Dissecting a World of Warcraft Phishing Attack

I recently received the following email attempting to obtain my Battle.net login information. The email is of course designed to steal credentials for World of Warcraft.

from: Blizzard Entertainment <kang111329@gmail.com>
to: <removed>@gmail.com
date: Thu, Jan 16, 2014 at 4:46 AM
subject: Blizzard Entertainment - Account Investigation Notification
mailed-by: gmail.com
signed-by: gmail.com
Violates our policies for Battle.net
Dear customer,
Because you are involved in the trading of gold and equipment, legitimately means playing with an unaltered game client. Doing otherwise violates our policies for Battle.net, and it goes against the spirit of fair play that all of our games are based on. We strongly recommend that you avoid using any hacks, cheats, bots, or exploits. Suspensions and bans of players that have used or start using cheats and hacks.
You can confirm that you are the original owner of the account to this secure website with:
http://www.blizzardmory.com/login/login.aspx?ref=https%3A%2F%2Fwww.worldofwarcraft.com%2Faccount%2F&app=wam
Login to your account, In accordance following template to verify your account.
* Account Name and Password
* Secret Question and Answer
Show * Please enter the correct information
If you ignore this mail your account can and will be closed permanently.
If you wish to review our current Rules and Policies for World of Warcraft and Battle.net, they can be found at:
http://www.blizzardmory.com/login/login.aspx?ref=https%3A%2F%2Fwww.worldofwarcraft.com%2Faccount%2F&app=wam
For further security tips, please visit:
http://www.blizzardmory.com
Regards,
Customer Services
Account Administration Team
Blizzard Entertainment 
Let's take a look at the email in depth and work out where this phish is coming from.

First, the headers. Keep in mind that every mail server prepends its own Received header as the message passes through it, so the chain reads from the bottom (the origin) to the top (final delivery)...

Delivered-To: <removed>@gmail.com
Received: by 10.76.35.106 with SMTP id g10csp333443oaj;
Thu, 16 Jan 2014 01:46:53 -0800 (PST)
X-Received: by 10.236.162.132 with SMTP id y4mr8761022yhk.16.1389865613570;
Thu, 16 Jan 2014 01:46:53 -0800 (PST)
Return-Path: <kang111329@gmail.com>
Received: from mail-pd0-x244.google.com (mail-pd0-x244.google.com [2607:f8b0:400e:c02::244])
by mx.google.com with ESMTPS id r46si8154871yhm.97.2014.01.16.01.46.53
for <REMOVED@gmail.com>
(version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
Thu, 16 Jan 2014 01:46:53 -0800 (PST)
Received-SPF: pass (google.com: domain of kang111329@gmail.com designates 2607:f8b0:400e:c02::244 as permitted sender) client-ip=2607:f8b0:400e:c02::244;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of kang111329@gmail.com designates 2607:f8b0:400e:c02::244 as permitted sender) smtp.mail=kang111329@gmail.com;
dkim=pass header.i=@gmail.com;
dmarc=pass (p=NONE dis=NONE) header.from=gmail.com
Received: by mail-pd0-f196.google.com with SMTP id p10so1672957pdj.7
for <REMOVED@gmail.com>; Thu, 16 Jan 2014 01:46:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=message-id:from:to:subject:date:mime-version:content-type;
bh=pEbnWMutB5IT+Cu6Iw+uG/MCGMaQPpE2Wy5Z/fKV1CQ=;
b=D4J/3RsGsbWvx7mtNusXeNiwt89cN+T2J7ow3zVmeu8EaKj+K9+8eMflkhQAuNQYRJ
275e8YsFNIqokAB+MwaylH6WeqyLlDqmmunHxVlx9OncZ+OLLmKchAgfpommrz+9eQwi
Tfr0Ah1Cq/czOz2DPTjQHpGkHezYlmGPYoGRqcBXZPLllyFRc51qgkzepAFsw2qmrh9K
fgDFa1pSwozQtUXXDzp/auBO8AxSSG1rtPb3SKX0heraBuRTHFWvIjhdfPV1515RuYUy
KMXbDSVXNpd45LdIjz3L8jZT/KJz4lqX4jruWnG1JW2o3UP/vLRVyNhLeAuxIlDiq/V5
ey7w==
X-Received: by 10.66.189.100 with SMTP id gh4mr8670088pac.25.1389865612497;
Thu, 16 Jan 2014 01:46:52 -0800 (PST)
Return-Path: <kang111329@gmail.com>
Received: from bxtpshcob ([1.59.138.191])
by mx.google.com with ESMTPSA id by1sm13841236pbd.25.2014.01.16.01.46.47
for <REMOVED@gmail.com>
(version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
Thu, 16 Jan 2014 01:46:51 -0800 (PST)
Message-ID: <8B06FE22A25624001B3CACB66EBBF065@bxtpshcob>

This email indeed traveled through Gmail, and was sent from a genuine Google account: SPF, DKIM and DMARC all pass, but they pass for gmail.com, the domain actually in the From address, and say nothing about the "Blizzard Entertainment" display name in front of it. That should be the very first "red flag" for anyone that this isn't a real Blizzard email, as those wouldn't come from Gmail.

So where did this email originate from? The bottom-most Received header provides valuable insight...

Received: from bxtpshcob ([1.59.138.191])
by mx.google.com with ESMTPSA id by1sm13841236pbd.25.2014.01.16.01.46.47
for <REMOVED@gmail.com>

This header shows the message entered Gmail from 1.59.138.191. The protocol token ESMTPSA means the client connected over TLS and authenticated with SMTP AUTH, so whoever was at that address logged in to the kang111329@gmail.com account and submitted the message rather than relaying it from another mail server. The HELO name bxtpshcob is not a real hostname, and it reappears as the right-hand side of the Message-ID, so both were generated on the submitting machine. Most likely the email was sent by mass mailer software.

According to Network-Tools, 1.59.138.191 is in China. Specifically, the address is allocated to China Unicom, a state-owned mobile phone and internet provider. As far as I can tell, they do not provide server hosting. This leads to the conclusion that the attacker is either using a compromised system or a home connection in China to send the phishing emails, or is actually bold enough to use their own connection.
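The header checks above can be scripted. The following is an added example written for this post, not code from the original article or from any mail tool: it walks the Received chain in transit order, pulls out the originating IP and HELO name, notes whether the submission was authenticated (ESMTPA/ESMTPSA), reads which domain the Authentication-Results actually vouch for, and flags a display name that borrows a brand whose domains the From address does not belong to. The sample message is constructed from the headers quoted above (re-folded, recipient replaced with victim@example.com), and the list of legitimate Blizzard sender domains is an assumption for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted above, re-folded with leading
# whitespace on continuation lines (as an MTA writes them) and with the
# recipient replaced by victim@example.com. It is not a saved copy of the mail.
RAW_PHISH = """\
Delivered-To: victim@example.com
Return-Path: <kang111329@gmail.com>
Received: from mail-pd0-x244.google.com (mail-pd0-x244.google.com [2607:f8b0:400e:c02::244])
        by mx.google.com with ESMTPS id r46si8154871yhm.97.2014.01.16.01.46.53
        for <victim@example.com>
        (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Thu, 16 Jan 2014 01:46:53 -0800 (PST)
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of kang111329@gmail.com designates 2607:f8b0:400e:c02::244 as permitted sender) smtp.mail=kang111329@gmail.com;
       dkim=pass header.i=@gmail.com;
       dmarc=pass (p=NONE dis=NONE) header.from=gmail.com
Received: by mail-pd0-f196.google.com with SMTP id p10so1672957pdj.7
        for <victim@example.com>; Thu, 16 Jan 2014 01:46:52 -0800 (PST)
Received: from bxtpshcob ([1.59.138.191])
        by mx.google.com with ESMTPSA id by1sm13841236pbd.25.2014.01.16.01.46.47
        for <victim@example.com>
        (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Thu, 16 Jan 2014 01:46:51 -0800 (PST)
Message-ID: <8B06FE22A25624001B3CACB66EBBF065@bxtpshcob>
From: Blizzard Entertainment <kang111329@gmail.com>
To: victim@example.com
Subject: Blizzard Entertainment - Account Investigation Notification

(body omitted)
"""

# RFC 3848 "with" tokens whose trailing A means the client used SMTP AUTH,
# i.e. it logged in to the account rather than relaying as a foreign server.
AUTH_SUBMISSION = {"ESMTPA", "ESMTPSA"}


def received_hops(raw_message):
    """Received headers in transit order, origin first.

    Each MTA prepends its own Received line, so the stored order is
    delivery-to-origin; reversing it walks the path the message took.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        h = " ".join(value.split())          # unfold the header
        helo = re.match(r"from\s+(\S+)", h)
        ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", h)
        by = re.search(r"\bby\s+(\S+)", h)
        proto = re.search(r"\bwith\s+(\S+)", h)
        hops.append({
            "helo": helo.group(1) if helo else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
            "with": proto.group(1) if proto else None,
        })
    return hops


def triage(raw_message, brand, brand_domains):
    """The checks the post does by hand: where the mail entered the mail
    system, whether it was submitted with a login, what the authentication
    results actually vouch for, and whether the display name borrows a brand
    that the From domain does not belong to.

    brand: lower-case word expected in a genuine sender's display name.
    brand_domains: domains such mail would legitimately come from.
    """
    msg = message_from_string(raw_message)
    hops = received_hops(raw_message)
    origin = next((h for h in hops if h["ip"]), None)

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # spf/dkim/dmarc vouch only for the domain named in header.from;
    # they say nothing about the human-readable display name.
    results = " ".join(msg.get("Authentication-Results", "").split())
    dmarc = re.search(r"dmarc=(\w+).*?header\.from=([\w.-]+)", results)

    # A Message-ID whose right-hand side is the origin's HELO name was
    # generated on the submitting machine itself.
    mid_host = msg.get("Message-ID", "").strip().strip("<>").rpartition("@")[2]

    return {
        "origin_ip": origin["ip"] if origin else None,
        "origin_helo": origin["helo"] if origin else None,
        "submitted_with_auth": bool(origin and origin["with"] in AUTH_SUBMISSION),
        "dmarc": dmarc.group(1) if dmarc else None,
        "authenticated_domain": dmarc.group(2) if dmarc else None,
        "display_name_spoof": brand in name.lower() and from_domain not in brand_domains,
        "message_id_from_origin": bool(origin and mid_host and mid_host == origin["helo"]),
    }


if __name__ == "__main__":
    # The legitimate Blizzard sender domains are assumed here for the example.
    for key, val in triage(RAW_PHISH, "blizzard", {"blizzard.com", "battle.net"}).items():
        print(f"{key:24} {val}")
```

Run against the sample, this reports the origin as 1.59.138.191 (HELO bxtpshcob, authenticated submission), an authenticated domain of gmail.com, a Message-ID minted on the origin host, and a display-name spoof, which is the whole story of the headers in one dictionary. On a message with several external hops, the first hop carrying a client IP is the one to geolocate; hops without brackets are internal handoffs inside one provider.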

Next let's take a look at the hosting information for the phish.

The phish uses the domain blizzardmory.com. This is of course a lookalike of "Blizzard Armory" with two letters dropped.

According to whois records, the domain was registered on December 22, 2013, less than a month before the email was sent, and for only one year, the minimum term.

Domain Name: BLIZZARDMORY.COM
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.4CUN.COM
Name Server: NS2.4CUN.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 22-dec-2013
Creation Date: 22-dec-2013
Expiration Date: 22-dec-2014
Registry Registrant ID:
Registrant Name: wu di wu di
Registrant Organization: wu di
Registrant Street: baiyunshan
Registrant City: GuangZhou
Registrant State/Province: Jiangsu
Registrant Postal Code: 100000
Registrant Country: CN
Registrant Phone: +86.015445654612
Registrant Phone Ext:
Registrant Fax: +86.015445654612
Registrant Fax Ext:
Registrant Email: dsadsa@16.com 

As you can see, the domain was registered under details that are almost certainly fraudulent: the city given is Guangzhou but the province is Jiangsu (Guangzhou is in Guangdong), and 100000 is a Beijing postal code. The registrar, Bizcn, is also based in China.

A Google search shows that the email dsadsa@16.com has only been used in association with this phishing campaign. 16.com is apparently a website for teens offering advice and information on various topics. Most likely either the site's email was compromised to register the domain, or Bizcn does not verify registrant email addresses.
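The registration indicators above (a brand lookalike label, a domain only days old when the mail arrived, a one-year term) are the kind of thing worth checking automatically when triaging a phishing URL. The following is an added example written for this post, not the author's code or output from any whois tool: it parses a whois record in the key: value form quoted above, computes the domain's age at the time the phish was seen and its registration term, and measures how close the label is to a set of brand names. The whois text is a constructed copy of the record above reduced to the fields used; the date it is compared against comes from the headers; the list of brand labels is an assumption for the example.

```python
from datetime import datetime

# Constructed sample: the whois record quoted above, reduced to the fields
# used here, in the key: value form the registry returns. Not a live lookup.
WHOIS_RECORD = """\
Domain Name: BLIZZARDMORY.COM
Registrar: BIZCN.COM, INC.
Name Server: NS1.4CUN.COM
Name Server: NS2.4CUN.COM
Creation Date: 22-dec-2013
Expiration Date: 22-dec-2014
Registrant Name: wu di wu di
Registrant Country: CN
Registrant Email: dsadsa@16.com
"""

# When the phish was received, taken from the headers above.
SEEN_AT = datetime(2014, 1, 16)

# Legitimate labels to compare the phishing label against. These are
# assumed for the example, not taken from the post.
BRAND_LABELS = ["blizzardarmory", "battlenet", "worldofwarcraft"]


def parse_whois(text):
    """Turn 'Key: value' lines into a dict keyed by lower-case field name;
    fields that repeat (name servers) collect into a list."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key not in record:
            record[key] = value
        elif isinstance(record[key], list):
            record[key].append(value)
        else:
            record[key] = [record[key], value]
    return record


def edit_distance(a, b):
    """Levenshtein distance between two labels, for spotting lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_findings(whois_text, seen_at, brand_labels, max_age_days=30, max_distance=2):
    """Indicators worth pulling from a suspicious domain's registration."""
    rec = parse_whois(whois_text)
    created = datetime.strptime(rec["creation date"], "%d-%b-%Y")
    expires = datetime.strptime(rec["expiration date"], "%d-%b-%Y")
    label = rec["domain name"].lower().split(".")[0]
    closest = min(brand_labels, key=lambda b: edit_distance(label, b))
    distance = edit_distance(label, closest)
    age_days = (seen_at - created).days
    term_years = round((expires - created).days / 365)
    return {
        "age_days_when_seen": age_days,
        "newly_registered": age_days < max_age_days,
        "term_years": term_years,
        "minimum_term": term_years == 1,
        "closest_brand": closest,
        "edit_distance": distance,
        "lookalike": 0 < distance <= max_distance,
        "name_servers": rec.get("name server"),
        "registrar": rec.get("registrar"),
    }


if __name__ == "__main__":
    for key, val in domain_findings(WHOIS_RECORD, SEEN_AT, BRAND_LABELS).items():
        print(f"{key:20} {val}")
```

For this record the domain was 25 days old when the mail arrived, held for a single year, and two edits away from "blizzardarmory". The thresholds (30 days, distance 2) are starting points; tune them to the brand list you protect, since short brand labels produce false lookalike matches at distance 2.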

Interestingly, the domain blizzardmory.com itself resolves to 74.126.177.26.

This IP address is hosted by INTERNETXTUSA. Having never heard of this company before, I did a quick search and found that it is actually a "forwarder" for Chinese spam and malware.

So why does all of this point back at China? As many Warcraft players know, there is a "cottage industry" in China selling in-game currency for multiple MMOs. Although this is against most games' terms of service, the industry thrives as long as players will pay for the gold. When hundreds or even thousands of gold can be bought for pennies, it becomes very tempting for a player to "get the extra edge". To increase profits, most of the gold sellers have resorted to stealing gold from players through phishing and then reselling it to other players.

Unfortunately, I was unable to find any identifiers in common with known gold sellers. Hopefully someone else can take this research further and identify which gold seller is making its profits by stealing accounts.
