Malwarebytes researcher Chris Boyd spotted a phishing campaign offering World of Warcraft (WoW) players free pets.
Boyd said he's spotted two versions of the campaign, although there could be more, each of them linking to the same phishing URL, according to a March 28 blog post.
One of the emails claimed that a World of Warcraft user's friend has purchased an in-Game Pet: Brightpaw and that the victim needs to enter their Gift Key on the phishing site to download the gift.
An email sent in the second phishing campaign claims to offer a WoW mount mystic rune sabre and links to the same phishing page.
“Keen Warcraft players will notice the email is branded with Battle(dot)net, the name of Blizzard's online gaming service – but this name has just been retired, which may well set off a few alarm bells,” Boyd said in the post.
Once on the page users are instructed to enter their email and password.
“World of Warcraft is very popular with teens, and offers related to free pets, armor, or weapons are always attractive to younger gamers who want to stand out from the crowd,” Boyd told SC Media. “Special editions and limited content make for great bait, and this tends to be one of the most common ways gamers get caught out.”
Boyd said younger gamers tend to fall for these kinds of scams and that the phishing pages often go hand in hand with bogus customer support Twitter accounts.
“In those situations, the fake account jumps into discussions with the real customer support on Twitter, then directs the gamer to a phishing page,” Boyd said. “This is usually a very successful tactic as they don't notice the switch with regard who they're talking to.”
He added that most online gaming companies have security advice pages and that in the case of the WoW phishing attack players are encouraged to protect themselves against these exploits by making use of the game's authenticator and SMS alert system.
Boyd also noted that players are encouraged to look for the green padlock which clearly displays "Blizzard Entertainment, Inc." so gamers aware of this theoretically shouldn't fall for a phish, even if said phish happened to be HTTPS.