
Dissecting a World of Warcraft Phishing Attack

I recently received the following email attempting to obtain my Battle.net login information. This email is of course designed to steal credentials for World of Warcraft.

from: Blizzard Entertainment kang111329@gmail.com
to: <removed>@gmail.com
date: Thu, Jan 16, 2014 at 4:46 AM
subject: Blizzard Entertainment - Account Investigation Notification
mailed-by: gmail.com
signed-by: gmail.com

Violates our policies for Battle.net

Dear customer,

Because you are involved in the trading of gold and equipment, legitimately means playing with an unaltered game client. Doing otherwise violates our policies for Battle.net, and it goes against the spirit of fair play that all of our games are based on. We strongly recommend that you avoid using any hacks, cheats, bots, or exploits. Suspensions and bans of players that have used or start using cheats and hacks.

You can confirm that you are the original owner of the account to this secure website with:
http://www.blizzardmory.com/login/login.aspx?ref=https%3A%2F%2Fwww.worldofwarcraft.com%2Faccount%2F&app=wam

Login to your account, In accordance following template to verify your account.
* Account Name and Password
* Secret Question and Answer
* Please enter the correct information

If you ignore this mail your account can and will be closed permanently.

If you wish to review our current Rules and Policies for World of Warcraft and Battle.net, they can be found at:
http://www.blizzardmory.com/login/login.aspx?ref=https%3A%2F%2Fwww.worldofwarcraft.com%2Faccount%2F&app=wam

For further security tips, please visit:
http://www.blizzardmory.com

Regards,
Customer Services
Account Administration Team
Blizzard Entertainment
Let's take a look at the email in depth and analyze where this phish is coming from.
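The three tells visible in the quoted message are the gmail.com sender address behind a "Blizzard Entertainment" display name, the look-alike host blizzardmory.com in every link, and the legitimate worldofwarcraft.com URL tucked into the ref= query parameter as a decoy. The script below is an added example, not code from the original post: it parses a message constructed from the quoted headers and body with Python's standard email and urllib modules and pulls those three indicators out. The LEGIT_DOMAINS set, the two-label registered_domain() helper and the victim address are assumptions made for the example.

```python
"""Added example (not from the original post): extract the phishing indicators
the post points at from a raw RFC 822 message."""
import email
import email.utils
import re
from email import policy
from urllib.parse import parse_qs, unquote, urlparse

# Constructed from the message quoted in the post; the recipient is a placeholder.
RAW_MESSAGE = """\
From: Blizzard Entertainment <kang111329@gmail.com>
To: victim@example.com
Date: Thu, 16 Jan 2014 04:46:00 -0500
Subject: Blizzard Entertainment - Account Investigation Notification

Dear customer,
You can confirm that you are the original owner of the account to this secure website with:
http://www.blizzardmory.com/login/login.aspx?ref=https%3A%2F%2Fwww.worldofwarcraft.com%2Faccount%2F&app=wam
For further security tips, please visit:
http://www.blizzardmory.com
"""

# A constructed benign message for comparison (not a real Blizzard mail).
CLEAN_MESSAGE = """\
From: Blizzard Entertainment <noreply@battle.net>
To: victim@example.com
Subject: Your account settings

Manage your account at https://www.battle.net/account
"""

# Assumption for the example: the domains the brand legitimately sends from and links to.
LEGIT_DOMAINS = {"blizzard.com", "battle.net", "worldofwarcraft.com"}

URL_RE = re.compile(r'https?://[^\s<>"]+')


def registered_domain(host: str) -> str:
    """Naive registered domain: the last two labels (assumption; production code
    should use a public-suffix list so co.uk-style domains are handled)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze(raw: str) -> list:
    """Return a list of human-readable findings for a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name claims the brand, but the address is a free-mail domain.
    name, addr = email.utils.parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2].lower()
    if "blizzard" in name.lower() and registered_domain(sender_domain) not in LEGIT_DOMAINS:
        findings.append(f"display name {name!r} but sender domain {sender_domain} is not a brand domain")

    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in URL_RE.findall(body):
        u = urlparse(url)
        host = u.hostname or ""
        host_dom = registered_domain(host)

        # 2. Link host is a look-alike rather than a brand domain.
        if host_dom not in LEGIT_DOMAINS:
            findings.append(f"link host {host} is not a brand domain")

        # 3. A real brand URL hidden in a query parameter of a look-alike link
        #    (parse_qs percent-decodes the values; unquote is a no-op safeguard).
        for key, values in parse_qs(u.query).items():
            for value in values:
                if value.lower().startswith("http"):
                    inner = urlparse(unquote(value)).hostname or ""
                    if registered_domain(inner) in LEGIT_DOMAINS and host_dom not in LEGIT_DOMAINS:
                        findings.append(
                            f"parameter {key!r} carries brand domain {inner} as a decoy inside a link to {host}"
                        )
    return findings


if __name__ == "__main__":
    for finding in analyze(RAW_MESSAGE):
        print("-", finding)
```

Run against the quoted message it reports four findings (sender mismatch, two look-alike hosts, one decoy parameter) and nothing for the benign sample. The heuristics are deliberately narrow; an attacker can dodge the registered-domain check with a subdomain of a compromised site, so treat the output as triage hints rather than a verdict.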

#ALERT: As Tensions Escalate with Syria, Beware Phishing Attacks

As tensions escalate with Syria, it is highly probable that phishing attacks will begin accompanying real news articles.

A common tactic used by malware writers and phishing senders is to exploit recent news to get you to download their malicious files. This could be through a well-crafted email with an embedded link or an infected attachment, claiming to be a real news article.

The most important step you can take is to be vigilant, and don't click on links within emails, even if they appear to originate from friends. A common tactic now used by scammers and phishers is to compromise someone's email account, then use that account to send messages to the person's contacts.

Also, don't expect this to come only through email. Many spammers and phishers are now using social media, including Facebook and Twitter messages.

Know the signs of targeted spear phishing. If you work for the government, or are employed by a government contractor, you will be a prime target. Spearphishing directed towards you may appear very credible, and may even be sent to your work email address.

Stay Vigilant.

Why the Syrian Electronic Army Didn't Hack the NY Times

I'm just going to come out and say it. The Syrian Electronic Army (SEA) is a fraud. They didn't "hack" the New York Times, or any other high visibility websites today.

All SEA did today was an extremely old trick: domain hijacking. For those not familiar with it, here's a great writeup on how domain hijacking works.

Now it's possible that SEA performed the domain hijacking through a compromise of MelbourneIT, but this in itself is also unlikely, given their previous successful "attacks" used low-tech spearphishing (targeted social engineering) to obtain credentials from target organizations.

Previously, the Syrian Electronic Army gained control of the Associated Press' Twitter account, The Onion's Twitter account, and the advertising service "Outbrain", all through spearphishing attacks.

Sensationalize their "hacking abilities" all you want. The Syrian Electronic Army has so far displayed very little technical skill, instead attacking "soft targets" and using social engineering. While these attacks have so far been effective, they only point out the lack of security awareness training in today's workforce, and not any serious software flaws.

Any organization which has been directly hit by SEA (and that excludes the victims of domain hijacking) should seriously reexamine their employee security awareness training, and possibly consider bringing in an outside consulting company to help identify deficiencies.

The weakest link in any network will always be uneducated users.

A Look at Fax Phishing

I recently set up a new honeypot which appears to be an IT security related company.

In addition to a few other hidden gems, this honeypot is complete with fake contact information for the company, including email, phone, and fax.

Today I received my first hit from the honeypot - and I was very surprised when it was a phishing attempt over fax!

[Image: The phishing attempt sent over fax]

This fax claims to be from the company's HR department, is addressed to all employees, and advertises a 6 day all inclusive vacation at an exotic out-of-the-country location for only $129 per person.

The old adage holds true here: if something sounds too good to be true, it probably is.

A quick search shows that the number is very commonly used in scams, as seen here and here.

Of course the dead giveaway that this is a scam is that my honeypot doesn't have an HR department, and no one actually exists in the company to send such an offer to the honeypot's nonexistent employees.

I have a feeling this new honeypot will provide for some great entertainment. Stay tuned for more!