How cybercriminals victimize WoW players

How attackers hunt for Battle.net accounts in World of Warcraft, aiming to get valuable content.

How attackers hunt for Battle.net accounts in World of Warcraft, aiming to get valuable content

A Battle.net account is something attackers find valuable. They can use it to get access to purchased games as well as characters and in-game currency and items. If a player has properly configured their account, however, then contacting technical support will likely help them regain control and restore stolen virtual wealth.

Nevertheless, attackers can still cause you a lot of inconvenience, so it’s better to act now to avoid being hacked later. So that you too can avoid this unpleasant situation, I’m going to tell you what I learned from an attempt to hijack my Battle.net account using in-game phishing in World of Warcraft Classic.

The “Bizzard” account theft scheme

Phishing used to be a fairly common problem in the original version of WoW. However, I had almost never run into it in the recently released World of Warcraft Classic — that is, until some warrior named “Bizzard” messaged me: “[Blizzard Entertainment] GM: Violation: Economic exploit. Please visit: [www.blizzardwarcraft.com]. Otherwise, we will suspend your account.”

In-game phishing message in World of Warcraft Classic

In-game phishing message in World of Warcraft Classic

To say that there was something fishy about this message would be an understatement. For starters, it’s hard to believe that a real game master at Blizzard Entertainment would respond to such violations as “economic exploits” using a character name that was similar but not identical to the name of the company and inform a player that they had to visit a particular site. Moreover, just for the record, I absolutely did not violate anything.

I usually just ignore such messages, but this time I got curious and decided to investigate how this particular scheme worked. First, I checked the link using whois services because I recognized that the domain was not one of the domains belonging to Blizzard (such as blizzard.com, battle.net, or worldofwarcraft.com). Also calling the site’s legitimacy into question was the lack of any security certificate whatsoever.

As I suspected, the blizzardwarcraft.com domain that the mighty Bizzard wanted me to visit had been registered for less than a week. Moreover, the attackers did not even try very hard to cover their tracks: The domain was registered by someone from the Chinese province of Anhui through the Hong Kong registrar Hongkong Domain Name Information Management Co., Ltd.

Comparing the fake Blizzard website with a real thing

Comparing the fake Blizzard website with a real thing

Nevertheless, the phishing site looks convincing. Its appearance is quite similar to legitimate login page eu.battle.net. The Security Check label, which is formatted using the wrong font and color, does spoil the impression a bit. And the Facebook and Google login options don’t work, as you might already suspect. However, almost all other links on this fraudulent page lead to real Blizzard sites. That said, their nationality is not consistent: Some are European, others American.

I decided to continue my investigation to see exactly how the attacker would pursue hijacking my account. Right on the fake page, I clicked the “Create a free Blizzard Account” link (which was fine; the link led to the genuine Blizzard site), and signed up for a new account. Having thus prepared myself for my experiment, I proceeded to hand over my newly created account and password to the attackers.

After I entered my credentials on the fake page, the creators of the site asked me to help them secure my new account by performing a quick check. To do that, of course, I had to enter a verification code sent by e-mail. This code came from Blizzard’s real address.

I had anticipated that step, and as soon as I entered my credentials on the fake page, the attackers immediately entered them on the real site. But they also needed to enter a verification code. Blizzard sent that code to my mail, but the attackers needed to get it from me. Of course, I played along and entered the code on the fake page.

In addition, for some reason, they asked me to answer a secret question on the final page. The truth is, when I registered, I did not set up any secret questions. No worries there, though: I was ready to give them an answer.

“Security check” on fake Blizzard website

I was then informed that I had successfully passed the verification. As you might expect, at the same time someone else logged in to my new account (the IP address placed them in the German city of Brandenburg, but it’s unlikely the attacker was actually connecting from there; they were probably using a proxy server, VPN, or other means of virtually masking their true location).

First someone logged in through the Battle.net application, and then they went through the Web interface. I assume that happened because the hackers did not find any World of Warcraft characters in my Battle.net account and decided to double-check the account using the Web version.

Recent login activity shown at real Blizzard website

Recent login activity shown at real Blizzard website

After about two and a half hours, Blizzard sent me a notification that my password had been reset because of suspicious activity. Apparently, Battle.net’s internal defenses determined that someone else had gained access to my account, and they sprang into action to protect me from the intruders. As you can see, Blizzard does a pretty good job of keeping its users safe.

How to avoid falling victim to phishing attacks in World of Warcraft

The attack I experienced is unlikely to be the last phishing attempt in World of Warcraft Classic. To minimize damage from the actions of intruders, as well as to make the game more secure not only for yourself, but also for others, keep a few things in mind:

  • In World of Warcraft, a special icon always appears next to the name of game masters (it looks like “BLIZZ” in blue). If you do not see the icon, then it’s not a game master you’re talking to.
  • Economic exploits as well as other violations of game rules will always result in your account being blocked. They’re not a legitimate reason for a “security check” of your account.
  • Game officials are unlikely to send you a link to a third-party resource. They already have the tools they need to combat violations. To confirm your account ownership, all they need to do is reset your password and kick out whoever is using the account.
  • If a player contacts you with this type of request, report the inappropriate behavior using battle.net’s form.
  • It is helpful to follow Blizzard’s advice for keeping your account secure. Everything is clearly and correctly laid out there: How to set up a secure password and two-factor authentication, why you need protection software, why application updates are important, and how to use proper password hygiene.

As far as protection software is concerned, we recommend using a security solution that protects you against spyware, detects phishing attempts, and securely stores passwords. Our dedicated Gaming mode lets you achieve that without seriously sacrificing gaming performance on your machine.

Tips