Online gamers targeted by phishers

GFI Software’s senior threat researcher Christopher Boyd has found a false Old Republic log-in page that is a good forgery of the genuine page, “save for the fact that the genuine login screen says ‘Email address or trial account display name’ – the fake misses the trial account reference altogether,” comments Boyd.

However, on this page, the log-in attempt brings up a fairly standard phishing phrase: “we found that your account has unusual activity,” and more information needs to be entered for verification. The required information is the user’s secret question/answer interaction – but it just goes on and on asking for answers. Eventually, however, the account is ‘confirmed’, and the phisher wanders off “with more secret question answers than they can shake a very large stick at.”

Boyd’s concern is that this information, combined with the user’s email address, could potentially allow the phisher to reset the password and gain control of other accounts, including social networks and internet banking.

Meanwhile, Trend Micro is warning about in-game mail scams based on the upcoming World of Warcraft: Mists of Pandaria expansion (currently in closed beta testing). Users are being invited to join the beta test and are offered the chance to win a free Dragon Turtle Mount in-game item. But of course the link goes to a false site where the user is invited to hand over his or her account credentials.

Trend notes that Blizzard has “stepped up their security measures,” by publishing a dedicated security page. Not everyone, however, believes that Blizzard is sufficiently careful. In a very public spat last month, a user complained about WOW’s Real ID feature. Real ID allows people who introduce ‘friends’ by email to see their real ID. “I can trick someone into adding me by promising gold via a website and instructing people to add me via an email address in game, or by promising to help people level up. Once they add me, which is a seemingly innocuous act, I can obtain their personally identifiable information and use it to track them and gather info.”

Blizzard pointed out that you can turn Real ID off. “This should be Opt In not Opt Out,” responds the complainant. “You have no idea the danger you are putting people in.”

Given the extent of online in-game phishing, he may have a point: any additional information in the hands of scammers can be turned against the online gamer.
