So in the first two installments of “Catch of the Day”, I’ve had a very easy time of picking apart phishing emails that were so badly written that they would have a difficult time fooling an evangelical birther who has overdosed on a cocktail of quaaludes and Jagermeister while inhaling concentrated ganja fumes. This time, I’d like to show you an example of a phishing email that is quite well-done.
Let’s begin at the beginning, shall we?
From: Diablo III – [email protected]
Well, this is enough to let you know that the email is fake. “email.net” isn’t “blizzard.com”, and that’s really all you need to know in order to figure out that this isn’t a legitimate email. What makes this email well done comes later…
Greetings,Due to an unusual change in your access pattern, the Battle.net account under this email address has been locked. This can be caused by logging in from a new location, but it may also signal an attempt to compromise your account.
Ok, so they don’t use a name, but at least they don’t do anything stupid like “Greetings, CUSTOMER” or “Dear, [email protected]”. The scammer also isn’t trying to accuse the recipient of selling accounts or anything else that could easily be proven false. They imply that your account may be compromised by a third party and that is the most plausible assertion that could get a victim’s attention. Well done, so far.
If you have registered for Battle.net SMS Protect, you can unlock your account by selecting “Can’t log in,” then selecting “I’m currently locked out of my account,” and following the steps provided. If you have not registered for Battle.net SMS Protect, or if you feel that your account’s security is at risk, please follow the steps below.
Hey! Here are some things you can do to protect yourself that don’t involve logging on to some skeevy Asian website that looks just like Blizzard but isn’t. Again, well done.
Step 1: Verify Your Account OwnershipClick on the link below to verify your e-mail address of the Battle.net account:https://www.battle.net/account/d3/login-support.html
A-HA! Here’s the link. If you’re a naturally suspicious sort, like me, you decide to take a look at the source of the message to see where the link really goes. SURPRISE! The email is fully MIME-encoded and you can’t see where the link really goes. Again, very well done. The only way I could tell that this wasn’t a legitimate link was to hover over the link and check my browser’s status bar. Sure enough, the link really goes to us.diablo.com.zh-joa.in . As you might guess, that is not a site owned by Blizzard. Be honest, how many of you actually look at your browser’s status bar when you hover over a link?
Step 2: Secure Your ComputerEnsure that your computer is free from any malicious programs, as a password change alone may not deter future attacks. Visit our Account Security website to learn how to protect your computer from unauthorized access.
Step 3: Secure Your Email AccountChoose a new password for your email account and review your email for any filters or rules you did not create. For more information on securing your email account, visit our Account and Computer Security page.Step 4: Choose a New PasswordChange your password to resume using this Battle.net account, as your former password no longer grants access to any login-protected Battle.net account service or game. Visit our Password Reset page to begin the password change process.Once you’ve regained access to your account, you can add additional security with Battle.net SMS Protect, a free service that allows you to unlock your Battle.net account on your own with a few simple steps. For more information, see the SMS Protect FAQ.
Look, ma! The rest of this is well spelled, has decent grammar, and is exactly the kind of thing that Blizzard would send to someone whose account has been compromised. They didn’t overdo it with the bad links. Of course, this would be more convincing if they had links to Battle.net’s actual “Account and Computer Security page” or “Password Reset page”, but I’ll give an “A” for effort.
And this link actually points to the real Battle.net support page. Very impressive! I also like the fact that the email isn’t “signed” by “Game Master Dunarthra” or some other easy-to-debunk customer service representative.
These are the kinds of emails that have a better-than-average chance of fooling someone out of their Battle.net account. Be careful out there.