WoW Scams: World of Warcraft Whitehat Scamming Methods ONLY.
[NO QUESTIONS HERE] We do not condone scamming, this section is meant for people to read about scamming so they can prevent being scammed themselves.
I'm bored, and when I get bored I do things just to see if they can be done.
I'm no scammer, I dislike the idea of someone taking my account and don't want to inflict that on someone else. Recently, though, I thought "Could I do it? Could I scam an account if I wanted to?"
Naturally this led to thoughts of "the perfect scam", how to reliably get the information I needed without arousing suspicion, that way the recently bunko'd wouldn't immediately change his info and slam me out again.
I can say these are my conclusions.
Of 58 emails sent out, I received 36 unique returns. Of those 36, 28 were viable account information, the other 8 were bogus info. Most of the unique 36 were repeated as the user attempted to log in again from my source email.
I personally logged into each of the 28 accounts (this took forever) and looked at their toon select screens. I did NOT log in their toons or take anything from the accounts, this was a mental exercise, nothing more.
Enough of the preface, this is the detail.
- - - - - - - - - - - -
What this is: A medium complexity phishing scam.
Why this is unique: This scam uses social engineering to interest the account holder without direct threats or "too good to be true" offers.
What this won't do: It will not give you account-based info like secret question/answer, CD key, or names/addresses.
What this guide won't do: I will not provide templates or HTML. I did this as a mental exercise, if you want to do this you must put in the work as well.
The What: This scam has two parts, the bait and the hook.
The Bait.
Fabricate an HTML email similar to the "blizzard insider" or other promotional Blizzard emails. This will require HTML skills or an editor, some Photoshop work, and a good understanding of what the email should look like in the end.
The email should be an announcement, played out as most real emails are, the biggest headline being "Sign up for the Blizzard Account and receive 'Flapper', the in-game non-combat pet." (I used a model-pic of a proto-drake whelp recolored bright green with Photoshop.)
This email should contain a well written paragraph or two on the Blizzard Account system, saying how the Blizzard Account will be used just like your WoW account is now, and how you can sign up multiple accounts to one Blizzard account. Throw in some stuff about how your blizzard account will also be used for Diablo III and Starcraft II, and how Blizzard account holders will be eligible for special deals and pricing that will be announced later. Hit up the real Blizzard account pages for real information on this.
Make sure to include a masked URL to a PHP-enabled site you control, as well as various links to other real blizzard services and opt-out links.
Email this to your email-list (I used a list compiled from guild websites) using a spoofed header ([Only registered and activated users can see links. ])
If you do this right the user will click the email link and head to your Hook.
The Hook
This is a PHP/SQL enabled webpage you design to look EXACTLY like the standard account admin sign-in page.
There are templates available for the lazy*, but I made my own. The page contains all the legit links for Blizzard sites, so if your mark chooses to click them they work as suspected.
* This thread ([Only registered and activated users can see links. ]) contains a nice phisher page setup, though I'm not sure what changes would need to be made to allow the next step to proceed as planned, if any.
For multiple Phishing resources see this link: [Only registered and activated users can see links. ]
The login box must do two things. One, it writes the user-name and password into your database for easy retrieval (or sends an email, if you didn't write your own); two, and this is the important bit, it links to the REAL account admin login page.
That's right, they enter their user-name and pass, then get linked to the regular login, where they will be prompted again to log in.
The second time works normally and they log in thinking "well, second time's the charm".
Once they're on the real WoW pages they can sign up for a blizzard account as normal, never the wiser.
The kicker here is, the system is already live and in place, but most WoW users don't have Blizzard accounts yet. By offering an in-game reward you entice the user to go sign up for the free service and lose his account info on the way.
Why it Works
If done correctly you have a legit-looking HTML email extolling the virtues of a real service that you then really link to. The mark often knows about this service, but many haven't bothered signing up because it's a bit of a hassle outside of what they already have.
The bait is plausible and reliable based on what Blizzard has done in the past. They often give out non-tactical game items in promotions.
The Hook is also plausible, as they authorize and pass through your page to land exactly where they suspected they would. They need to log in again, but who hasn't had site problems that required the same? Once logged in there's the service they were looking for, right there where it needs to be.
The Phishing page isn't overly complex, and it's not on the user's browser long enough for most to notice the address isn't quite right. Often Phishing pages linger too long, looking for too much information. This gives too much time for the mark to notice they aren't where they think they are.
Done correctly this should give long-term access to the account; I can still log into the ones I have, and I've had them for weeks.
There you go, MMOwned, Wastrel's perfect Phishing scam. This is 100% written by me, as are all Wastrel's guides.
Repost as you wish, but leave all links and text intact and always give credit to your original author.
__________________
Wastrel's drinking game: Take a drink every time I say the word "Toon"
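The lure above hinges on a "masked URL": link text that reads like the real account site while the href points at a server the scammer controls. The following is an added defender-side check, not code from Wastrel's post; it scans an HTML email body for anchors whose visible host disagrees with the href host, or whose href host is outside an assumed allow-list (TRUSTED_DOMAINS), over a constructed sample message.

```python
import re
from urllib.parse import urlparse

# Assumed allow-list for the example; a real deployment uses the sender's own domains.
TRUSTED_DOMAINS = {"blizzard.com", "worldofwarcraft.com"}
# Simplified anchor extraction for sample input; use a real HTML parser in production.
ANCHOR_RE = re.compile(r'<a\b[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def registrable(host):
    """Crude eTLD+1: last two labels, enough for .com-style domains."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def find_masked_links(html):
    """Return (href, visible_text, reason) for each suspicious anchor."""
    findings = []
    for href, inner in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()   # drop nested tags
        host = urlparse(href).hostname or ""
        if not host:                      # mailto:/relative links: out of scope
            continue
        shown = HOST_RE.search(text)      # does the link text itself look like a URL?
        if shown and registrable(shown.group()) != registrable(host):
            findings.append((href, text, "display host differs from href host"))
        elif registrable(host) not in TRUSTED_DOMAINS:
            findings.append((href, text, "href host not in trusted domains"))
    return findings


# Constructed sample resembling the lure described in the post (not a real email).
SAMPLE_EMAIL = """<p>Sign up for a Blizzard Account and receive an in-game pet!</p>
<a href="http://account-blizzard.example.net/login">https://account.blizzard.com/</a>
<a href="https://www.worldofwarcraft.com/">Official site</a>
<a href="https://us.blizzard.com/unsubscribe">Unsubscribe</a>"""

if __name__ == "__main__":
    for href, text, why in find_masked_links(SAMPLE_EMAIL):
        print(f"{why}: {text!r} -> {href}")
```

Only the first anchor is reported: its text shows blizzard.com while the href resolves to example.net, which is exactly the mismatch a user skimming the email never sees.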