World of Phishcraft

Filed Under: SophosLabs, Spam

Security issues with the popular World of Warcraft (WoW) game are nothing new. To those who are not familiar with WoW, it's a Massively Multiplayer Online Role Playing Game (MMORPG) made by Blizzard Entertainment with over 8 million subscribers [1]. We have previously blogged about a trojan that steals WoW passwords [2], and gold-selling spam within WoW [3].

In the latest twist, scammers try to steal login credentials from unsuspecting WoW users via phishing, much like the phish campaigns that have been targeting various financial institutions:

World of Warcraft phishing email

Just like typical phish campaigns, this one looks very authentic: the links point to legitimate World of Warcraft pages and the formatting mimics the real suspension notifications. There are still a few subtle differences between a real notification and this scam, but they are not easy to spot. The only obvious sign is the link under the "enter in the following link and follow the form:" message. Instead of going to www.worldofwarcraft.com as the link text suggests, the underlying URL takes the user to a specially crafted phish domain:

World of Warcraft phishing site

Compare this phish site (above) with the real one (below):

World of Warcraft real site

Not much difference between the two sites, is there? The two sites are practically identical, except for the URL displayed in the browser address bar.

So, what is the lesson here? Safe computing practices are not just for visiting financial institutions' websites; they should be applied to every part of the daily computing routine.

In this case, WoW gamers would not become potential victims if they typed the full World of Warcraft URL into the browser instead of clicking on the link in the email.
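The tell-tale sign described above, link text naming one domain while the underlying href goes to another, can be checked mechanically before a message ever reaches a user. The Python script below is an added example, not part of the original post; the sample message and the phish hostname in it are constructed placeholders, not values from the real campaign.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anything that looks like a hostname inside the visible link text.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def base_domain(host):
    """'www.worldofwarcraft.com' -> 'worldofwarcraft.com' (last two labels)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_mismatched_links(html):
    """Return (text, href) pairs whose text names a domain other than the href's host."""
    parser = AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        host = urlparse(href).hostname or ""
        if any(base_domain(s) != base_domain(host) for s in HOST_RE.findall(text)):
            hits.append((text, href))
    return hits

# Constructed sample modelled on the suspension notice above; the phish
# host is a placeholder, not the real domain used by the campaign.
SAMPLE = (
    '<p>enter in the following link and follow the form:</p>'
    '<a href="http://account-verify.phish-example.invalid/login">'
    'www.worldofwarcraft.com</a>'
)

if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE):
        print(f"MISMATCH: shown '{text}' but href goes to '{href}'")
```

A link whose text is a domain that matches the href's registrable domain, or whose text is plain words such as "click here", is not flagged; only the text-says-one-domain, href-goes-elsewhere pattern is reported.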
