You’re going to be seeing a lot of discussion about email addresses stolen from ESPs in the next few days, if you haven’t already. There are a lot of interesting things to discuss about that from an email perspective – from “Why two factor authentication isn’t a magic bullet.” to “And this is why corporate spam folders can be a major security risk.”
We could have fodder for blog content for weeks!
Right now I’m just going to look at one of the reasons why it’s worth stealing a list of email addresses from an ESP or a list owner, rather than just gathering them from other sources. That is, why the ESPs and list owners are high value targets beyond just “that’s where the email addresses are“.
If you steal a list of addresses from a list owner, or a bunch of lists from an ESP, you have one very useful extra piece of information about the recipients beyond the usual name-and-email-address. You know a company that the recipient is already expecting to receive email from.
That means that you know someone you can pretend to be in order to get a recipient to open and respond to a malicious email you send them – which will make an attempt to phish someones credentials or compromise their computer via email much more likely to be effective.
A good example of targeted phishing for credentials is the online game World of Warcraft. There’s a huge criminal underground that makes real world money by selling game money to players. The main thing the gold sellers need to have to be able to acquire game money, advertise their services to players and to give game money to players in return for dollars is an endless series of World of Warcraft accounts. Blizzard, the World of Warcraft owner, work reasonably hard to squash those accounts and make it slightly tricky for the gold sellers to sign up for them, so stealing account credentials from existing users is a great way to get them. And you can also strip those accounts bare of in-game possessions and gold in the process.
Some of the phishing is done in the game itself, where you know that everyone has an account you can steal if you can just get them to visit your website and compromise their machine…
… but that’s something that’s requires a lot of work to do given the work Blizzard does to prevent it, and which isn’t that effective. It’d be much more effective if you could send messages via email, outside the game, which pretend to come from Blizzard. All you need to do that effectively is a list of email addresses of people who play World of Warcraft.
Cracking Blizzards database would be tricky, as they keep all their email addresses in-house and don’t send them out to third parties. But there’s a healthy ecosystem of third party websites that are used by WoW players, which gather email addresses and which are easier to crack. Some time in early February one of those, curse.com, was compromised and their list of email addresses stolen. I can track this because I gave Curse a tagged email address. Since then that tagged address has received a steady trickle of plausible looking emails claiming to be from Blizzard, suggesting that my login needs to be validated, or my WoW account is about to be suspended, or that someone is trying to break into my account or…
The common factor is that they’re trying to make me go to a fake WoW or Blizzard website and either enter my username, password and (in some cases) the magic cookie produced by my two-factor authentication widget or download some piece of malware disguised as an official WoW update that’ll compromise my machine and (usually) install a keylogger to steal my login that way.
These emails do most of the things we talk about an effective email campaign doing.
- They’re well branded (as Blizzard)
- They contain well-crafted content that is relevant and compelling to the recipients.
- They’re well targeted, all the recipients have a strong interest in the subject – World of Warcraft
- There’s a strong, ongoing relationship between the recipient and who the sender claims to be
- And finally, the emails contain a strong call to action – come to our website (and compromise your WoW account)
The key thing that enabled the accurate targeting of their phishing and malware emails was being able to steal a list of addresses that they knew were engaged WoW customers.
And that’s one reason why a list of email addresses of customers of a company is valuable to online criminals and why email senders – both ESPs and companies sending their own email – will increasingly be high value targets for data theft.
RSS - Posts
This sheds a great deal of light on an issue that touches home, and shows the frustration felt with sites that store but do not adequately protect your email address and/or PII. I’m already sharing this article with friends and relatives that play WoW.
These days phishing has become so common-place and sophisticated that it takes great scrutiny to determine if the source is trustworthy, at a level unfamiliar to the general public. It’s better to be safe than sorry, get know who your real safe senders are -exactly- and avoid unknown senders even if they are similar. I also suggest creating a separate email account for entertainment websites and never trust a link in an email.
Thanks again for the helpful article!
My account hasn’t been active in several years, and so the several of these I get every week stand out a lot. Some of the WoW phishes have been really sophisticated.
At this point, every single site that I signed up for in the context of World of Warcraft has been compromised (I use tagged accounts as well, and keep track of the sites using a password manager). Many of these community sites are particularly at risk because they started out as hobby sites and then saw explosive growth, which never leaves enough time to deploy good security measures.
Blizzard’s authenticator deserves highlighting – it raises the bar for the attackers by a lot. It’s interesting that some online games now has better security than many financial services sites.
[…] we’ve mentioned before there’s a black market in stolen World of Warcraft accounts. They’re typically worth […]