Targeted attacks via email – phishing for WoW gold

You’re going to be seeing a lot of discussion about email addresses stolen from ESPs in the next few days, if you haven’t already. There are a lot of interesting things to discuss about that from an email perspective – from “Why two factor authentication isn’t a magic bullet.” to “And this is why corporate spam folders can be a major security risk.”
We could have fodder for blog content for weeks!
Right now I’m just going to look at one of the reasons why it’s worth stealing a list of email addresses from an ESP or a list owner, rather than just gathering them from other sources. That is, why the ESPs and list owners are high value targets beyond just “that’s where the email addresses are“.
If you steal a list of addresses from a list owner, or a bunch of lists from an ESP, you have one very useful extra piece of information about the recipients beyond the usual name-and-email-address. You know a company that the recipient is already expecting to receive email from.
That means that you know someone you can pretend to be in order to get a recipient to open and respond to a malicious email you send them – which will make an attempt to phish someones credentials or compromise their computer via email much more likely to be effective.
A good example of targeted phishing for credentials is the online game World of Warcraft. There’s a huge criminal underground that makes real world money by selling game money to players. The main thing the gold sellers need to have to be able to acquire game money, advertise their services to players and to give game money to players in return for dollars is an endless series of World of Warcraft accounts. Blizzard, the World of Warcraft owner, work reasonably hard to squash those accounts and make it slightly tricky for the gold sellers to sign up for them, so stealing account credentials from existing users is a great way to get them. And you can also strip those accounts bare of in-game possessions and gold in the process.
Some of the phishing is done in the game itself, where you know that everyone has an account you can steal if you can just get them to visit your website and compromise their machine…

… but that’s something that’s requires a lot of work to do given the work Blizzard does to prevent it, and which isn’t that effective. It’d be much more effective if you could send messages via email, outside the game, which pretend to come from Blizzard. All you need to do that effectively is a list of email addresses of people who play World of Warcraft.
Cracking Blizzards database would be tricky, as they keep all their email addresses in-house and don’t send them out to third parties. But there’s a healthy ecosystem of third party websites that are used by WoW players, which gather email addresses and which are easier to crack. Some time in early February one of those, curse.com, was compromised and their list of email addresses stolen. I can track this because I gave Curse a tagged email address. Since then that tagged address has received a steady trickle of plausible looking emails claiming to be from Blizzard, suggesting that my login needs to be validated, or my WoW account is about to be suspended, or that someone is trying to break into my account or…
The common factor is that they’re trying to make me go to a fake WoW or Blizzard website and either enter my username, password and (in some cases) the magic cookie produced by my two-factor authentication widget or download some piece of malware disguised as an official WoW update that’ll compromise my machine and (usually) install a keylogger to steal my login that way.
These emails do most of the things we talk about an effective email campaign doing.

  • They’re well branded (as Blizzard)
  • They contain well-crafted content that is relevant and compelling to the recipients.
  • They’re well targeted, all the recipients have a strong interest in the subject – World of Warcraft
  • There’s a strong, ongoing relationship between the recipient and who the sender claims to be
  • And finally, the emails contain a strong call to action – come to our website (and compromise your WoW account)

The key thing that enabled the accurate targeting of their phishing and malware emails was being able to steal a list of addresses that they knew were engaged WoW customers.
And that’s one reason why a list of email addresses of customers of a company is valuable to online criminals and why email senders – both ESPs and companies sending their own email – will increasingly be high value targets for data theft.

Related Posts

Relevance or Permission

One of the discussions that surrounds email marketing is whether relevance trumps permission or permission trumps relevance. I believe this entire discussion is built on a false dichotomy.
Sending relevant email is important. Not only do recipients expect mail to be relevant, but the ISPs often make delivery decisions on how relevant their users find your mail. Marketers that send too much irrelevant mail find themselves struggling to get inbox placement.
Permission makes sending relevant mail all that much easier. Sure, really good marketers can probably collect, purchase, beg, borrow and steal enough information to know that their unsolicited email is relevant. But how many marketers are actually that good?
My experience suggest that most marketers aren’t that good. They don’t segment their permission based lists to send relevant mail. They’re certainly not going to segment their non-permission based lists to send relevant mail.
Macy’s, for instance, decided that I would find their Bloomingdales mail relevant. I didn’t, and unsubscribed from both publications, after registering a complaint with their ESP. Had Macy’s asked about sending me Bloomies mail I wouldn’t have opted-in, but I probably wouldn’t have unsubbed from Macy’s mail, too.
So what’s your stand? Does relevance trump permission? Or does permission trump relevance? How much relevant, unsolicited mail do you get? How much irrelevant permission based mail do you get? And what drives you to unsubscribe from a permission based list?

Read More

Change is required

I get a lot of calls from senders who tell me that they have not changed what they were doing, but all of a sudden their mail isn’t performing the way it used to. Sometimes it’s simply less effective marketing, but more often than not the issue is mail being blocked or filtered to the bulk folder.
What worked today won’t work tomorrow. Spammers are forever evolving new techniques to get past spam filters. ISPs are forever evolving new techniques to stop them.
One of the current driving forces for spam filter development is focused on the individual recipients. Recipient wants and needs are king in the world of ISP mail filtering. Much of that is driven by the underlying business models of the free ISPs. They are selling eyeballs to their advertisers and that relies on keeping as many eyeballs around for as long as possible.
An early version of the recipient driven filtering was “add to your address book” where individual users could over ride ISP delivery decisions by actively adding a From: address to their address book. The ISPs have been refining this over time. For instance, if you reply to an email in some clients, you are prompted to add that address to your address books. If you take an email out of your bulk folder and move it to your inbox then that address is automatically added to your address book.
But the refinements haven’t stopped there. ISPs are now making smart decisions about what emails a particular recipient will want to receive. This raises a number of challenges to senders. How do you send email to ten thousand or a hundred thousand or a million people and make it relevant to all of them?
Smart senders will take the individual delivery challenge in stride. They will change along with the ISPs, to send mail that their recipients want to receive. Change is inevitable and required.

Read More

Email attacks

Ken has an article up today about the ongoing attacks against ESPs and email marketers. In it he says:

Read More