Blue Tracker
World of Warcraft Blue Posts
Diablo II: Resurrected Blue Posts
Diablo III Blue Posts
Hearthstone Blue Posts
Overwatch Blue Posts
Heroes of the Storm Blue Posts
Diablo IV Blue Posts
BlizzCon Blue Posts
Warcraft Rumble Blue Posts

I guess someone try to steal my account.

Forum Avatar
Greenstone
#0 - July 14, 2010, 10:27 a.m.
Blizzard Post
I have been receiving email like for a while, I changed the name of the email account in the below post to all ZZZZZ's since the e-mail is my trash yahoo account and isn't related to blizzard at all basically I shouldn't be receiving any mail there from blizzard.

The links listed in the e-mail do not lead to battle.net but to a different link, so I will not put the links in this post.

Please be aware of this scam and if possible blizzard I would like you take action against this individual.

From Blizzard Entertainment Sat Jul 10 16:38:25 2010
X-Apparently-To: [email protected] via 66.196.97.82; Sat, 10 Jul 2010 09:41:35 -0700
Return-Path: <[email protected]>
X-YahooFilteredBulk: 205.188.249.130
Received-SPF: pass (mta1017.mail.ac4.yahoo.com: domain of [email protected] designates 205.188.249.130 as permitted sender)
X-YMailISG: XH381wscZAr_H4_cPYOE7WWrFRaR5EC8Ux62zQiKrPqIAKTC L6pIZ2GWNOqXoLn_cMhbtkXb48gpTAJxmsjXhMdH7i0DLXBXBb2rs1KTvlIU WmQcNOSAC6h2upvMYEgtAUFINJw9NaTTlQ9W4pisXOTbo57_HsvDz2fAa.lE 9Di.wzIuBQTc0YbeXxp3FXJtDDe0OjUFPzaPXsO.RYZZFkOS6FoGgftoO0MN nF6CDXhCQDMk.FrBpxbIi1nWVa1TyDVwH3sJYO.u0YBD6gKY3f2MzjNbbuI_ Qy6pzox.7Ol34w4rZk2r9ua5aQerB0VdKKHbdMcjmmU0jhcOMmkIsDqXFB8L KNyXdAwtWkVTnKli.Xx8sDCyAVcKO9naGiFoa1Qd4MEkVo0NHQLPeWU0Ic8H a.U7uWcGS1DP51FWz3HbkEnhqcGiK_PTdl4PPdAVyWotBn.J7891LB61SjDI Ya153fVozBijJ5RBH_2GB.YAKo64DIQF1EcHy.A1YSeihLYXRFg6xOHS2930 RUg7GDhmnP6p9pwasWZdqqRRvizcRCKsyT8utf5EStIE6uZMmNPIJbYJ7vw-
X-Originating-IP: [205.188.249.130]
Authentication-Results: mta1017.mail.ac4.yahoo.com from=blizzard.com; domainkeys=neutral (no sig); from=blizzard.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO omr-d32.mx.aol.com) (205.188.249.130) by mta1017.mail.ac4.yahoo.com with SMTP; Sat, 10 Jul 2010 09:41:35 -0700
Received: from oms-ma01.r1000.mx.aol.com (oms-ma01.r1000.mx.aol.com [64.12.140.129]) by omr-d32.mx.aol.com (8.14.1/8.14.1) with ESMTP id o6AGfTTd007211 for <[email protected]>; Sat, 10 Jul 2010 12:41:29 -0400
Received: from mtaout-mb01.r1000.mx.aol.com (mtaout-mb01.r1000.mx.aol.com [172.29.41.65]) by oms-ma01.r1000.mx.aol.com (AOL Outbound OMS Interface) with ESMTP id 29DFB38000082 for <[email protected]>; Sat, 10 Jul 2010 12:41:29 -0400 (EDT)
Received: from iatzpmoym (unknown [78.47.29.82]) by mtaout-mb01.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPA id 33725E00009C for <[email protected]>; Sat, 10 Jul 2010 12:40:50 -0400 (EDT)
Message-ID: <AF121A875AD8A8650576205037AFB6E3@iatzpmoym>
From:
"Blizzard Entertainment" <[email protected]>
Add sender to Contacts
To: <[email protected]>
Subject: Battle.net Account - Contact Information Updated
Date: Sun, 11 Jul 2010 00:38:25 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_08E7_01F3D1C1.1D406B50"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
x-aol-global-disposition: S
X-SPAM-FLAG: YES
X-AOL-SCOLL-SCORE: 1:2:475178528:93952408
X-AOL-SCOLL-URL_COUNT: 3
x-aol-sid: 3039ac1d29414c38a2926d1c
X-AOL-IP: 78.47.29.82
Content-Length: 5271
Compact Headers
Hello ZZZZZZZZ,

This is an automated notification regarding your Battle.net account. Some or all of your contact information was recently modified through Battle.net Account Management. If you recently made changes to your account information, please disregard this automatic notification.

