Targeted attacks via email – phishing for WoW gold

You’re going to be seeing a lot of discussion about email addresses stolen from ESPs in the next few days, if you haven’t already. There are a lot of interesting things to discuss about that from an email perspective, from “Why two-factor authentication isn’t a magic bullet” to “And this is why corporate spam folders can be a major security risk.”
We could have fodder for blog content for weeks!
Right now I’m just going to look at one of the reasons why it’s worth stealing a list of email addresses from an ESP or a list owner, rather than just gathering them from other sources. That is, why the ESPs and list owners are high value targets beyond just “that’s where the email addresses are”.
If you steal a list of addresses from a list owner, or a bunch of lists from an ESP, you have one very useful extra piece of information about the recipients beyond the usual name-and-email-address. You know a company that the recipient is already expecting to receive email from.
That means that you know someone you can pretend to be in order to get a recipient to open and respond to a malicious email you send them, which makes an attempt to phish someone’s credentials or compromise their computer via email much more likely to succeed.
A good example of targeted phishing for credentials is the online game World of Warcraft. There’s a huge criminal underground that makes real world money by selling game money to players. To acquire game money, advertise their services to players and hand game money over in return for dollars, the gold sellers need one thing above all: an endless series of World of Warcraft accounts. Blizzard, the World of Warcraft owner, works reasonably hard to squash those accounts and makes it slightly tricky for the gold sellers to sign up for them, so stealing account credentials from existing users is a great way to get them. And you can also strip those accounts bare of in-game possessions and gold in the process.
Some of the phishing is done in the game itself, where you know that everyone has an account you can steal if you can just get them to visit your website and compromise their machine…

… but that requires a lot of work, given the effort Blizzard puts into preventing it, and it isn’t that effective. It’d be much more effective if you could send messages via email, outside the game, which pretend to come from Blizzard. All you need to do that effectively is a list of email addresses of people who play World of Warcraft.
Cracking Blizzard’s database would be tricky, as they keep all their email addresses in-house and don’t send them out to third parties. But there’s a healthy ecosystem of third party websites used by WoW players, which gather email addresses and which are easier to crack. Sometime in early February one of those, curse.com, was compromised and their list of email addresses stolen. I can track this because I gave Curse a tagged email address. Since then that tagged address has received a steady trickle of plausible looking emails claiming to be from Blizzard, suggesting that my login needs to be validated, or my WoW account is about to be suspended, or that someone is trying to break into my account or…
The common factor is that they’re trying to make me go to a fake WoW or Blizzard website and either enter my username, password and (in some cases) the magic cookie produced by my two-factor authentication widget or download some piece of malware disguised as an official WoW update that’ll compromise my machine and (usually) install a keylogger to steal my login that way.
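The tagged-address trick described above is easy to turn into a detection: if an address was only ever given to one party, any mail arriving there that claims to be someone else is evidence the list leaked. The script below is an added example, not code from the original post; the tagged addresses, sender domains and sample messages are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed map: each tagged address was handed to exactly one party.
TAGGED_ADDRESSES = {
    "me+curse@example.com": "curse.com",
    "me+blizzard@example.com": "blizzard.com",
}

# Constructed assumption: domains each party legitimately sends from.
EXPECTED_SENDER_DOMAINS = {
    "curse.com": {"curse.com"},
    "blizzard.com": {"blizzard.com", "battle.net"},
}

# Brands commonly impersonated; used to spot a display name that does not match its domain.
BRAND_DOMAINS = {"blizzard": {"blizzard.com", "battle.net"}}


def classify(raw_message: str) -> dict:
    """Map the recipient tag back to who was given it and flag mail that does not fit."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    _, to_addr = parseaddr(str(msg.get("To", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    given_to = TAGGED_ADDRESSES.get(to_addr.lower())

    # Display name claims a brand whose real domains do not include the sender domain.
    brand_spoof = any(
        brand in display.lower() and from_domain not in domains
        for brand, domains in BRAND_DOMAINS.items()
    )
    # Address known to one party only, yet the sender is someone else: the list leaked.
    leaked = given_to is not None and from_domain not in EXPECTED_SENDER_DOMAINS[given_to]
    return {"tag_owner": given_to, "sender_domain": from_domain,
            "brand_spoof": brand_spoof, "leaked_list_suspect": leaked}


# Constructed sample messages, modelled on the pattern the post describes.
SAMPLE_PHISH = """From: "Blizzard Entertainment" <noreply@blizzard-account-verify.example>
To: me+curse@example.com
Subject: Your World of Warcraft account will be suspended

Please validate your login at http://phish.invalid/
"""
SAMPLE_LEGIT = """From: Curse <newsletter@curse.com>
To: me+curse@example.com
Subject: Weekly addon digest

Nothing suspicious here.
"""
```

Running `classify(SAMPLE_PHISH)` attributes the leak to the curse.com tag and flags the Blizzard impersonation, while the genuine Curse newsletter passes.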
These emails do most of the things we say an effective email campaign should do.

  • They’re well branded (as Blizzard).
  • They contain well-crafted content that is relevant and compelling to the recipients.
  • They’re well targeted: all the recipients have a strong interest in the subject, World of Warcraft.
  • There’s a strong, ongoing relationship between the recipient and who the sender claims to be.
  • And finally, the emails contain a strong call to action: come to our website (and compromise your WoW account).

The key thing that enabled the accurate targeting of their phishing and malware emails was being able to steal a list of addresses that they knew were engaged WoW customers.
And that’s one reason why a list of email addresses of customers of a company is valuable to online criminals and why email senders – both ESPs and companies sending their own email – will increasingly be high value targets for data theft.
