Patch 5.3 interview with Ghostcrawler
Mystery of the Unborn Val'kyr
The latest patch 5.3 news
All of the latest Mists of Pandaria newsBeware of Blood Elves selling mounts
by Robin Torres 
Jun 4th 2009 at 7:00PM
A friend of mine recently got hit by a pretty devious phishing scam targeting wealthy (in-game) players looking to make legitimate purchases. My friend, we'll call him Cobra, was in a major city when an offer in the Trade Channel caught his eye. A player, we'll call him Bubbles, was offering a Spectral Tiger Mount for 5000 gold. Since this mount is only available as a code on a rare loot card, Cobra contacted Bubbles to inquire. Purchasing codes for in-game items with in-game cash is perfectly legitimate, according to Blizzard, so Cobra did not worry about going against the TOS with this transaction.
Bubbles, a level 78 Blood Elf Mage, seemed legitimate. For one thing, he was not a throwaway low level character. Also, he didn't want to take the cash then, but just see it in a trade window to make sure Cobra was in possession of it. So Cobra gave Bubbles his email address only and waited for the email that included the code and a link to where to input the information.
Bubbles, a level 78 Blood Elf Mage, seemed legitimate. For one thing, he was not a throwaway low level character. Also, he didn't want to take the cash then, but just see it in a trade window to make sure Cobra was in possession of it. So Cobra gave Bubbles his email address only and waited for the email that included the code and a link to where to input the information.
Cobra was in-game on one computer and clicked on the link on a separate computer. The link went to a page that looked exactly like the non-Battle.Net account page. He logged in and it took him to a page that looked exactly like the official Blizzard code entry page that he had used when he entered his Polar Bear mount code from last year's BlizzCon. After three tries of trying to register the code he had received, he noticed that his other computer had disconnected from WoW.
When he tried to login again, he was told that his account was now associated with a Battle.Net account and that his username and password were no longer valid. It just so happens that all of this was done during a break at work, and Cobra works with his guild leader, who we will call TSU. Cobra walked over to TSU's desk and asked him to logon and see if he was logged in. Sure enough, he was. So TSU immediately demoted Cobra's character.
Unfortunately, TSU did not get a screenshot, but here is what happened next.
Hacker: What did you do that for?!?
TSU: You're a hacker.
Hacker: How do you know?
TSU: Because the real player is looking over my shoulder.
Hacker: O HAI!
Cobra was able to get in touch with Blizzard support and get his account back within 20 to 30 minutes after it was compromised. About 10K gold from various characters and all of his gems were gone. Also, some of his other items were on the Auction House. His gear was still intact and he was able to raid that same evening, so the damage was far less than others who have been hacked.
But wait! There's more! As I write this, Cobra's account got hacked again. Not only did the phishing site take his old account info, it downloaded a keylogger to steal the new account info. They logged into his character and started the scam all over again by spamming Trade Channel with the same Spectral Tiger Mount offer.
Using a server-known, high-level character (hacked from a previous transaction) for the initial communication and asking to only see the cash is an excellent way to both look legitimate and only get targets who have enough money to be worth further effort. Trusting a link in an email rather than going to the site directly was Cobra's biggest mistake and ultimately how his account was compromised. Having an Authenticator would have helped in this situation, but this kind of scam circumvents most other basic account security measures.
In general, if you want to conduct account related business (for any account, not just WoW), get to the website yourself and use trusted links only. And, please, don't buy gold. If these hackers didn't have a market to sell their ill-gotten goods, then they wouldn't waste their time devising these scams in the first place.
Be careful out there!
Please remember that account safety and computer security is your responsibility! While WoW.com has provided you with resources to additional information, do your homework and make sure you know what you're doing before installing any antivirus or other software.Filed under: Mounts, Account Security
Reader Comments (Page 5 of 7)
Dashifen Jun 5th 2009 1:03PM
RE: theRaptor
This is actually true. If you have the Microsoft .NET Framework Assistant in your Add-Ons list, then some of the vulnerabilities that are problematic for IE are now problematic for Firefox. You can find good removal instructions here: http://www.dedoimedo.com/computers/ms-dotnet-firefox.html. I must admit, I haven't done them yet, I simply disabled the extension.
Leviathon Jun 4th 2009 8:41PM
This entire news post can be summarized with 'look at the domain address before clicking or putting your info in'.
Kittahsmash Jun 4th 2009 8:54PM
I had almost this exact same thing happen to me earlier this year. The only difference, was in the email, there was a picture of said Spectral Tiger card unscratched, along with a card with my toon name on it, thus proving 'ownership'. So I gave the person selling it the gold, and they then proceeded to log off and on a couple of times from the top of the Org bank. They said 'connection problems lol' afterwards, and then logged off again, this time permanently. A week later, a GM reimbursed me for the gold. I tracked down the owner of the account, and it turns out that the toon used to spam trade chat for the card, hadn't been played in 5 months, and the owner was on a COMPLETELY DIFFERENT account. So yeah.. long story short, if you see someone advertising a Spectral Tiger anywhere except ebay, it's most likely a scam.
