Phishing: not just for attacking banks
- TAGS:phishing, World of Warcraft, WoW
- IT TOPICS:Applications, Cloud Computing, Cybercrime & Hacking, Desktop Apps, Government & Regulation, Internet, Security
I'm interrupting my scheduled series on reputation to bring you a public service message... This week on Security Levity, a reminder to beware of all kinds of phishing attacks: not just bad guys pretending to be your bank.
Over the past few days, our spamtraps have picked up a range of attempted phishing messages from fraudsters trying to steal account details of online games. The most targeted game is World of Warcraft (WoW).
Here's an example:
Our automated security systems have indicated that access to your online account was temporarily blocked due to repeated login failures. It is most probable that your account was subject to malicious attack through automated brute forcing techniques.
While World Of Warcraft were able to successfully block this attack, we would recommend that you ensure that your password is sufficiently complex to prevent future attacks.
You can click the link below and enter your password on the following page to confirm the reactivation of your account.
[link redacted]
Obviously, the criminals are trying to steal WoW account credentials, probably in order to sell them -- according to our intelligence, they go for $100-$200 for an advanced account.
The link looks like the correct URL for WoW, but with a subtle typo. The phishers are even trying a 'classic' phishing email reply approach, as in this example:
An investigation of your World of Warcraft account has found strong evidence that someone may be trying to gain control of your World of Warcraft Account, by the means of a fake/invalid ID.
...
You can confirm that you are the original owner of the account by replying to this email with:
* First and Last name
* Address
* Zip code
* Phone number Daytime
* Country
* Account e-mail
* CD-key
* Account name
* Account password
* Secret Question and Answer
Naturally, the email sender's address is forged and the Reply-To header is set to an address not owned by Blizzard Entertainment, Inc.
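The two tells described above, a link whose domain is a near-miss for the real one and a Reply-To that points somewhere other than the claimed sender, are both mechanical enough to check. The following is an added example, not Commtouch code and not a filter from the original post: it parses a message, compares the From and Reply-To domains, pulls URLs out of the body and flags any link domain within a couple of edits of a brand domain. The allowlist of legitimate domains is an assumption, and the sample message is constructed for the example; the misspelled domain in it is invented and is not the redacted link from the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist of domains the brand really sends from / links to.
# Hypothetical for this example; a real filter would load this per brand.
LEGIT_DOMAINS = {"worldofwarcraft.com", "blizzard.com", "battle.net"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def levenshtein(a, b):
    """Classic edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude 'registrable domain': last two labels. Fine for .com/.net here;
    a real filter would consult the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike(domain, legit=LEGIT_DOMAINS, max_dist=2):
    """Return the legitimate domain this one resembles, or None if it is
    either genuinely legitimate or not close to any brand domain."""
    if domain in legit:
        return None
    for ld in legit:
        if levenshtein(domain, ld) <= max_dist:
            return ld
    return None


def analyze(raw_message):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []

    from_addr = parseaddr(msg.get("From", ""))[1]
    from_dom = registrable(from_addr.rpartition("@")[2])
    reply_hdr = msg.get("Reply-To")
    if reply_hdr:
        reply_dom = registrable(parseaddr(reply_hdr)[1].rpartition("@")[2])
        if reply_dom != from_dom:
            findings.append(
                f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Assumes a single-part text/plain body, as in the constructed sample.
    body = msg.get_payload()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        hit = lookalike(registrable(host))
        if hit:
            findings.append(f"link host {host} looks like {hit}")
    return findings


# Constructed sample, modelled on the phishing text quoted in the post.
SAMPLE_PHISH = """From: World of Warcraft Account Admin <noreply@worldofwarcraft.com>
Reply-To: wow-recovery@example.net
Subject: Account temporarily blocked
Content-Type: text/plain

Our automated security systems have indicated that access to your online
account was temporarily blocked due to repeated login failures.
Confirm the reactivation of your account here:
http://www.worldofwacraft.com/login/reactivate
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_PHISH):
        print("FLAG:", finding)
```

Two caveats for anyone adapting this: edit distance only catches character-level typosquats, not homoglyph or IDN lookalikes, and the From/Reply-To comparison is a heuristic, since some legitimate bulk senders do set a different Reply-To; treat a hit as a score contribution, not a verdict.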
There's a trend appearing here. We've seen attacks on Facebook users recently, and we expect them to spread to other social sites, gaming sites, and so on. Sites whose assets look less tangible tend to invest less in security, and their users are less on guard, so we expect phishing to succeed more often there.
Be careful out there. An email that isn't from your bank can still be from a criminal.
There's more on this subject from my colleague Shara Grifenhagen over at the Commtouch Café.
Next week: the final part in my series on sender reputation.
I want to make this an interactive place: where I can answer questions and cover topics that you suggest. Feel free to add comments and ask Amir!
When he's not poring over his spamtraps, Amir Lev is the CTO, President, and co-founder of Commtouch (NASDAQ:CTCH), an e-mail and Web defense technology provider.
