World of Warcraft Phishing

Posted October 15, 2009 by cptholen
Categories: Email, Phishing Email, Security


Due to building my new business, I rarely have time to play World of Warcraft (WoW) anymore. Now that I don’t play, I find it amusing that I still get phishing attempts, especially at an email address no longer linked to the account. Here is the email:

From: wowaccountadmin <wowaccountadmin@blizzard.com>
To: mouzer <xxxxxx@xxxxxxx.net>
Sent: Saturday, October 10, 2009 2:31:20 PM
Subject: World of Warcraft – Account Information Change Instructions

Greetings!

It has come to our attention that you are trying to sell/trade your personal World of Warcraft account(s).

As you may or may not be aware of, this conflicts with the EULA and Terms of Agreement.

If this proves to be true, your account can and will be disabled. It will be ongoing for further investigation by Blizzard Entertainment’s employees.

If you wish to not get your account suspended you should immediately verify your account ownership. If the information is deemed accurate, the investigation will be dropped.

This action is taken because we at Blizzard Entertainment take these sales quite seriously. We need to confirm you are the original owner of the account.

This is easiest done by confirming your personal information along with concealed information about your account.

You can confirm that you are the original owner of the account by replying to this email with:

Use the following template below to verify your account and information via email.

* First and Surname

* Date of birth

* Address

* Zip code

* Phone number

* Country

* Account e-mail

* Account name

* Account password

* Secret Question and Answer

-Or-

WoW CD-Key

Show * Please enter the correct information

If you ignore this mail your account can and will be closed permanently. Once we verify your account, we will reply to your e-mail informing you that we have dropped the investigation.

We ask you to NOT change password until the investigation is fully completed.

Blizzard Entertainment Inc

Account Administration Team

P.O. Box 18979, Irvine, CA 92623

Regards,

Account Administration Team

Blizzard Entertainment

2009-10-11


wowaccountadmin

Looking a little deeper, it is easy to tell this is fake. To do this, though, you have to be able to look at the full header. Each mail program and webmail site handles this a bit differently. In Yahoo webmail, I just hit the Actions button and select Full Header to get a pop-up screen showing the full message headers. Here is the header of the phishing email with the clues in bold:

From wowaccountadmin Sat Oct 10 19:31:20 2009
X-Apparently-To: xxxxxx@xxxxx.net via 67.195.8.72; Sun, 11 Oct 2009 00:31:48 -0700
Return-Path: <drum_150@hotmail.com>
X-YMailISG: CLMtmbkWLDt2UbXYHjwDz3GY5Z3MDbVxt9ri8TfrBxbLtgCLxiGIzQnhD9fDPAlmdr4tVO7_5sYXqSmFr_CfH2qSwgGTI4Ed5PJV9bouWsNLSP8gkUPZHRrjDy5PDh4vrN7_KzA5l..fXgtt19Fdb91y8uM67MhntbiOePswQx6oCIezaGInYsZiRK9lg7Rdi_KrSwd9RF9jKM.u4oMMHNMVT_6BQczWRO7dfzKerO_iBybvIg3Q5jIbJoHRlYPy7shhpBdzmpAAo1MMa_IMmHh_nKQf2InxVDlxSn6wOZvvSKeSC0UKU6Z.Nr.uBXTqTFBqDrQ3yPCokDFHNjymHJSvExlVqoASID1aPei4qoPwezwYXfVRGoiw8UMhuhrh3IMX7wwpGQNzjy3.NrA-
X-Originating-IP: [65.55.111.157]
Authentication-Results: mta141.sbc.mail.mud.yahoo.com  from=blizzard.com; domainkeys=neutral (no sig); from=blizzard.com; dkim=neutral (no  sig)
Received: from 207.115.36.169  (EHLO nlpi155.prodigy.net) (207.115.36.169)
by mta141.sbc.mail.mud.yahoo.com with SMTP; Sun, 11 Oct 2009 00:31:48 -0700
X-Originating-IP: [65.55.111.157]
Received: from blu0-omc4-s18.blu0.hotmail.com (blu0-omc4-s18.blu0.hotmail.com [65.55.111.157])
by nlpi155.prodigy.net (8.13.8 inb ipv6 jeff0203/8.13.8) with ESMTP id n9B7Vl2N015162
for <xxxxxx@xxxxxx.net>; Sun, 11 Oct 2009 02:31:48 -0500
Received: from BLU0-SMTP59 ([65.55.111.136]) by blu0-omc4-s18.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Sun, 11 Oct 2009 00:31:47 -0700
X-Originating-IP: [114.94.67.251]
X-Originating-Email: [drum_150@hotmail.com]

Message-ID: <BLU0-SMTP59C0490813B5BAF9F6F95BAAC90@phx.gbl>
Received: from WWW-1984BD1A9E9 ([114.94.67.251]) by BLU0-SMTP59.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959);
Sun, 11 Oct 2009 00:31:47 -0700
Date: Sun, 11 Oct 2009 03:31:20 +0800
From: "wowaccountadmin" <wowaccountadmin@blizzard.com>
Reply-To: wowaccountadmin@vip.citiz.net
To: "mouzer" <xxxxx@xxxxxx.net>
Subject: World of Warcraft – Account Information Change Instructions
X-mailer: Foxmail 6, 15, 201, 22 [cn]
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="=====003_Dragon570470480664_====="
X-OriginalArrivalTime: 11 Oct 2009 07:31:47.0418 (UTC) FILETIME=[E3D63BA0:01CA4A44]
Content-Length: 5949

It is very easy to see that this email is not really associated with Blizzard from the “Reply-To: wowaccountadmin@vip.citiz.net”, “X-Originating-IP: [114.94.67.251]” and “X-Originating-Email: [drum_150@hotmail.com]” headers: the address the reply would go to, the machine the mail was submitted from, and the account that actually sent it all point somewhere other than blizzard.com.
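
The header checks described above, as an added example that is not part of the original post: a small Python script that parses a reconstructed copy of this email's headers and reports every field whose domain disagrees with the claimed From address, plus the absence of a verified DKIM/DomainKeys signature and the originating IP. The header text is rebuilt from the post with the recipient masked as in the original.

```python
import email
from email.utils import parseaddr

# Header block reconstructed from the phishing email quoted in this post
# (recipient masked as in the original); only the headers the checks use.
RAW_HEADERS = """\
Return-Path: <drum_150@hotmail.com>
Authentication-Results: mta141.sbc.mail.mud.yahoo.com  from=blizzard.com; domainkeys=neutral (no sig); from=blizzard.com; dkim=neutral (no  sig)
X-Originating-IP: [65.55.111.157]
X-Originating-IP: [114.94.67.251]
X-Originating-Email: [drum_150@hotmail.com]
From: "wowaccountadmin" <wowaccountadmin@blizzard.com>
Reply-To: wowaccountadmin@vip.citiz.net
Subject: World of Warcraft - Account Information Change Instructions

"""


def domain_of(addr: str) -> str:
    """Lower-cased domain of an address header value ('' if there is none)."""
    # Hotmail wraps X-Originating-Email in square brackets; strip them first.
    _, bare = parseaddr((addr or "").strip().strip("[]"))
    return bare.rsplit("@", 1)[1].lower() if "@" in bare else ""


def header_clues(raw: str) -> list[tuple[str, str]]:
    """Return (header, detail) pairs for each sign the sender is not who From claims."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    clues = []
    # Any of these pointing at a different domain than From is the classic phishing tell.
    for hdr in ("Reply-To", "Return-Path", "X-Originating-Email"):
        dom = domain_of(msg.get(hdr))
        if dom and dom != from_dom:
            clues.append((hdr, f"{dom} does not match From domain {from_dom}"))
    # The receiving MTA found no signature it could verify for the From domain.
    auth = (msg.get("Authentication-Results") or "").lower()
    if auth and "dkim=pass" not in auth and "domainkeys=pass" not in auth:
        clues.append(("Authentication-Results", f"no DKIM/DomainKeys signature verified for {from_dom}"))
    # Headers are prepended as mail travels, so the lowest X-Originating-IP
    # was added closest to the sender: that is the submitting client.
    ips = [v.strip("[]") for v in msg.get_all("X-Originating-IP", [])]
    if len(ips) > 1:
        clues.append(("X-Originating-IP", f"submitted from {ips[-1]}, relayed via {', '.join(ips[:-1])}"))
    return clues


if __name__ == "__main__":
    for hdr, detail in header_clues(RAW_HEADERS):
        print(f"{hdr}: {detail}")
```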

If you get an email like this and you are still concerned about your account, just contact Blizzard using a phone number from their website. Or simply check the full headers for clues.

Fantastic site dedicated to Social Engineering

Posted September 17, 2009 by cptholen
Categories: Links, Security, Security Research


I am always on the lookout for new tools and websites, especially security stuff. One of the more interesting websites, Social-Engineer.org, came to me today via a tweet from a former colleague, James Blake. The site is dedicated to the manipulative hacker art of social engineering made famous by guys like Kevin Mitnick.

The Social-Engineer team, consisting of notables like Chris “loganWHD” Hadnagy, Jim “Elwood” O’Gorman, and Mati “muts” Aharoni, have put together an impressive site to:

“create a place where professional social engineers can meet and share information with industry experts on deception detection, interrogation, neuro linguistic programming, elicitation and pretexting. Not just from one angle but how all these different aspects can be utilized in different parts of life.”

They have loaded it up with tools, videos, how-to’s and a wiki for what they are calling the Social Engineering Framework.

You can read their launch announcement here.

One clever thing with their home page that I really enjoyed was hitting refresh to see what new random quote would pop up at the bottom of the page. Two of my favorites were:

“The Internet, where men are men, women are men, and children are FBI agents.”

and

“Because there is no patch for human stupidity”

Definitely a very cool site.

links for 2009-09-13

Posted September 13, 2009 by cptholen
Categories: Links

New Ventures

Posted August 30, 2009 by cptholen
Categories: MSP, Personal

For most of this year I have been making ends meet by doing mostly consulting work. After a few months of planning and bringing on a partner, we have now launched Cognoscape, LLC. Our vision as an MSP (Managed Services Provider) is to take on the operational headache of technology for businesses and at the same time lower costs. With our proactive approach, our customers’ systems are more secure, stable, and efficient. Business owners are able to focus their time and energy on their business rather than on the management of technology.

I have always wanted to scratch my entrepreneurial itch, and now I have my chance.

Apple fixes iPhone vulnerability

Posted August 3, 2009 by cptholen
Categories: Hack, Mobile, Security Vulnerabilities, iPhone

Apple has released a fix for the vulnerability used in the iPhone hack demonstrated at BlackHat last week. This firmware patch fixes the bug in the decoding of SMS messages that allowed code execution. Nice of Apple to give credit:

“Credit to Charlie Miller of Independent Security Evaluators, and Collin Mulliner of Fraunhofer SIT for reporting this issue.”

Read the details of the patch at http://support.apple.com/kb/HT3754 .

iPhone Hack from BlackHat Conference

Posted July 30, 2009 by cptholen
Categories: Hack, Mobile, Security, iPhone

I found it interesting that my wife had heard on a local pop radio station about hackers being able to take over iPhones by sending symbols via SMS text. The radio personalities warned that people should turn their phones off if they were to receive such a text. The first thing that came to mind as we talked this morning was that this was some sort of hoax. After a little research, it seems that security experts Charlie Miller and Collin Mulliner have exposed a fun iPhone hack at BlackHat this week, and it seems to be true.

It would have been fun to be there. You can read some details about it here: iPhone Hack Exposed: The Key Facts.

links for 2009-07-27

Posted July 27, 2009 by cptholen
Categories: Links

Hacker Says iPhone 3GS Encryption Is ‘Useless’ for Businesses | Gadget Lab | Wired.com

Posted July 27, 2009 by cptholen
Categories: Mobile, Security Vulnerabilities, iPhone

Wired.com has an interesting article about flaws in the iPhone 3GS’s encryption feature. While defeating the device’s encryption does require several steps and third-party tools, it is an interesting read and does highlight that there are risks despite the marketing. Always be mindful of the private personal data you keep on these types of devices.

Dangers of PC repair

Posted July 24, 2009 by cptholen
Categories: Bank Fraud, PC, Security

Many people drop off their computers with strangers every day across the US. Whether using the Geek Squad at Best Buy or a neighborhood PC repair shop, there are still risks. A recent research study in the UK looks into what can happen with your PC. While this may be common sense to some, I doubt they would be the type to use this kind of service, since they can probably diagnose and repair the system themselves. For the majority of trusting people, here are some suggestions for protecting personal data when needing to use a PC repair service:

  • Remove the hard drive before dropping off the system (if the problem is not related to the OS or hard drive)
  • Encrypt files and data that you would not want to share with everyone on the planet (better to use encryption software over built-in Windows encryption)
  • If using Windows built-in encryption, create a new username/password for the repair person to use.
  • Protect files and data from data loss by keeping data backed up. (Check out iBackup as an online backup solution)

You can read the original article on the UK study here: PC repair shop caught trying bank fraud • Channel Register.

links for 2009-04-25

Posted April 25, 2009 by cptholen
Categories: Links