Urza Jun 4th 2009 9:29PM
One day people everywhere will learn NOT to link links in emails.
Starfiyre of Shadow Council Jun 4th 2009 9:31PM
Happened on Shadow Council. Or at least tried to.
When it was advertised for 5000 gold on trade, I chimed in on Trade "The Spectral Tiger Mount card goes for upwards of $500.00 real cash on E-Bay. And you expect us to believe you're selling it for just 5000 gold?"
He goes "Maybe I just want the gold now."
I dunno what happened after that, but hopefully anybody on trade saw he was a scammer full of crap.
Spider Jun 4th 2009 9:34PM
While I agree that the large majority of compromises would be avoided if people would take basic precautionary measures and pay attention to the links they click, I find the number of comments saying "Anyone stupid enough to do this deserves to be hacked" more than a little disheartening.
If I take that same logic, I could say that anyone weak enough deserves to be raped or beaten or killed. Or anyone "dumb" enough to not carry a weapon, or wear a chastity belt, or hell stick a bear trap down their pants, also deserves to be raped.
No one deserves to be taken advantage of. Period.
Rilgon Jun 4th 2009 10:26PM
There's a delicate line between "deserved it" and "it was their fault". Do I think Cobra deserved what he got? No, not really. But the fault is 100% his own. A more cynical person might say he deserved it. I just say that I hope he learns from this and is more vigilant about security.
HHUK Jun 4th 2009 9:41PM
Honestly, it's pretty hard nowadays to get scammed like that.
Any experienced player would examine the address of the login, or atleast open up their own login screen rather than click through somebody else's e-mail.
Be vigilant.
Sanguinefrozenboy Jun 4th 2009 10:03PM
My heart goes out to the player who got hacked in a sense, though I have an authenticator, I can understand what it would be like to have it happen.
I wouldn't wish this upon anyone, but in honest truth, some people are just asking for it.
I however, do not feel pity for those that buy gold and have their accounts hacked.
pinutos Jun 24th 2009 4:57PM
Simple way to avoid phishing attacks: use thunderbird/firefox; the actual addresses of obfuscated links appear in the status bar.
Beatphreek Jun 5th 2009 3:49PM
Ummm yeah, it does that in IE too. Even in my yahoo mail account if I hove over a link it tells you where its going.
ShadzKing Jun 11th 2009 2:50PM
Creepy thing is...I know a Belf named Bubbles O_O
Fairlane Jun 4th 2009 11:06PM
I am completely safe from scams such as this: I have 78 gold.
B. Brown Jun 5th 2009 12:59AM
Gold farmers are more than happy to take your 78 gold, delete your characters, and have the account banned or frozen.
Jamison Banks Jun 4th 2009 11:25PM
Just one minor, overlooked factoid that people might wanna reiterate: Authenticators are sold out in the Blizzard Store (and for a while now, too). They're $6.50 with free shipping. But no. Out of stock. We can't get them EVEN IF WE WANTED TO.
WoWInsider, make sure to mention there's nothing more we can do anyways, aside from changing our own password and using common sense (which obviously isn't enough).
jurandr Jun 4th 2009 11:36PM
Hi.
This is the real code redemption site:
http://www.worldofwarcraft.com/misc/promotion.html
no login screens at all.
Jayjay Jun 4th 2009 11:53PM
AND...if looks (or sounds) too good to be true, it probably is.
Scritch Jun 5th 2009 12:08AM
This has happened alot on our server (The Scryers). Whenever I see it, I contact the interested scammer as if I was actually interested, and ask legitimate questions etc...basically just wasting the guy's time. If he places me on ignore, I do the whole routine over again on every character I have.
They tend to give up attempting their scam when 21 characters take 30 minutes of their time each...
Beware of this...they've taken a liking to snagging the high lvl toons of prominent people on servers, running their scam fast and furious and then bailing. I was lucky enough to save a large guild from being robbed blind because I caught onto one of the hackers through my 'waste scammer time' tactic.
Maybe people are selling those codes sometimes...but 99% of the time, it's fraud. So don't do it!
Kendall213 Jun 5th 2009 12:11AM
Your friend did in-fact break the ToS. You are not allowed to buy the out fo game code that you enter into a site. The in-game code is the code they allow you to exchange for gold.
Blizzards policy is in-game for in-game = good
out of game for out of game = good....
When you cross the two = Bad....
mythamute Jun 5th 2009 12:37AM
looks like its time to download the battlenet authenticator app