12-09-09, 11:57 AM   #1
swaldman
Guest
Posts: n/a
WowInterface.com email database has been compromised

Apologies for posting this on a forum - I couldn't find any other way of contacting the people who run wowinterface.

I've just received a fairly standard phishing email, with one notable point - it was sent to an email address that I have only ever used with WoWInterface. This suggests to me that somehow, spammers have gained access to the wowinterface email database.

Please would you investigate?

Email below, with some info anonymised. Note that it was sent as base64-encoded text, which means I can't easily paste the source in here - instead you get what gmail renders, plus the headers.

-----

Code:
Delivered-To: [email protected]
Received: by 10.204.118.145 with SMTP id v17cs348724bkq;
        Wed, 9 Dec 2009 08:43:34 -0800 (PST)
Received: by 10.115.38.32 with SMTP id q32mr18748121waj.8.1260377011997;
        Wed, 09 Dec 2009 08:43:31 -0800 (PST)
Return-Path: <[email protected]>
Received: from mail2-162.sinamail.sina.******* (mail2-162.sinamail.sina.******* [60.28.2.162])
        by mx.google.com with ESMTP id 13si18622189pzk.127.2009.12.09.08.43.30;
        Wed, 09 Dec 2009 08:43:31 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates 60.28.2.162 as permitted sender) client-ip=60.28.2.162;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 60.28.2.162 as permitted sender) [email protected]
Received: from unknown (HELO login.mail.sina.*******) ([10.29.11.24])
  by mail2-160.sinamail.sina.******* with ESMTP; 10 Dec 2009 00:43:29 +0800
Received: by login.mail.sina.******* (Postfix, from userid 80)
	id 44F5E358C47; Thu, 10 Dec 2009 00:43:29 +0800 (CST)
Received: [email protected]([220.249.132.224]) by mail.sina.******* via HTTP;
 Thu, 10 Dec 2009 00:43:29 +0800 (CST)
Date: Thu, 10 Dec 2009 00:43:29 +0800 
From: Blizzard Entertainment <[email protected]>
To: [email protected]
Subject: =?GBK?B?QmF0dGxlLm5ldCBBY2NvdW50IKhDIFBhc3N3b3JkIENoYW5nZSBOb3RpY2U=?=
MIME-Version: 1.0
X-Priority: 0
X-MessageID: 1260377009.2617.44142
X-OriginaIP: 10.28.11.24
X-Mailer: Sina WebMail 4.0
Content-Type: multipart/alternative;
	 boundary="=-sinamail_alt_5fa618964e32e7282284018b85d011ad"
Message-Id: <[email protected].*******>

Hello

This is an automated notification regarding the recent change(s) made to your Battle.net account

Your password has recently been modified through the Account Management website.

*** If you made this password change, please disregard this notification.

However, if you did NOT make any changes to your password, we recommend you contact Blizzard Billing & Account Services for assistance keeping your account as secure as possible.

For more information, click here for answers to Frequently Asked Questions or to contact the Blizzard Billing & Account Services team.

Account security is solely the responsibility of the accountholder. Please be advised that in the event of a compromised account, Blizzard representatives typically must lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.

Sincerely,
The Battle.net Account Team
Online Privacy Policy
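Added here as a worked example (not part of the original post or of WoWInterface's code): a small Python triage of the headers quoted above, the kind of check a recipient can run before trusting a "password changed" notice. The sample is a constructed copy of those headers in which the anonymised mailboxes and the webmail provider's domain are placeholders (webmail.example, example.net); the IPs and the GBK-encoded Subject are the ones visible in the quoted headers. It reads the submitting client's IP from the lowest Received: hop, the SPF verdict and the domain it actually vouches for, decodes the Subject, and flags that the display name ("Blizzard Entertainment") does not match the sending domain: an SPF "pass" only says the webmail server was allowed to send for its own domain.

```python
import re
from email import message_from_string
from email.header import decode_header
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post above; mailboxes and the sender's domain are placeholders.
SAMPLE = """\
Received: from mail2-162.webmail.example (mail2-162.webmail.example [60.28.2.162])
        by mx.google.com with ESMTP id 13si18622189pzk.127.2009.12.09.08.43.30;
Received-SPF: pass (google.com: domain of sender@webmail.example designates 60.28.2.162 as permitted sender) client-ip=60.28.2.162;
Received: from unknown (HELO login.webmail.example) ([10.29.11.24])
  by mail2-160.webmail.example with ESMTP; 10 Dec 2009 00:43:29 +0800
Received: sender@webmail.example([220.249.132.224]) by mail.webmail.example via HTTP;
From: Blizzard Entertainment <sender@webmail.example>
Subject: =?GBK?B?QmF0dGxlLm5ldCBBY2NvdW50IKhDIFBhc3N3b3JkIENoYW5nZSBOb3RpY2U=?=
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(msg):
    """One IP per Received: hop, listed top (last hop) to bottom (first hop)."""
    hops = []
    for hop in msg.get_all("Received", []):
        m = IP_RE.search(hop)
        hops.append(m.group(1) if m else None)
    return hops


def decode_subject(msg):
    """RFC 2047 decode; the sample Subject is base64 text in GBK."""
    return "".join(
        c.decode(cs or "ascii", "replace") if isinstance(c, bytes) else c
        for c, cs in decode_header(msg.get("Subject", "")))


def triage(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    spf = msg.get("Received-SPF", "")
    m = re.search(r"domain of \S+@(\S+) designates", spf)
    hops = received_ips(msg)
    return {
        "display_name": display,
        "from_domain": from_domain,
        "spf": spf.split(" ", 1)[0].lower() if spf else "none",
        "spf_domain": m.group(1).lower() if m else None,  # the domain SPF vouches for
        "hops": hops,
        "origin_ip": hops[-1] if hops else None,  # submitting client, lowest hop
        "subject": decode_subject(msg),
        # Crude tell: the brand in the display name is absent from the sending domain.
        "display_name_domain_mismatch": bool(display)
        and display.split()[0].lower() not in from_domain,
    }
```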
12-09-09, 12:04 PM   #2
Dolby
PPAP
 
WoWInterface Admin
Join Date: Feb 2004
Posts: 2,339
Our database is not accessible from a public IP. It's only on a VLAN that our httpd servers can access. Looking at the logs I do not see anything that would suggest a compromise to our data.

Checking some other error logs and will let you know if I find anything.

Last edited by Dolby : 12-09-09 at 12:09 PM.
12-09-09, 12:12 PM   #3
swaldman
Guest
Posts: n/a
Originally Posted by Dolby
Our database is not accessible from a public IP. It's only on a VLAN that our httpd servers can access. Looking at the logs I do not see anything that would suggest a compromise to our data.

Checking some other error logs and will let you know if I find anything.
The only thing which would suggest a compromise is, I'm afraid, something that you have to take my word on. I use unique email addresses when registering with websites, and only use them for those sites. This spam was sent to the one used for wowinterface. There are other means by which it could have been obtained (problem on my machine, problem with gmail, dubious relay somewhere along the line, etc), but all seem less likely, because I have *only* received it to the wowinterface address and not to other unique addresses, and because it is WoW-related.

Thanks for checking, anyway. If you would like the actual (encoded) text of the email with the actual email address, I'll be happy to send it on by email - but not on a forum.
12-09-09, 12:20 PM   #4
Dolby
PPAP
 
WoWInterface Admin
Join Date: Feb 2004
Posts: 2,339
Sure, please send it to [email protected]

Do you use a shared host? It's possible one of their clients was able to get a list of email addresses on the server.

Any large queries I'm emailed about. However, I'm still sifting through the logs.
12-09-09, 12:57 PM   #5
Seerah
Fishing Trainer
 
WoWInterface Super Mod
Join Date: Oct 2006
Posts: 10,860
For future reference (for both you and any others reading this), since Dolby forgot to mention it, there is a link in the footer of the site, on the bottom-right, which says "Contact WoWInterface".
__________________
"You'd be surprised how many people violate this simple principle every day of their lives and try to fit square pegs into round holes, ignoring the clear reality that Things Are As They Are." -Benjamin Hoff, The Tao of Pooh

12-09-09, 04:32 PM   #6
swaldman
Guest
Posts: n/a
Originally Posted by Dolby
Sure, please send it to [email protected]
Done.

Originally Posted by Dolby
Do you use a shared host? It's possible one of their clients was able to get a list of email addresses on the server.
It's my own domain, run via google apps (so gmail), on which I'm the only user.

I'm no expert, so it's entirely possible that something else is up - but I thought I'd alert you to the possibility. Sorry if it's a wild goose chase :-)
12-10-09, 11:01 AM   #7
Bluspacecow
Giver of walls of text :)
 
AddOn Author
Join Date: Dec 2006
Posts: 770
Is it possible that email was public before you turned off displaying it in your public profile for wowinterface?
__________________
tuba_man on Apple test labs : "I imagine a brushed-aluminum room with a floor made of keyboards, each one plugged into a different test box somewhere. Someone is tasked with tossing a box full of cats (all wearing turtlenecks) into this room. If none of the systems catch fire within 30 minutes, testing is complete. Someone else must remove the cats. All have iPods." (http://community.livejournal.com/tec...t/2018070.html)
12-10-09, 01:51 PM   #8
swaldman
Guest
Posts: n/a
Originally Posted by Bluspacecow
Is it possible that email was public before you turned off displaying it in your public profile for wowinterface?
Hmm. Maybe. I forgot I even had a public profile... most likely I would have created the account and then immediately turned off display of the email address, but if the default is to show it then it would have been visible for a few minutes!
12-10-09, 04:35 PM   #9
BWarner
A Black Drake
 
Join Date: May 2008
Posts: 87
By "shared host", I think Dolby meant cloud hosting, or rather, running multiple people off the same server. Typically, if you get cheap hosting and don't much care about anything server-side, then that's what you're on. However, since you're using GMail for your email service, Google is remotely handling the email, not your server, so your server wouldn't have that data (except potentially the ones you registered the domain and/or hosting with, and maybe one or two default ones).
__________________


The Warrior Formerly Known As Aerowyn.

http://AeroWow.com/
12-19-09, 12:55 AM   #10
Ihadurca
An Aku'mai Servant
 
Join Date: Sep 2009
Posts: 37
Originally Posted by swaldman
I use unique email addresses when registering with websites, and only use them for those sites. This spam was sent to the one used for wowinterface.
That is a lot of email addresses then. O.o And I thought I was bad w/ my multiple emails for categories, you got me beat w/ emails for each website. ^_^

Also keep in mind, they don't have to "find" your email address somewhere to send it to you. They have automated scripts that randomly put letters and numbers together to make email addresses and send them out. For example: a few months ago I created a new email address. Not yet sure what I wanted to do with it yet, so I just haven't done anything with it yet. I have never registered it with anyone for anything.... and my spam box was flooded within a week. LOL Crazy.

But that is a big coincidence w/ your email.
12-19-09, 08:05 AM   #11
Zyonin
Coffee powered Kaldorei
 
AddOn Author
Join Date: May 2006
Posts: 1,443
Originally Posted by Ihadurca
That is a lot of email addresses then. O.o And I thought I was bad w/ my multiple emails for categories, you got me beat w/ emails for each website. ^_^

Also keep in mind, they don't have to "find" your email address somewhere to send it to you. They have automated scripts that randomly put letters and numbers together to make email addresses and send them out. For example: a few months ago I created a new email address. Not yet sure what I wanted to do with it yet, so I just haven't done anything with it yet. I have never registered it with anyone for anything.... and my spam box was flooded within a week. LOL Crazy.

But that is a big coincidence w/ your email.
Much like when I get WoW phishing spam on a couple of email addresses that I have NEVER used for any WoW site and one email site was never used to sign up for anything. The old brute force approach. Of course I had a couple of chuckles just before pressing the "Delete" button.
__________________
Twitter
12-20-09, 03:10 PM   #12
numein
A Cyclonian
 
AddOn Author
Join Date: Jun 2009
Posts: 43
I created a gmail account for my dad some time ago. He almost never uses it, and even if he does it's only for mailing with some friends/colleagues.
So the mail was never public. And the name is fairly long and not generic, so it's not likely to "guess"...

Still, from day 1 I think, the mail is full of spam, and I mean really full (at least 10 spam/day, gets even to 100/day)...

In short: a gmail account can get spam w/o ever being public...
12-20-09, 03:36 PM   #13
Petrah
A Pyroguard Emberseer
 
AddOn Author
Join Date: Jan 2008
Posts: 2,988
Originally Posted by numein
In short: a gmail account can get spam w/o ever being public...
They all can. Be it free web mail, ISP mail, or private domain created mail.
__________________
AddOn Authors: If your addon spams the chat box with "Addon v8.3.4.5.3 now loaded!", please add an option to disable it!
12-20-09, 08:11 PM   #14
numein
A Cyclonian
 
AddOn Author
Join Date: Jun 2009
Posts: 43
Originally Posted by Petrah
They all can. Be it free web mail, ISP mail, or private domain created mail.
Yeah sure, I just said gmail 'cause it was mentioned in the opening post...
12-29-09, 07:49 PM   #15
elfchief
A Defias Bandit
Join Date: Jul 2005
Posts: 2
So...

I'd like to report that I have the same thing happening with me.

I have an email address that's unique to wowinterface... my email system routes anything in the name of myaddress-anyrandomtext directly to me, and I tag my sites that way... so my address here is [email protected]in

A week(ish) ago I got a phishing mail asking for WoW information.

I run my own mail server, nobody shares it but the people that live with me (who don't have administrator access), this email address has never been posted, used to send mail, or otherwise exposed to the real world, other than being used as the account email for wowinterface.

One roommate (who doesn't use the per-site unique addresses) got the same thing to the email address they have registered with wowinterface (though they use it on several sites, so that's not authoritative proof).

I seriously doubt that someone just randomly thought to append -wowinterface to an otherwise working address to get through to me. I think the likelihood of doing it twice with two different people's addresses is pretty damned unlikely. And my roommate never had an attempt at using a -wowinterface form of their address, just their normal address, so somehow the pharmer knew who was using tagged addresses and who wasn't? Seems incredibly unlikely.

Unless my email address is public. I just looked through all of the account options I could find, though, and couldn't find anything about making one's email address visible (or not).

So, I tend to agree, something might be going on here.

And no, unless you use a common name as an email address (e.g. "john@wherever"), a private domain can't get spam if the email address is never used anywhere. Especially not something like mine, where the -wowinterface (or whatever) part doesn't even exist.

-j
12-29-09, 11:50 PM   #16
Nafe
A Deviate Faerie Dragon
AddOn Author
Join Date: Jul 2008
Posts: 17
I would like to report a similar email that I just received a few minutes ago.

As with a few people above, I know that this was sent directly to the email address I used ONLY for Wowinterface (because I use a unique email for each website...). This is a bit too coincidental to assume it's by chance.

Judging by how log checks showed no success, perhaps there is an exploit used to query the MySQL database (I'm assuming MySQL, for the sake of simplicity) of Wowinterface for a user's email address. Perhaps it's worthwhile to review the PHP code to see if such a leak exists?

When we carry out a routine check when the account, we have evidence to show that your account has been involved in the disputed transactions.
So we have to inform you visit our website(http://www.worldofwarcraft.com) fill out some information to facilitate our investigation.
If you can not tie in with our soon we will have to temporarily lock your account.

Sincerely,
Blizzard, Inc.
Copyright @ 2009 Blizzard, Inc. All rights reserved.
Please note that the link (withheld so no poor soul clicks on it) really points to a different website, www.worldofwarcraft______.com where ______ is withheld.

...

Received: FROM blu0-omc2-s29.blu0.hotmail.com (blu0-omc2-s29.blu0.hotmail.com [65.55.111.104])
By ____________ ID 4B3AE3FB.60720.11556 ;
30 Dec 2009 00:24:11 EST
Received: from BLU0-SMTP18 ([65.55.111.71]) by blu0-omc2-s29.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Tue, 29 Dec 2009 21:24:09 -0800
X-Originating-IP: [60.19.232.196]
X-Originating-Email: [[email protected]]
Message-ID: <[email protected]>
Received: from tszmkl ([60.19.232.196]) by BLU0-SMTP18.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959);
Tue, 29 Dec 2009 21:24:07 -0800
From: "[email protected]" <[email protected]>
To: <[email protected]>
Subject: World of Warcraft Account Trade Dispute Notice
Date: Wed, 30 Dec 2009 13:24:20 +0800
MIME-Version: 1.0
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: base64
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-OriginalArrivalTime: 30 Dec 2009 05:24:08.0226 (UTC) FILETIME=[4FA64820:01CA8910]
I'm forwarding the email to Dolby.
12-30-09, 12:18 AM   #17
Dolby
PPAP
 
WoWInterface Admin
Join Date: Feb 2004
Posts: 2,339
The logs are scanned for injection attacks and any malformed URLs are listed nightly in my logwatch. I of course mysql_real_escape_string() everything that is remotely entered.

Also, Nafe, you do not have a "@nafe.com" email address in our database.


Since you are long-time members, it's possible when we were compromised a few years ago (we posted news about it when it happened) that they got away with some email addresses. That was on our old server and I do not have the logs for that.

Last edited by Dolby : 12-30-09 at 12:25 AM.
12-30-09, 04:17 PM   #18
Ughmahedhurtz
A Kobold Labourer
Join Date: Aug 2007
Posts: 1
"Me too" post...

I'll chime in and mention I just got the same phishing email to my wowinterface.com@<mydomain>.net which, like the OP, I set up for use only with this site. I'm not sure if I was a member during the "old server" compromise mentioned above, but it would be worth comparing my registered date to that to see if that holds water. The content of the two spam mails I got is identical to the above. The header info is slightly different, as you might expect from forged senders/relays.
12-30-09, 05:14 PM   #19
Polarina
A Theradrim Guardian
AddOn Author
Join Date: Aug 2007
Posts: 63
I use my e-mail address everywhere and have for many years, and I have never received a single spam message similar to those described by the users above. I'll let you know if that changes.
12-30-09, 09:44 PM   #20
MoonWitch
A Firelord
AddOn Author
Join Date: Sep 2007
Posts: 455
I've not received such mail (just to - you know break cycles).

Has anyone at any point considered spam sent at random?

I worked for an ISP and now for an anti-virus company, and I also have my own hosting, which includes mail; you wouldn't believe the amount of spam we get (we actually almost disable our spam filters so clients can get through with ludicrous mails).

For those with their own mail servers/hosting: do you have a catch-all address? Any mail sent to non-existing addresses will then be sent to the main account.

Since the spam is directed at wow-account farming, they just try random stuff with names of well known wow-oriented sites.
