Beware of Blood Elves selling mounts

A friend of mine recently got hit by a pretty devious phishing scam targeting wealthy (in-game) players looking to make legitimate purchases. My friend, we'll call him Cobra, was in a major city when an offer in the Trade Channel caught his eye. A player, we'll call him Bubbles, was offering a Spectral Tiger Mount for 5000 gold. Since this mount is only available as a code on a rare loot card, Cobra contacted Bubbles to inquire. Purchasing codes for in-game items with in-game cash is perfectly legitimate, according to Blizzard, so Cobra did not worry about going against the TOS with this transaction.
Bubbles, a level 78 Blood Elf Mage, seemed legitimate. For one thing, he was not a throwaway low-level character. Also, he didn't want to take the cash then, but just to see it in a trade window to make sure Cobra was in possession of it. So Cobra gave Bubbles his email address only and waited for the email that included the code and a link to where to input the information.
Cobra was in-game on one computer and clicked on the link on a separate computer. The link went to a page that looked exactly like the non-Battle.Net account page. He logged in and it took him to a page that looked exactly like the official Blizzard code entry page that he had used when he entered his Polar Bear mount code from last year's BlizzCon. After three attempts to register the code he had received, he noticed that his other computer had disconnected from WoW.
When he tried to log in again, he was told that his account was now associated with a Battle.Net account and that his username and password were no longer valid. It just so happens that all of this was done during a break at work, and Cobra works with his guild leader, who we will call TSU. Cobra walked over to TSU's desk and asked him to log on and see if Cobra's character was logged in. Sure enough, it was. So TSU immediately demoted Cobra's character.
Unfortunately, TSU did not get a screenshot, but here is what happened next.
Hacker: What did you do that for?!?
TSU: You're a hacker.
Hacker: How do you know?
TSU: Because the real player is looking over my shoulder.
Hacker: O HAI!
Cobra was able to get in touch with Blizzard support and get his account back within 20 to 30 minutes after it was compromised. About 10K gold from various characters and all of his gems were gone. Also, some of his other items were on the Auction House. His gear was still intact and he was able to raid that same evening, so the damage was far less than others who have been hacked.
But wait! There's more! As I write this, Cobra's account got hacked again. Not only did the phishing site take his old account info, it downloaded a keylogger to steal the new account info. They logged into his character and started the scam all over again by spamming Trade Channel with the same Spectral Tiger Mount offer.
Using a server-known, high-level character (hacked from a previous transaction) for the initial communication and asking to only see the cash is an excellent way to both look legitimate and only get targets who have enough money to be worth further effort. Trusting a link in an email rather than going to the site directly was Cobra's biggest mistake and ultimately how his account was compromised. Having an Authenticator would have helped in this situation, but this kind of scam circumvents most other basic account security measures.
In general, if you want to conduct account-related business (for any account, not just WoW), get to the website yourself and use trusted links only. And, please, don't buy gold. If these hackers didn't have a market to sell their ill-gotten goods, then they wouldn't waste their time devising these scams in the first place.
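As an added illustration (not part of the original post), here is one way to check the host of an emailed link against the account sites you already trust before typing a password. The trusted list, the category names and the sample links are assumptions made for this example, and the "registrable domain" is approximated as the last two labels of the hostname.

```python
from urllib.parse import urlsplit

# Assumption: the account sites this reader treats as genuine (names from the post).
TRUSTED = ("battle.net", "blizzard.com")

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def classify(url):
    """Label the host of a link before anyone types a password into it."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return "no-host"
    labels = host.split(".")
    # Accented letters or punycode can render almost like a trusted name.
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return "non-ascii-lookalike"
    site = ".".join(labels[-2:])  # naive registrable domain, no public suffix list
    if site in TRUSTED:
        return "trusted"
    for good in TRUSTED:
        name, suffix = good.split(".")
        if f".{good}." in f".{host}.":
            return "trusted-name-in-subdomain"  # real name used as a prefix label
        if labels[-2:-1] == [name] and labels[-1] != suffix:
            return "wrong-suffix"               # right name, different TLD
        if edit_distance(site, good) <= 2:
            return "typo-lookalike"             # extra, missing or swapped letter
    return "unknown"

# Constructed sample links for illustration; not taken from the incident above.
SAMPLES = [
    "https://www.blizzard.com/account",
    "http://blizzzard.com/code",
    "https://battle.net.redeem.example/login",
    "https://blizzard.net/",
    "https://blízzard.com/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify(url):26} {url}")
```

Any result other than `trusted` is a reason to close the email and reach the account page from your own bookmark; even `trusted` only says the hostname matches, not that the message is genuine.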
Be careful out there!
Filed under: Mounts, Account Security
Reader Comments (Page 4 of 7)
Noid Jun 4th 2009 7:49PM
This happened to me. It was terrible. I had to contact Blizzard. I was an idiot to purchase it, no one ever do it. It was the worst week of my life. Epic flyer went out the window. Boo.
josh Jun 4th 2009 8:05PM
I have to say, blizz can really knock the wind out of the sales of the people who do this by making the most coveted land mount of all of them a bit less rare, have it a lvl 80 elite that drops the mount much like the TLPD, except have it on a 20-48 hr respawn timer in a random zone all over Azeroth and Outland.
And yes I know I spelled sails as sales, I was aiming it at goldseller sales and those who get paid to do this.
Fairlane Jun 4th 2009 10:57PM
"blizz can really knock the wind out of the sales"
Well played.
Molagmal Jun 4th 2009 8:09PM
6 euros and a bit of sending costs, the authenticator, just get one guys, and if you have full guild bank access you are crazy if you don't get one.
Best buy for me for 2008.
It seriously sucks that this stuff is still happening and I feel really bad for this guy that it happened to, sucks man.
And to Blizzard, maybe for the next expansion include an authenticator in the box? Add 6 euros to the price for all I care, at least saves us the sending costs and the time to get it on the internet.
frdmg Jun 4th 2009 8:16PM
While I will agree that 99% of these are scams... there is still that 1%. I know, because I bought a Spectral Tiger for 6k gold. Every time someone spammed WTS, I told them I would buy, but had to have the code first, then they would get the gold. Most people just ignored me (i.e. scammers). Obviously this takes some trust on the seller's side of things. Then one day, someone said 'ok'. Met him, he whispered me the code... I entered it, and paid him his 6k while sitting on my new mount.
However, I do agree that clicking on websites that you have no idea about, is just plain stupid. Common sense goes a long way. I have played for over 3 years, countless toons, 35k+ gold currently..and never have I been hacked...ever. No authenticator..nothing but common sense alone has prevented it.
Taladan Jun 4th 2009 8:30PM
Well, notice that, at no point, you left the game. That's a good indication that the person is serious about it.
rufwork Jun 4th 2009 8:48PM
Hrm... where did spectral tigers come from again? I suppose there's not exactly a market for scamming tigers by entering codes, huh? That is, once the code is entered, it's gone. You can't resell, correct?
Still, it takes one trusting seller to wait to get 6k g from you there. Lucky. Other posters have a point; Blizz should have some sort of in-game escrow for stuff like this.
frdmg Jun 4th 2009 8:55PM
Once you get the code from a TCG card, you enter the information on a WoW site, giving region and server..the loot code that is generated is now 'bound' to that realm. The WoW site gives you a new code to enter at the vendor. So in response to your question, once I enter the code at the vendor, it is no longer a valid code. I am assuming this is what you are asking.
And yes, it did take a lot of trust from the seller. However, I have made it a priority to be a trusting member of the server. I can only assume he knew this or asked around before agreeing. Another good reason to not be a jack-ass in trade or groups. =)
Dreadskull Jun 4th 2009 8:22PM
WoW players really need to learn to stop buying gold or selling/buying WoW accounts -_- If people weren't so stupid to try and break the ToS with gold buying and whatnot there wouldn't be a reason for phishers and such because it wouldn't provide profit -_-
*sigh*
Taladan Jun 4th 2009 8:28PM
Also, if you consider that a solo run in Mana Tombs will give you 50g-150g (yes, in a *single* run) and you can just run it, get out, sell the trash/soulbound stuff, reset the instance and *run it again*, it doesn't make sense buying gold *at all*!
Agerath Jun 4th 2009 9:56PM
@Taladan:
Why run mana-tombs when you can do strat in 10 minutes (ziggurat bosses, slaughterhouse, rivendare) and make just as much, with the added bonus of a shot at the mount (which continues to elude)?
ArtDecoAutomaton Jun 4th 2009 10:59PM
So any web site I visit can install a keylogger on my box?
jurandr Jun 4th 2009 11:44PM
Yeah. But there are several ways to lower the risks!
* A good firewall
* A good AV system
* Using Firefox with the NoScript extension
  ^ Not enabling scripts on sites you are not familiar with
* Being wary about the sites you visit
If you are infected with a keylogger 'trojan,' then even the strongest password will fall. Personally I run with the ZoneAlarm security suite, and a pretty tough hardware firewall that is pretty tough on files before they enter my network. But all these gadgets won't save me from a virus written by somebody who knows how to circumvent such measures.
As we say in the IT world, as long as a human is operating the machine, there is always a high risk factor. Or something like that.
Don't mistype URLs, and before visiting any link you see on the forums do a once-over to make sure it is a well-respected site and doesn't have an extra (or missing) letter, or the wrong suffix (.com/.net are completely different things).
jurandr Jun 4th 2009 11:51PM
no edit: wow.com needs to upgrade their comment systems.
If you see a URL (for example, I would go through the scenario in this article until I got the email with a link), send screenshots of your interactions in game, and the email to hacks@blizzard.com. They'll take precautions to prevent it happening to other players.
mrbreck Jun 4th 2009 8:27PM
I don't get how people don't freaking PAY ATTENTION TO THE URL OF THE LINK BEFORE YOU CLICK IT!!!
I'm sorry, but your friend is a dipshit.
Bubsa Jun 4th 2009 8:33PM
I'll be blunt.
Cobra's a moron.
Jido Jun 4th 2009 8:37PM
Interesting how no one has pointed out what they say about his guy getting his account hacked again AFTER the whole incident because of a key logger... does this mean he actually entered his credentials in a fake site PLUS likely ran some executable file from there? (key loggers don't just appear on your computer you know?...).
I'm not very fond of the idea of using an authenticator, but seems like the best way to protect your account, regardless of how careful you are. Tried getting one from Blizzard's Store and the page wouldn't work properly (got some XML/XSL error yesterday) or they were sold out (today).
And what really has me thinking is that 2 guild members this week got hacked (separate, unrelated incidents), which I had never seen happen before to anyone I knew (in-game at least).
Speaking of scams, also beware of any sort of in or out of game emails or messages prompting you to go to any website. A couple of months ago we had messages sent to our guild from some character named really closely - like had an accent on an i different kind of thing- to one of our officers and saying he had made a video to promote our guild, which was basically a link to an executable file. As far as I know no one fell for it, but we still warned everyone about it.
Robin Torres Jun 4th 2009 8:41PM
Keyloggers can be downloaded just by going to a site. So in a way, keyloggers can just appear on your computer :)
http://www.wow.com/2008/05/01/how-misspelling-might-get-you-keylogged/
Rilgon Jun 4th 2009 9:09PM
Not if you're running a secure web browser (i.e. Firefox) and using utilities to prevent injection of unwanted software (i.e. NoScript).
theRaptor Jun 4th 2009 9:19PM
@Rilgon
Firefox isn't secure. It starts to get secure when you have NoScript. But Microsoft handily installed an addon in their last Windows update that adds support for completely safe MS web technologies. And you have to edit registry entries and delete files to remove this "feature".
Most people running Firefox are currently now probably unsafer than someone running a version of IE so old that none of the hacks work on it.