Edited by Harlsoco on 12/14/10 8:40 AM (PST)
Here is the full header:
From firstname.lastname@example.org Tue Dec 14 14:19:08 2010
X-Apparently-To: via 18.104.22.168; Tue, 14 Dec 2010 06:18:49 -0800
Received-SPF: none (mta1002.mail.sk1.yahoo.com: domain of <removed> does not designate permitted sender hosts)
Authentication-Results: mta1002.mail.sk1.yahoo.com from=blizzard.com; domainkeys=neutral (no sig); from=blizzard.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO zrvwjn.com) (22.214.171.124)
by mta1002.mail.sk1.yahoo.com with SMTP; Tue, 14 Dec 2010 06:18:49 -0800
From: "email@example.com" <firstname.lastname@example.org>
Subject: Battle.net Account - Account security
Date: Tue, 14 Dec 2010 22:19:08 +0800
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
Here is the message:
This is an automated notification regarding your Battle.net account. Some or all of your contact information was recently modified through the Account Management website.
*** If you made recent account changes, please disregard this automatic notification.
Account security is solely the responsibility of the accountholder. Please be advised that in the event of a compromised account, Blizzard representatives will typically lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play. In order to guarantee the legitimacy of your account, we need you follow these steps:
Step 1: Secure Your Computer
In the event that your computer has been infected with malicious software such as a keylogger or trojan, simply changing your password may not deter future attacks without first ensuring that your computer is free from these programs. Please visit our Account Security website to learn how to secure your computer from unauthorized access.
Step 2: Restore access to Your account
We now provide a secure website for you to verify whether you have taken the appropriate steps to secure the account, your computer, and your email address. Please follow this site to restore the access to your account: <removed>
If you cannot sign into Account Management using the link above, or if unauthorized changes continue to happen, please contact Blizzard Billing & Account Services for further assistance.
The Battle.net Account Team
Edited by Harlsoco on 12/14/10 8:41 AM (PST)
Received-SPF: none (mta1002.mail.sk1.yahoo.com: domain of <removed> does not designate permitted sender hosts)
Bolded part for clarification. FAKE.
Yes, the email is indeed a phishing attempt, Alanthor. Thank you for posting the email headers as well!
You are more than welcome to forward this email, along with the header information if you have not done so already to our Hacks team: email@example.com.
Did you click on any of the links in the email, by chance?
Edited by Equenoxil on 12/14/10 8:47 AM (PST)
I know I'm not the one you're asking, but I wanted to ask. My friend clicked on one of the links (Since he also got the email in question) but the Firefox warning page of 'This page isn't safe' popped up with a link to continue. He didn't. Would he still be safe since he didn't go to the actual page?
Usually, if you hover over links in emails, the site it will send you to if you click the link is displayed. In these fake emails, the displayed URL (site) will not be a battle.net address, thus showing you it's a scam email.
The way I tell my less tech-savvy friends to keep from getting hacked, is that if you get an email that appears to be from Blizzard, open a web browser, go to worldofwarcraft.com and check your account settings. If something seems amiss there, you have a problem, if not, you were getting phished.
No, I didn't click on any of these links. :)
Edited by Tormas on 12/14/10 11:28 AM (PST)
I too got a chain of 3 e-mails that led up to this one. The first one was about the real news website hacks with their commenting system. The second was an informational one spoofed as Blizzard saying I'd been reset, and the third one you see as posted by the OP saying what to go do.
Worth reporting that I could forward the first 2 to the hacks@blizzard e-mail but for some reason the 3rd one would just auto send without me being able to designate who or put something in the body (it was strange).
So just to those out there who think this is more legit because it's in multiple parts: it is NOT. Still phishing and you probably should verify on your account manually (NOT clicking the links in the e-mail), reset your password on your own (NOT clicking the links in the e-mail) just for good measure, and report what you can to Blizz (NOT clicking on any of the links in the e-mail).
If you did click on any of the links in the e-mail report it immediately.
I was recently also hit with a similar email. In addition to that, someone attempted to reset my account password, though they appear to be unsuccessful.
I'm a little concerned, to be honest, but at least they weren't successful.
I do have to admit my surprise at the fact Gmail did not flag this as spam or as a suspicious email. Every single Blizz phishing email I have gotten over the years it has flagged as one or the other (or both). To be honest I was downright impressed at its accuracy of flagging them, and letting legit Blizz emails through. The fact this one made it by that actually almost caught me off guard, but as a former IT Security specialist I am never too careful! (and this was a polite reminder why!)
83 Draenei Death Knight
Yeah, I got the same email chain. First Gawker Network asking for password resets, then from noreply@Blizzard. I didn't click the link they gave, but I did go to my account and changed my password. I also ran several different scans to make sure. Still paranoid, will do scans again when I get home.
Received: from mx2.blizzard.com ([126.96.36.199]) by BAY0-MC4-F33.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Mon, 13 Dec 2010 21:06:40 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
d=blizzard.com; firstname.lastname@example.org; q=dns/txt;
s=mail; t=1292303200; x=1323839200;
Received: from irvex203.corp.blizzard.net ([10.130.14.23])
by mx2.blizzard.com with ESMTP; 13 Dec 2010 21:06:40 -0800
Received: from IRVEX012.corp.blizzard.net (10.130.0.217) by
IRVEX203.corp.blizzard.net (10.130.14.23) with Microsoft SMTP Server (TLS) id
188.8.131.52; Mon, 13 Dec 2010 21:06:40 -0800
Received: from yourjvrgp4jtdb (10.44.1.61) by Smtp.blizzard.com (10.130.0.214)
with Microsoft SMTP Server id 184.108.40.206; Mon, 13 Dec 2010 21:06:40 -0800
Thread-Topic: Account Security Alert: Password Reset
Subject: Account Security Alert: Password Reset
Date: Mon, 13 Dec 2010 21:04:37 -0800
Content-Type: text/plain; charset="utf-8"
X-Mailer: Microsoft CDO for Windows 2000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
X-OriginalArrivalTime: 14 Dec 2010 05:06:40.0607 (UTC) FILETIME=[B1630EF0:01CB9B4C]
We’ve recently been informed that several Gawker Media websites have been compromised. These websites include Gawker, Gizmodo, Kotaku, Lifehacker, Jezebel, io9, Jalopnik, Deadspin, and Fleshbot. To help minimize the effects of this compromise and help keep your Battle.net account safe and secure, we’ve reset your account password. To complete the password reset, please log into Battle.net Account Management (https://us.battle.net/account/management) and follow the provided instructions.
If you are a registered commenter for any of these sites and used your Battle.net email address to sign up with Gawker Media, we also recommend that you update your Battle.net address as soon as possible via Account Management. If you are unable to complete this step or the password reset on your own and believe your account may be compromised, please contact our customer support staff by using the Account Recovery form (https://us.battle.net/account/support/account-recovery.html) and be sure to check out our Account Security Awareness guide (http://us.battle.net/en/security/) for additional security tips and suggestions.
For more information about this situation, please visit Gawker Media’s official announcement (http://gawker.com/5713056/gawker-security-breach-were-here-to-help) or Lifehacker’s comprehensive FAQ (http://lifehacker.com/5712785/faq-compromised-commenting-accounts-on-gawker-media).
Posting email to confirm validity.
22 Night Elf Hunter
Here's my question though--
I tried to log in last night from my hotel in Sapporo, and wow told me that my account had been locked 'due to suspicious activity'. I then got an email from noreply@Blizzard saying I should change my password.
I'm assuming this was legit, since changing my battle.net password with the link allowed me to log in to wow once again. I'm running a full virus scan just in case, but I really don't want to change my passwords a second time after gawker.
I just make it a policy to never, ever click any link in the emails. Legit or not, if for some reason I need to change my password, or I think an email may be real, I manually go to the battle.net page in a new tab and do it myself.
I also got the Gawker Media thing and am curious if that's legit or not, because I fear a number of my friends did click on it.
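The header comparison made in this thread (SPF result, DKIM signature, and the host the receiving server recorded), as an added example that is not part of any post. The two samples are constructed from the header lines quoted above; the From address and the IPs are placeholders, and `assess_headers` and `domain_matches` are hypothetical names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples modelled on the two header sets quoted in the thread.
# The From address and the IPs are placeholders, not values from the posts.
PHISH = """\
Received-SPF: none (mta1002.mail.sk1.yahoo.com: domain of <removed> does not designate permitted sender hosts)
Received: from 127.0.0.1 (EHLO zrvwjn.com) (192.0.2.10)
 by mta1002.mail.sk1.yahoo.com with SMTP; Tue, 14 Dec 2010 06:18:49 -0800
From: "Battle.net" <noreply@blizzard.com>
"""
LEGIT = """\
Received: from mx2.blizzard.com ([192.0.2.20]) by BAY0-MC4-F33.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
 Mon, 13 Dec 2010 21:06:40 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
 d=blizzard.com; q=dns/txt; s=mail; t=1292303200; x=1323839200;
From: "Battle.net" <noreply@blizzard.com>
"""

def domain_matches(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def assess_headers(raw):
    """Return a list of findings; an empty list means no header-level red flag."""
    msg = message_from_string(raw)
    # The From header is sender-controlled; it is only the claim being tested.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    findings = []
    # Received-SPF is written by the receiving server; the first word is the result.
    spf = (msg.get("Received-SPF") or "").split(None, 1)
    if spf and spf[0].lower() != "pass":
        findings.append("spf=" + spf[0].lower())
    # A signed message names its signing domain in the d= tag.
    m = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    if m is None:
        findings.append("no DKIM signature")
    elif not domain_matches(m.group(1), from_domain):
        findings.append("DKIM d= does not match From domain")
    # The topmost Received line is the one added by the recipient's own server.
    top = (msg.get_all("Received") or [""])[0]
    m = re.search(r"\(EHLO\s+([^)\s]+)\)", top) or re.search(r"^from\s+(\S+)", top)
    name = m.group(1) if m else ""
    if not domain_matches(name, from_domain):
        findings.append("sending host %r is not under %s" % (name, from_domain))
    return findings
```

The DKIM check here only confirms that a signature header is present and names the From domain; it does not verify the signature cryptographically, so the receiving server's own Authentication-Results line remains the verdict to rely on.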