Blizzard’s World of Warcraft (more popularly known as WoW) is one of the most popular massively multiplayer online role-playing games (MMORPGs) in the world. With more than 11.5 million subscribers as of 2008, WoW is plagued by a thriving underground online gaming economy.
The most common scam in WoW that Trend Micro has seen uses the in-game chat/whisper system.
An unsuspecting player receives an in-game chat/whisper from an unknown player offering free gifts (usually in-game pets, riding mounts, and vehicles), which the player can supposedly claim by registering at the website included in the chat message.
The website included is, of course, a phishing site that will gather the user’s Battle.net account name and password.
However, we have seen a new approach recently—the use of WoW’s postal system, more commonly known as the in-game mail system. In this new trick, the phishing URLs are sent via WoW in-game mail and are received by players in their in-game mailboxes.
The mail message contains a mix of surprises. It combines several elements from other Blizzard games. Wings of Liberty refers to StarCraft 2, which was launched in July 2010. “Deathy” refers to “Black Dragon Aspect Deathwing,” the major antagonist in the upcoming WoW expansion game, Cataclysm.
To add to its credibility, the phishing URL contains the string worldofwarcraft and an abbreviation of Cataclysm. It is also interesting to mention that the website domain is registered and hosted in China.
We also noted that WoW online scammers have raised the bar by pretending to be figures of authority, something seen in spam attacks outside the online gaming industry.
The scam perpetrator poses as a Blizzard employee with a name that contains a string similar to Blizzard. The attacker threatens to suspend the player’s account if he/she does not register at the website included in the chat message.
As in the attack mentioned earlier, the link goes to a phishing site that tries to steal the user’s Battle.net credentials. The phishing site very closely resembles the actual site in terms of layout. At first glance, the user may be led to believe that the URL is related to the WoW Armory, an official site containing information on in-game characters, guilds, and items.
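Both lures above rely on the same trick: brand strings such as worldofwarcraft or a reference to the Armory appear in a URL whose actual host is not a Blizzard domain. The Python sketch below is an added example, not code from Trend Micro or Blizzard, and shows how a filter could separate the two cases; the allowlist, the token list, and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains treated as official for this example.
OFFICIAL_DOMAINS = ("battle.net", "worldofwarcraft.com", "blizzard.com")
# Assumption: brand strings a lure may embed to look legitimate.
BRAND_TOKENS = ("worldofwarcraft", "warcraft", "battle.net", "battlenet",
                "blizzard", "armory")
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def is_official(host):
    """True only if host is an official domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify_url(url):
    """Return 'official', 'brand-lookalike', 'unrelated' or 'unparseable'."""
    if not re.match(r"https?://", url, re.IGNORECASE):
        url = "http://" + url
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
    except ValueError:
        return "unparseable"
    if not host:
        return "unparseable"
    if is_official(host):
        return "official"
    # netloc keeps any userinfo, so "brand.com@other-host" is also caught.
    haystack = (parts.netloc + parts.path).lower()
    if any(token in haystack for token in BRAND_TOKENS):
        return "brand-lookalike"
    return "unrelated"


def scan_message(text):
    """Extract URLs from chat or mail text and classify each one."""
    urls = [u.rstrip(".,!?)") for u in URL_RE.findall(text)]
    return [(u, classify_url(u)) for u in urls]


# Constructed sample messages using reserved .example/.test names.
SAMPLES = [
    "Free mount! Register at http://www.worldofwarcraft-cata.example/login",
    "Your account will be suspended, verify at www.wowarmory-account.test.",
    "Security tips are posted at https://us.battle.net/ for all players",
    "Our guild roster is at http://guild.example/roster",
]
```

The suffix match on a leading dot matters: a host like `worldofwarcraft.com.login.example` contains the official name but does not end with it, so it is reported as a lookalike rather than as official.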
To protect its customers, Blizzard has intensified its information campaign on Battle.net’s security page. It also provided very accessible means within the game to report users who are abusing its chat and mail systems.
Trend Micro users are protected from these World of Warcraft phishing attacks via the Trend Micro™ Smart Protection Network™, which blocks access to the phishing websites.
For a more in-depth analysis of a Trojan kit targeting online games (including World of Warcraft) and the underground online gaming economy, I highly recommend reading our research paper entitled, “Dissecting the XWM Trojan Kit: A Peek at China’s Growing Underground Online Gaming Economy,” by Lion Gu.