard has intensified its information campaign on Battle.net’s security page. It also provided very accessible means within the game to report users who are abusing its chat and mail systems.

    Trend Micro users are protected from these World of Warcraft phishing attacks via the Trend Micro™ Smart Protection Network™, which blocks access to the phishing websites.

    For a more in-depth analysis of a Trojan kit targeting online games (including World of Warcraft) and the underground online gaming economy, I highly recommend reading our research paper entitled, “Dissecting the XWM Trojan Kit: A Peek at China’s Growing Underground Online Gaming Economy,” by Lion Gu.









    • Menard Osena (Solutions Product Manager)

      @Summer B
      Thanks for liking this post :)

    • Menard Osena (Solutions Product Manager)

      @Moriella

      Thanks for sharing your experience on this topic!

      I understand that this might be “old news” for some (especially for hard-core WoW gamers) but as an awareness campaign and as it may be of benefit to other Malware blog readers we continued with the posting.

      For:
      <blockquote>
      Furthermore, some unknown WoW-related forum website has been compromised, and the email addresses registered to that site have been spearphished with "your account is being investigated" messages. The sites are hosted in China with names like wow-support.something-not-wow-related.com or blizzard-armory.something-else-not-wow.us.
      </blockquote>

      I suggest that users DO NOT use the same email address that they use for Blizzard’s Battle.net registration, in registering to 3rd party gaming forums. This safety precaution will help avoid security risks (example: spear-phishing) and is a good security practice.

      For the phishing websites, I agree, we are seeing similar strings, "wow-support.something-not-wow-related.com" which are too numerous to list as these websites are sprouting like mushrooms (faster than infused mushroom spawns in the Dalaran Sewers :) ) in in-game whisper/chat.

      It is interesting to note that the majority (if not all) of the URLs are registered in China, but reading the accompanying research paper on CWM/Rattle Trojan will give a bigger picture of the underground online gaming economy. We will try to put more examples of websites in future blog articles related to this topic.

      Again thanks for the comment!
      Enjoy the game!

    • Menard Osena (Solutions Product Manager)

      @ross purdie

      <blockquote>
      I ASSUME WOW, HAVE A STANDING LAW. STATING MOST ADAMANTLY THAT UNDER NO CIRCUMSTANCE WILL THEY EVER ASK A PLAYER FOR THEIR PASSWORD. THIS IS A RECURRING PROBLEM & MOST PLAYERS SHOULD BE AWARE OF IT.
      </blockquote>

      Thanks for the comment! Yes Blizzard will NEVER ask for Battle.net account and password (I believe this applies to all of Battle.net games not just WoW and Starcraft 2) so any attempt to get this info from user should be viewed with suspicion.

      Have fun and enjoy the game!

      p.s. I like the way you named the Blizzard/Admin as “Game powers that be” :)

    • Menard Osena (Solutions Product Manager)

      @Andy Brown

      Thanks for appreciating the blog article! :)

      I totally agree that education (via information sharing in Malware Blog) will raise the awareness level with regards to WoW phishing scams. This effort will also be a good starting point to combat these online game threats.

    • http://vanguardguild.net Moriella

      It's good that you're posting this, but it's rather old news. These scams, both in-game and out, have been going on for quite a while. One trick we saw almost a year ago was to use the guild member lists to determine guild leaders, then send in-game mail using a lookalike name, such as replacing lowercase i with í, which are very similar in the in-game font.

      Furthermore, some unknown WoW-related forum website has been compromised, and the email addresses registered to that site have been spearphished with "your account is being investigated" messages. The sites are hosted in China with names like wow-support.something-not-wow-related.com or blizzard-armory.something-else-not-wow.us. Some of the links in the email are valid Blizzard links, but the ones they want you to click on are not.

    • http://www.issviews.com Andy Brown

      An excellent post and many thanks for blogging this.

      Having played the game myself for the last 5 years, I have noticed a sharp decline in Blizzard taking action on gold sellers and sites that exploit gamers. Frequently many are spamming or phishing for months on end.

      It appears that the only way to really combat this threat is to educate those less knowledgeable, as you have done so here :D

    • ross purdie.

      I AM A STARCRAFT PLAYER, JUST THE OTHER DAY I WAS READING SOME OF THE FORUM CONVERSATIONS. I WAS HAVING PROBLEMS GETTING BACK INTO THE GAME AFTER I DID A TOTAL SCAN OF MY L/TOP. I COULD GET TO A PARTICULAR POINT, WHICH WOULD THEN BAR ME. TELLING ME THAT I NEEDED TO ENTER CORRECT CODES, RAH, RAH. THIS WAS CRAP SO I TRIED TO GET SOME INFO FROM THE FORUM. THERE WERE A FEW COMPLAINTS, OTHER THAN MY OWN. THESE CONSISTED OF PLAYERS RECEIVING NOTES SAYING THAT THEY WERE BANNED FROM PLAYING. THEY COULD RECTIFY THE PROBLEM BY ENTERING THEIR PASSWORD ETC…. STARCRAFT, & I ASSUME WOW, HAVE A STANDING LAW. STATING MOST ADAMANTLY THAT UNDER NO CIRCUMSTANCE WILL THEY EVER ASK A PLAYER FOR THEIR PASSWORD. THIS IS A RECURRING PROBLEM & MOST PLAYERS SHOULD BE AWARE OF IT. IF A P/WORD IS REQUIRED,,, IGNORE IT & REPORT IT TO THE GAMES POWERS THAT BE…… don't let these scams ruin our fun.

    • http://summerburgen.typepad.com/blog/ Summer B

      Summer B likes this post :)xx
