Beware of Blood Elves selling mounts

A friend of mine recently got hit by a pretty devious phishing scam targeting wealthy (in-game) players looking to make legitimate purchases. My friend, we'll call him Cobra, was in a major city when an offer in the Trade Channel caught his eye. A player, we'll call him Bubbles, was offering a Spectral WoW Tiger Mount for 5000 gold. Since this mount is only available as a code on a rare loot card, Cobra contacted Bubbles to inquire. Purchasing codes for in-game items with in-game cash is perfectly legitimate, according to Blizzard, so Cobra did not worry about going against the TOS with this transaction.

Bubbles, a level 78 Blood Elf Mage, seemed legitimate. For one thing, he was not a throwaway low level character. Also, he didn't want to take the cash then, but just see it in a trade window to make sure Cobra was in possession of it. So Cobra gave Bubbles his email address only and waited for the email that included the code and a link to where to input the information.


Cobra was in-game on one computer and clicked on the link on a separate computer. The link went to a page that looked exactly like the non-Battle.Net account page. He logged in and it took him to a page that looked exactly like the official Blizzard code entry page that he had used when he entered his Polar Bear mount code from last year's BlizzCon. After three tries of trying to register the code he had received, he noticed that his other computer had disconnected from WoW.

When he tried to login again, he was told that his account was now associated with a Battle.Net account and that his username and password were no longer valid. It just so happens that all of this was done during a break at work, and Cobra works with his guild leader, who we will call TSU. Cobra walked over to TSU's desk and asked him to logon and see if he was logged in. Sure enough, he was. So TSU immediately demoted Cobra's character.

Unfortunately, TSU did not get a screenshot, but here is what happened next.

Hacker: What did you do that for?!?
TSU: You're a hacker.
Hacker: How do you know?
TSU: Because the real player is looking over my shoulder.
Hacker: O HAI!

Cobra was able to get in touch with Blizzard support and get his account back within 20 to 30 minutes after it was compromised. About 10K gold from various characters and all of his gems were gone. Also, some of his other items were on the Auction House. His gear was still intact and he was able to raid that same evening, so the damage was far less than others who have been hacked.

But wait! There's more! As I write this, Cobra's account got hacked again. Not only did the phishing site take his old account info, it downloaded a keylogger to steal the new account info. They logged into his character and started the scam all over again by spamming Trade Channel with the same Spectral Tiger Mount offer.

Using a server-known, high-level character (hacked from a previous transaction) for the initial communication and asking to only see the cash is an excellent way to both look legitimate and only get targets who have enough money to be worth further effort. Trusting a link in an email rather than going to the site directly was Cobra's biggest mistake and ultimately how his account was compromised. Having an Authenticator would have helped in this situation, but this kind of scam circumvents most other basic account security measures.

In general, if you want to conduct account related business (for any account, not just WoW), get to the website yourself and use trusted links only. And, please, don't buy gold. If these hackers didn't have a market to sell their ill-gotten goods, then they wouldn't waste their time devising these scams in the first place.

Be careful out there!