You can log in to Account Management at the following link to review your account settings:
http://www.battle.net/account

If you cannot sign into Account Management using the link above, or if unauthorized changes continue to occur, click here for answers to Frequently Asked Questions or contact the Blizzard Billing & Account Services team.

Account security is solely the responsibility of the account holder. Please be advised that in the event of a compromised account, Blizzard representatives will typically lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.

Regards,

The Battle.net Support Team
Blizzard Entertainment
Online Privacy Policy


Below is the whois/tracert/owner of the hostname they were sending me to:
(Again I did not include any links in this post to avoid someone doing something silly.)

IP address: 222.217.106.6
Host name: <removed>

Alias:
<removed>
222.217.106.6 is from China(CN) in region Southern and Eastern Asia


TraceRoute to 222.217.106.6 [<removed>t]
Hop (ms) (ms) (ms) IP Address Host name
1 53 45 42 72.249.128.105 -
2 67 39 25 8.9.232.73 xe-5-3-0.edge3.dallas1.level3.net
3 132 119 79 66.192.241.218 peer-02-ge-1-0-0.lsag.twtelecom.net
4 82 56 50 4.69.132.77 ae-3-3.ebr2.losangeles1.level3.net
5 57 56 216 202.97.51.165 -
6 71 278 246 202.97.60.41 -
7 227 60 61 4.68.18.198 ae-44-99.car4.sanjose1.level3.net
8 61 52 233 202.97.43.226 -
9 234 241 273 218.65.144.2 -
10 249 296 289 218.65.144.94 -
11 280 211 242 202.97.33.233 -
12 225 228 225 202.97.43.226 -
13 244 261 251 222.217.106.6 6.106.217.222.broad.gl.gx.dynamic.163data.c!%##*#%##@!!!@#@@#!*@!%###

Trace complete


Retrieving DNS records for <removed>t...

DNS servers
<removed>

Answer records
<removed> NS <removed> 3600s
net-login.net A 222.217.106.6 3600s
net-login.net SOA
server: <removed>
email: [email protected]
serial: 2004121301
refresh: 3600
retry: 1800
expire: 604800
minimum ttl: 7200
3600s
net-login.net NS ns.xinn!%##*#%##@!!!@#@@#!*@!%### 3600s

Authority records

Additional records
ns.xinn!%##*#%##@!!!@#@@#!*@!%### A 61.155.152.84 3600s
<removed> A 202.10.73.8 3600s
ns.xinn!%##*#%##@!!!@#@@#!*@!%### A 121.14.70.4 3600s
ns.xinnetdns.com A 61.155.152.86 3600s
ns.xinn!%##*#%##@!!!@#@@#!*@!%### A 202.10.73.5 3600s
ns.xinnetdns.com A 121.14.70.6 3600s


Whois query for net-login.net...

Query error: Timed out

Network IP address lookup:


Whois query for 222.217.106.6...

Results returned from whois.arin.net:


OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 222.0.0.0 - 222.255.255.255
CIDR: 222.0.0.0/8
NetName: APNIC8
NetHandle: NET-222-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS2.LACNIC.NET
NameServer: NS-SEC.RIPE.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://wq.apnic.net/apnic-bin/whois.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/apnic-info/whois_search2/abuse-and-spamming
RegDate: 2003-02-13
Updated: 2009-10-08

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3188
OrgTechEmail: [email protected]

# ARIN WHOIS database, last updated 2010-07-13 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https://www.arin.net/whois_tou.html
#
# Attention! Changes are coming to ARIN's Whois service on June 26.
# See https://www.arin.net/features/whois for details on the improvements.


Results returned from whois.apnic.net:

% [whois.apnic.net node-3]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 222.216.0.0 - 222.218.255.255
netname: CHINANET-GX
descr: CHINANET Guangxi province network
descr: China Telecom
descr: No1,jin-rong Street
descr: Beijing 100032
country: CN
admin-c: CH93-AP
tech-c: CR766-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-GX
mnt-routes: MAINT-CHINANET-GX
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: [email protected] 20040324
source: APNIC

person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: [email protected]!%##*#%##@!!!@#@@#!*@!%###.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: [email protected] 20070416
mnt-by: MAINT-CHINANET
source: APNIC


Please do your best to track and shutdown these guys.

Forum Avatar
Orlyia
#1 - July 14, 2010, 10:30 a.m.
Blizzard Post
Sadly, as you have just proven by beautifully extensive documentation - they are usually outside the reach of normal methods.

And yes, this is a phish.
Forum Avatar
Orlyia
#12 - July 14, 2010, 10:58 a.m.
Blizzard Post
It's actually best that not be there to protect the curious from themselves :0

If I missed any, feel free.