Thursday, April 15, 2010

Email Headers: Internet Detectiving 101

Time for some gibberish (for most of us, but not for some).
This is the full header of a recent Phishing email I received.

From wowaccountadmin@blizzard.com Thu Apr 15 07:49:15 2010
X-Apparently-To: me@yahoo.com via 67.195.8.205; Thu, 15 Apr 2010 00:49:33 -0700
Return-Path: sylve@hotmail.fr
X-YahooFilteredBulk: 65.55.111.76
X-Originating-IP: [65.55.111.76]
Authentication-Results: mta1059.mail.sp2.yahoo.com from=hotmail.fr; domainkeys=neutral (no sig); from=blizzard.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO blu0-omc2-s1.blu0.hotmail.com) (65.55.111.76)
    by mta1059.mail.sp2.yahoo.com with SMTP; Thu, 15 Apr 2010 00:49:33 -0700
Received: from BLU0-SMTP93 ([65.55.111.71]) by blu0-omc2-s1.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
    Thu, 15 Apr 2010 00:49:12 -0700
X-Originating-IP: [222.94.32.217]
X-Originating-Email: [sylve@hotmail.fr]
Message-ID: <BLU0-SMTP9322D8F095F0D27C44F50ECF0F0@phx.gbl>
Return-Path: sylve@hotmail.fr
Received: from vlpxfrcn ([222.94.32.217]) by BLU0-SMTP93.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
    Thu, 15 Apr 2010 00:49:10 -0700
Sender: sylve@hotmail.fr
From: "wowaccountadmin@blizzard.com" <wowaccountadmin@blizzard.com>
To: me@yahoo.com
Subject: World Of Warcraft-Account Instructions
Date: Thu, 15 Apr 2010 15:49:15 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0E74_01A76424.11700BC0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-OriginalArrivalTime: 15 Apr 2010 07:49:11.0296 (UTC) FILETIME=[22DEE000:01CADC70]
Content-Length: 5211

At first glance it looks like the email came from wowaccountadmin@blizzard.com, but then you notice the Return-Path has a different email address, from France. Sourges to be precise (I found the guy on Facebook via his email). But did Sylvain Borreda really send this email? Or did someone hack his email account?

The earliest and most reliable record of the email entering cyberspace is the line near the bottom of the header, Received: from vlpxfrcn ([222.94.32.217]). That line was written by Hotmail's own server when the sender's computer connected to it, so unlike the From address it is not under the sender's control (the hostname vlpxfrcn is self-reported, but the bracketed IP is what Hotmail actually saw). Googling this IP brings up a couple of pages, almost all being reverse IP lookup pages...except for one, a non-existent page at: http://nj.livingchina.cn (A Chinese website. How cliché.)

If you're following along at home and you clicked the actual link on your Google search page you'll see that the specific page at livingchina.cn no longer exists/cannot be found, etc.

But back on the Google search results page we can see that along with the IP there is additional identifying information. There's a phone number and an email address, and if we now Google gftaiyq@163.com we discover the apparently true identity of Mr. 222.94.32.217 aka Guofang Tao, a Real Estate broker in Nanjing, China. (Go figure.) But is Guofang Tao really our Phisher? He is Chinese, but that doesn't automatically make him a Chinese Gold Farmer/Phisherman. He's like a Tootsie Roll Pop: the world may never know, because this is as far as my Internet sleuthing skills can take us.
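The header walk above (compare From with Return-Path, then read the Received: chain from the bottom up to find the first hop) can be automated. The script below is an added example, not part of the original post; it runs on a trimmed, re-folded copy of the header shown above, which is constructed sample input, and uses only Python's standard library.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a trimmed copy of the phishing header shown above, with
# the folded Received: continuation lines re-indented as RFC 5322 requires.
RAW_HEADER = """\
Return-Path: sylve@hotmail.fr
Authentication-Results: mta1059.mail.sp2.yahoo.com from=hotmail.fr; domainkeys=neutral (no sig); from=blizzard.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO blu0-omc2-s1.blu0.hotmail.com) (65.55.111.76)
 by mta1059.mail.sp2.yahoo.com with SMTP; Thu, 15 Apr 2010 00:49:33 -0700
Received: from BLU0-SMTP93 ([65.55.111.71]) by blu0-omc2-s1.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
 Thu, 15 Apr 2010 00:49:12 -0700
Received: from vlpxfrcn ([222.94.32.217]) by BLU0-SMTP93.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
 Thu, 15 Apr 2010 00:49:10 -0700
From: "wowaccountadmin@blizzard.com" <wowaccountadmin@blizzard.com>
Subject: World Of Warcraft-Account Instructions
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_chain(msg):
    """Relays prepend Received: lines, so the last one is the first hop. The
    'from' name is self-reported by the client; the IP was seen by the relay."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        # Only the "from ..." part before "by" describes the connecting client.
        ips = IP_RE.findall(re.split(r"\bby\b", value, maxsplit=1)[0])
        name = re.match(r"from\s+(\S+)", value)
        relay = re.search(r"\bby\s+(\S+)", value)
        hops.append({"from": name.group(1) if name else None,
                     "ip": ips[-1] if ips else None,
                     "by": relay.group(1) if relay else None})
    return hops

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def analyze(raw):
    """Return the first-hop IP plus the mismatches a reader should notice."""
    msg = message_from_string(raw)
    hops = received_chain(msg)
    origin = hops[0]["ip"] if hops else None
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = msg.get("Return-Path", "").strip("<> ")
    findings = []
    if domain(from_addr) != domain(return_path):
        findings.append(f"From domain {domain(from_addr)} != Return-Path domain {domain(return_path)}")
    if "dkim=pass" not in msg.get("Authentication-Results", ""):
        findings.append("no DKIM pass: the From: header is unverified")
    return {"origin_ip": origin, "hops": hops, "findings": findings}
```

For the sample header, analyze() reports 222.94.32.217 as the first hop and flags both the blizzard.com/hotmail.fr mismatch and the absence of a DKIM pass.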

6 comments:

Larísa said...

Does this re-enforce or dismiss your conspiracy theory about an insider at Blizzard?

Cap'n John said...

At the moment, neither. The problem with my conspiracy theory (with most, if not all conspiracy theories) is it's exceptionally hard to prove. It's like my password, being one I had not used for anything but WoW, still getting keylogged/cracked (or perhaps just being reset via Battle.net) and yet there was no sign of a keylogger on my computer. Did I really have a keylogger? Did someone social engineer their way into my Account? Or did they just buy the information from someone in Blizzard?

Proof will be if my brand new email account starts to receive Phishing emails, because nobody has that email address except for Blizzard. So if a Phisher does email me then Blizzard's security is not as tight as we'd like it to be.

M.W.S said...

http://sorcererofthespiral.blogspot.com

Phil said...

... Dude, that's crafty.

*takes notes*

HokieJayBee said...

Write and ask Blizzard if they'll cough up the IP of the computer used that was logged into your account when you weren't?

Has the brand new account received *ANY* phishing yet? WoW or not?

Cap'n John said...

No phishing emails in the new account yet. No spam, no junk mail, nothing from anyone. Which is how it should be.