Security breach? Unauthorized WOW purchase...

It's been two expansions since I played WOW, so imagine my surprise when I check my e-mail today and it says I pre-purchased the new digital expansion for $70. A subsequent e-mail says the purchase didn't go through, probably because the credit card number was out of date. The e-mails appear legitimate; no weird hyperlink addresses or anything. Nobody in my household could have done this.

I did log in to Battle.net just now and it didn't show anything in my order history, but I'm not sure it would.

I was playing StarCraft 2 within the last few weeks and had to log on to Battle.net to install and play it.

So... now I have some suspicions/fears, but figured I'd ask around and see if someone more knowledgeable about this kind of thing can tell me what's going on and what I need to do about it. Thanks...

Check the sender of the message. It may say it is from Blizzard Entertainment but if you hover over the sender it should pop up who the actual sender is.

It is more than likely one of those blizzard.com.co.ts or batt1e.net or some such.

Hovering over the sender yields "[email protected]" and "[email protected]".

Hovering over the hyperlinks, they all appear to go to legitimate web addresses (e.g. www.blizzard.com, www.battle.net, us.battle.net). I didn't click on them.

No grammatical or spelling errors.

One e-mail refers to me by my correct first and last name.

One e-mail references the last 4 digits of a credit card number that I thought was an old one, but in a quick perusal of my old credit card numbers, it didn't show up. It still could be correct though; I wasn't 100% thorough.

I'm not skilled at this type of thing, but looking at the e-mail headers showed nothing suspicious to me.

Soo.... could this still be a phishing attempt? I thought it was unlikely. If not, what then though?

Well, you might want to call them. Someone might have guessed your old password, and was trying to use your account to buy themselves a copy of the expansion.

Yeah. What worries me is the prospect of how someone "guessed" my password and what that means about my other passwords.

gewy wrote:

Yeah. What worries me is the prospect of how someone "guessed" my password and what that means about my other passwords.

That happened to me. The person reactivated my account and raided the guild bank vault before I was notified and called Blizzard to cut them off and remove all credit card info from the account. I then reversed the charges as fraudulent. Blizzard eventually forgave the negative balance, though that took months.

Talk to Blizzard, change your password and put an authenticator on your acct. The last part is the easiest.

With the amt of password hacking going on these days it's surprising we all aren't hacked more often...

Also, with ANYTHING Blizzard-related, if it isn't messaged to you on Battle.net I don't trust it. Do a search on their forums and you're likely to come across someone posting the exact same email and asking if it's a phishing scam.

One last thing, if you click a link in the email see what address it actually takes you to. It may look legit, but the site they take you to will likely have something funky in the URL.
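The sender and link checks suggested in this thread, as an added example that is not part of any poster's message: a Python sketch that flags a sender domain or link host that is not blizzard.com, battle.net, or a subdomain of one. The sample message is constructed, and the function and class names are illustrative.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the thread names as legitimate; everything else is flagged.
TRUSTED = {"blizzard.com", "battle.net"}

# Constructed sample: lookalike sender, one real link, and one link whose
# visible text says www.battle.net while the href goes elsewhere.
SAMPLE = """\
From: "Blizzard Entertainment" <noreply@blizzard.com.co.ts>
Subject: Order confirmation
Content-Type: text/html

<p>View your <a href="https://us.battle.net/account">order history</a> or
<a href="http://www.batt1e.net/login">www.battle.net</a>.</p>
"""

def is_trusted(host):
    """True only for a trusted domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

class LinkCollector(HTMLParser):
    """Collects the real href targets, ignoring the visible link text."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def check_message(raw):
    """Return (kind, host) pairs for every untrusted sender or link host."""
    msg = message_from_string(raw)
    findings = []
    _display_name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    if not is_trusted(sender_host):
        findings.append(("sender", sender_host))
    collector = LinkCollector()
    collector.feed(msg.get_payload())  # single-part HTML body assumed
    for href in collector.hrefs:
        host = urlsplit(href).hostname
        if not is_trusted(host):
            findings.append(("link", host))
    return findings

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

An empty result only means the visible sender and link hosts match the trusted list; the From header can be forged, and in this thread the e-mails were genuine notices of a real account compromise.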

Thanks guys. I changed the password. I'll skip the authenticator since I don't even play WOW anymore and if someone cleans out my character's bank, I doubt they'll be too impressed with the WOTLK era non-raid stuff I have there.

I did search for this same email though and found no evidence that other people are getting it in a phishing effort.

I guess my big concern really is that I have some kind of keylogger or something. It's my real life bank account I'm worried about. I could care less about Battle.net.

Blizzard confirmed. Someone got my account password somehow. A second attempted purchase was made today. I guess my attempt to change the PW didn't take. This time it did.

Looks like they are trying different credit card numbers. Maybe using it to test out a list of stolen ones?

To fool keyloggers, I always type in my passwords out of order.

So, for instance if my password was password, I would type

ord, click to the front, and then type passw

or

sswo then click the front and type pa and then click the end and type rd

If you use the stolen password elsewhere then I'd likely change those also.

Hmm... I was expecting someone to say I needed to reformat my hard drive. Like with nuking xenomorphs... it's the only way to be sure.

Well, once you know you've had malware running on the computer, the only way you can be sure it's clean is to do a full wipe and reinstall. Unless you're qualified to do a full forensic examination of your OS install from another, known-clean machine, the best you can ever get to with cleaning attempts is "probably clean", as opposed to the "definitely clean" you get from a reinstall. (and hell, even that's not absolute anymore, in the era of ACPI viruses.)

But, without any evidence of a local compromise, it's probably just someone brute-forcing passwords.

I can't believe we've gotten this far without anyone recommending LastPass!

Get thee to it. If you use a smartphone, pay for the sub and start generating actual secure passwords. Start with your banking and email and work your way through your sites as you have the energy. Battle.net and Steam should be high on the priority list; they are popular hacking targets.

OK, thanks for the suggestions. I am going to choose to believe this was just a brute force password crack. Why? Because I'm lazy. Maybe I'll live to regret it.

I'll get LastPass and regularly check my various accounts for suspicious activities (which I do anyway).