How cybercriminals victimize WoW players

[harlan4096]

How attackers hunt for Battle.net accounts in World of Warcraft, aiming to get valuable content.

A Battle.net account is something attackers find valuable. They can use it to get access to purchased games as well as characters and in-game currency and items. If a player has properly configured their account, however, then contacting technical support will likely help them regain control and restore stolen virtual wealth.

Nevertheless, attackers can still cause you a lot of inconvenience, so it’s better to act now to avoid being hacked later. So that you too can avoid this unpleasant situation, I’m going to tell you what I learned from an attempt to hijack my Battle.net account using in-game phishing in World of Warcraft Classic.

The “Bizzard” account theft scheme

Phishing used to be a fairly common problem in the original version of WoW. However, I had almost never run into it in the recently released World of Warcraft Classic[i] — that is, until some warrior named “Bizzard” messaged me: “[Blizzard Entertainment] GM: Violation: Economic exploit. Please visit: [www.blizzardwarcraft.com]. Otherwise, we will suspend your account.”[/i]

To say that there was something fishy about this message would be an understatement. For starters, it’s hard to believe that a real game master at Blizzard Entertainment would respond to such violations as “economic exploits” using a character name that was similar but not identical to the name of the company and inform a player that they had to visit a particular site. Moreover, just for the record, I absolutely did not violate anything.

I usually just ignore such messages, but this time I got curious and decided to investigate how this particular scheme worked. First, I checked the link using whois services because I recognized that the domain was not one of the domains belonging to Blizzard (such as blizzard.com, battle.net, or worldofwarcraft.com). Also calling the site’s legitimacy into question was the lack of any security certificate whatsoever.

As I suspected, the blizzardwarcraft.com domain that the mighty Bizzard wanted me to visit had been registered for less than a week. Moreover, the attackers did not even try very hard to cover their tracks: The domain was registered by someone from the Chinese province of Anhui through the Hong Kong registrar Hongkong Domain Name Information Management Co., Ltd.

Nevertheless, the phishing site looks convincing. Its appearance is quite similar to legitimate login page eu.battle.net. The Security Check label, which is formatted using the wrong font and color, does spoil the impression a bit. And the Facebook and Google login options don’t work, as you might already suspect. However, almost all other links on this fraudulent page lead to real Blizzard sites. That said, their nationality is not consistent: Some are European, others American.

I decided to continue my investigation to see exactly how the attacker would pursue hijacking my account. Right on the fake page, I clicked the “Create a free Blizzard Account” link (which was fine; the link led to the genuine Blizzard site), and signed up for a new account. Having thus prepared myself for my experiment, I proceeded to hand over my newly created account and password to the attackers.

After I entered my credentials on the fake page, the creators of the site asked me to help them secure my new account by performing a quick check. To do that, of course, I had to enter a verification code sent by e-mail. This code came from Blizzard’s real address.

I had anticipated that step, and as soon as I entered my credentials on the fake page, the attackers immediately entered them on the real site. But they also needed to enter a verification code. Blizzard sent that code to my mail, but the attackers needed to get it from me. Of course, I played along and entered the code on the fake page.

In addition, for some reason, they asked me to answer a secret question on the final page. The truth is, when I registered, I did not set up any secret questions. No worries there, though: I was ready to give them an answer.

...

Continue Reading