Thursday 3 June 2010

How not to write a fishing email

Recently my inbox has been full to bursting with phishing scam emails, some of which I read for amusement. Sadly none of them are very good, and they don't really convince me that I have got into the Friends and Family Alpha, or that my account is under investigation.

Clearly the people writing these are in fact utter morons, so here are some handy tips they can use to improve their efforts. They could also serve as reverse tips you can use to detect such fishing scams.

Do not send to the wrong email address
I have several email addresses, only one of which is associated with my WoW account, that also being the Battle Net login. Please actually send your fishes to the email address Blizzard use to communicate with me; any email to any other address is clearly fake. If you get emails from Blizzard at an address they know nothing about, they are fake.

Use proper English
Blizzard is a large corporation that employs many hundreds of people. So when they send out any official communication, it is most likely written using a template which has been proofread by many people and checked for spelling and grammar errors. It really looks bad when a company communicates with you using bad language (no, not cussing, although that doesn't go down well either).

"We have the evidence to prove that your account involved in the controversial game currency transaction"

Damn it I shouldn't have bought that Lovely Black Dress but its not that controversial really.

"As you may not be aware of,this conflicts with Blizzard's EULA under section 4 Paragraph B which can be found here:"

Space after a comma! Did you not pay attention during typing class?

"It will not affect your game uptime.If you are unable to successfully verify your password . using the automated system,"

Also, space after a full stop, and no full stops in the middle. Of sentences.

"Battle.net-Account investigation!?‏"

It may be important, but is an exclamation mark and a question mark really warranted!?!one!eleven

"This is an automated notification sent from our account security system. You logined your account successfully at 3:14 on May 30th form the 203.11.151.* range. As other users report and after investigation, we foud that the account published spam information in the game world of warcraft.This harassing other users seriously . This action has violated the GAME RULES. As too many customer complaints, the IP range above has been blacklisted. "

I certainly did not logined to my account then, or using that IP address. Also other users may well report things, but you didn't tell me what. This harassing other users seriously... what? Annoys you?

"When you receive this letter to mean that your account will be disabled within 48 hours. this time disable your account is permanent."

Remember to use a capital letter in the first letter of the first word after a full stop.

If there are spelling or grammar errors in the email, it's probably not from Blizzard.

Send the mail from Blizzard.com
So given Blizzard are inviting me to the Alpha/warning me/banning me, I would expect an email addressed from Blizzard.com to actually come from Blizzard.com. Luckily, apart from detecting fishing, Google Mail will show you where an email was mailed from if you click the "Show Details" link on an email.

"from: BLIZZARD "
"subject: Battle.net Final Warning"
"mailed-by: hotmail.com"

I didn't realise Blizzard used hotmail these days. Can't they afford their own email servers? Worse still, in Google Mail you can click on the little arrow to the right of the email, select "Show Original" and see:

Message-ID:
Return-Path: kamuel_2@hotmail.com
Received: from whq ([119.114.45.120]) by BLU0-SMTP93.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Sat, 22 May 2010 11:06:48 -0700
From: "wowaccountadmin@blizzard.com"

Not only can they not spell "reply" but also it seems kamuel_2 at hotmail.com is the actual sender of the email, not blizzard as claimed.

Sadly hotmail won't let you show the original message source, but both gmail and hotmail seem pretty good at flagging up suspicious emails which don't come from where they claim to.

The Beta hasn't started yet
An email titled "Cataclysm Beta Test Invitation!" which turns out to be an opt-in invitation really isn't a Beta Test invitation. However, also remember the point about good English:

"The disaster of the beta test, come on! Azeroth world turmoil coming, and you certainly do not want to be forgotten in the cold winds of Northrend , unable to enjoy the pleasant sun Corzine on the island."

Just... I don't even know where to start with this one. Soon you might be receiving invitations to the actual beta, at which point it's worth checking it has actually started.

Link to the actual Account Management page
The URL to the European account management page is http://eu.battle.net/account/ or https://www.wow-europe.com/account/. For the US it is http://us.battle.net/account/ or http://www.worldofwarcraft.com/account. Any time a link in an email shows one URL but links to another (as shown in the status bar at the bottom of a web browser), I get all suspicious.

I'm pretty sure http://www.worldofwarcraft-accounts-report.com/account/support/login-support.xml is not the right address, as worldofwarcraft-accounts-report.com is not actually battle.net or worldofwarcraft.com. Really, you fishers need to link directly to the actual WoW account management pages, or just tell people to go and log in using the links off the official websites, where their account violation messages will be waiting for them. Oh wait. They won't, will they.

This one will be hard for the spammers to work around. Google Mail shows a warning if links don't go to the place their text says, and also disables the links. In any case, if you are told you need to log in anywhere to verify an account, ignore the links in the email and go straight to the appropriate web site and log in there.
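The two checks above (the "mailed-by"/Return-Path headers versus the claimed From domain, and link text that shows one URL while pointing at another) can be automated. This is an added example, not code from the blog or from any mail provider; the sample message is constructed from the headers and URLs quoted in the post, and the angle-bracket From address and the HTML body are assumptions.

```python
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message, rebuilt from the headers and URLs quoted in the post.
# The angle-bracket From address and the HTML body are assumptions, not from the page.
RAW_MESSAGE = b"""Return-Path: <kamuel_2@hotmail.com>
Received: from whq ([119.114.45.120]) by BLU0-SMTP93.blu0.hotmail.com over TLS secured channel
From: "wowaccountadmin@blizzard.com" <wowaccountadmin@blizzard.com>
Subject: Battle.net Final Warning
Content-Type: text/html

<p>Verify at <a href="http://www.worldofwarcraft-accounts-report.com/account/support/login-support.xml">http://eu.battle.net/account/</a></p>
"""
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # simple anchor matcher

def domain_of(addr):
    """Domain of an address like 'Name <user@host>', lowercased ('' if none)."""
    _, address = email.utils.parseaddr(str(addr))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def mailed_by(msg):
    """Host after 'by' in the topmost Received: header (what Gmail shows as mailed-by)."""
    received = msg.get_all("Received") or [""]
    m = re.search(r"\bby\s+([\w.-]+)", str(received[0]))
    return m.group(1).lower() if m else ""

def deceptive_links(html):
    """(visible text, real href) for links whose text is a URL on a different host."""
    found = []
    for href, text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop any tags inside the anchor
        if text.lower().startswith(("http://", "https://")):
            if urlparse(text).hostname != urlparse(href).hostname:
                found.append((text, href))
    return found

def analyse(raw):
    """Apply the post's header and link checks to a raw message; returns a findings dict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    from_dom, rp_dom = domain_of(msg["From"] or ""), domain_of(msg["Return-Path"] or "")
    relay = mailed_by(msg)
    return {
        "mailed_by": relay,
        "sender_mismatch": bool(rp_dom) and from_dom != rp_dom,
        "relay_mismatch": bool(relay) and not (relay == from_dom or relay.endswith("." + from_dom)),
        "deceptive_links": deceptive_links(body.get_content() if body else ""),
    }
```

Run `analyse(RAW_MESSAGE)` to get the findings; a message that passes all three checks returns no deceptive links and both mismatch flags False.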

Anyway I hope none of the spammers read these tips as their emails might get better. Stay safe out there people.

8 comments:

Skraps said...

Oddly I recently received an email from Blizzard, that threw up all sorts of red flags for me.

It basically said we are going to be starting the Cata Beta soon, make sure your opt-in preferences are set at the battlenet account settings page. It had no links, no malicious code or anything, actually came from blizzard.com. It just said something like you know how to get there, go do it.

I guess I am so suspicious now, that when a real and honest email comes I figure it must be fake.

Rakhman said...

@Skraps yeah exactly, that one was really suspect. I didn't follow any of the instructions on it as I don't want my account stolen.

On an unrelated note, a guildie has got a beta invitation, so I hope I get in soon.

Anonymous said...

It's phishing :P

Rakhman said...

@Anonymous cheers Wombat :)

Marie said...

I recently got an email that I've been ignoring. It claimed to come from Blizzard, had excellent spelling/grammar/punctuation and was regarding "changes to parental controls". The thing that made me highly suspicious was that it claimed that I no longer had to provide a password, but could just use this email link as the 'password'. So convenient! It sounds like it would conveniently steal my account info.

I should really double check it and the official parental controls page. I wonder if I can remember my password...

Oh, and the official closed beta really has begun now. Fun times.

Anonymous said...

BTW Hotmail may not show you the full email text on their website, but you can see it if you use Windows Live Mail.

Aaron of Minneapolis said...

You can also see the full source of a Hotmail message if you use a POP client (like Thunderbird or Outlook) instead of the website.

Also, Mozilla Thunderbird pops up a scam warning in messages with links that use a redirect or don't go where their text says.

Rakhman said...

Excellent tips.

It seems if you get into the Beta, your Battle net account page (where it lists all the games you have) will have a shiny new Cataclysm icon.

So if you get an email saying you are in the Beta, just ignore it and go to battle.net, log in and check which games you have.

© 2008, 2009 FlameShock. All Rights Reserved.