API tools faq
paste
_St0rm

Battle.net phishers part 2

_St0rm
Feb 15th, 2012
624
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.69 KB | None | 0 0
raw download clone embed print report
  1. Battle.net phishers part 2.
  2.  
  3. twitter.com/_St0rm
  4. pastebin.com/u/_St0rm
  5.  
  6. So I recieved an email from blizzard.
  7.  
  8. tldr: it was fake. My name is not Zhang, the link was broken, and I don't play wow.
  9.  
  10. After finding the raw output of the email, which is here: http://pastebin.com/F5RJkPwU
  11.  
  12. I found 3 main hostname/ips
  13. Here are my results:
  14. -------------------------------------------------------------------------------------------------------------------------------------------
  15. # Raw output from email
  16.  
  17. Received-SPF: pass (google.com: domain of [email protected] designates 121.254.166.47 as permitted sender) client-ip=121.254.166.47;
  18.  
  19. Received: from kw1-web-24-blade06.wowadmin.net (kw1-web-24-blade06.wowadmin.net [10.52.55.86])
  20.  
  21. Message-ID: <458130787.1329229976062.JavaMail.tomcat@kw1-admin-smtp-vip.wowadmin.net>
  22. -------------------------------------------------------------------------------------------------------------------------------------------
  23. # Looking up 121.254.166.47
  24.  
  25. IP: 121.254.166.47
  26. Hostname: ext-smtp11.kr.battle.net
  27. Timezone: Asia/Seoul
  28. Country: Korea
  29. Continent: Asia
  30. -------------------------------------------------------------------------------------------------------------------------------------------
  31. # Browser changes
  32.  
  33. if you ping kr.battle.net, you get: 121.254.166.38
  34. If you go directly to 121.254.166.38 in your URL, you get
  35. "Forbidden"
  36.  
  37. If you go to 121.254.166.47 you get:
  38. "121.254.166.47 took too long to respond."
  39.  
  40. -------------------------------------------------------------------------------------------------------------------------------------------
  41. # Doing a whois of 121.254.166.47
  42.  
  43.  
  44. KRNIC is not an ISP but a National Internet Registry similar to APNIC.
  45.  
  46. [ Network Information ]
  47. IPv4 Address : 121.254.128.0 - 121.254.255.255 (/17)
  48. Service Name : KIDC
  49. Organization Name : LG DACOM KIDC
  50. Organization ID : ORG137200
  51. Address : KIDC, 261-1, Nonhyun-dong, Kangnam-gu
  52. Zip Code : 135-010
  53. Registration Date : 20060602
  54.  
  55. [ Admin Contact Information ]
  56. Name : IP Administrator
  57. Phone : +82-2-2086-2924
  58. E-Mail : [email protected]
  59.  
  60. [ Tech Contact Information ]
  61. Name : IP manager
  62. Phone : +82-2-2086-2924
  63. E-Mail : [email protected]
  64.  
  65. [ Network Abuse Contact Information ]
  66. Name : Network Abuse
  67. Phone : +82-2-2086-2878
  68. E-Mail : [email protected]
  69.  
  70. -------------------------------------------------------------------------------------------------------------------------------------------
  71. # Kidc
  72.  
  73. So, 121.254.166.47 is ext-smtp11.kr.battle.net being hosted on kidc.net
  74. kidc.net is a Korean isp.
  75.  
  76. Either possibly hijacked, or it is legitly owned.
  77. It's the korean battlenet server.
  78.  
  79. So no real luck here, trying different ip from raw output.
  80. -------------------------------------------------------------------------------------------------------------------------------------------
  81. # Next IP to analyse.
  82.  
  83. Received: from kw1-web-24-blade06.wowadmin.net (kw1-web-24-blade06.wowadmin.net [10.52.55.86])
  84.  
  85. When you go to wowadmin.net or www.wowadmin.net you get a DNS failure.
  86. -------------------------------------------------------------------------------------------------------------------------------------------
  87. # Whois wowadmin.net
  88.  
  89.  
  90. ..So it's owned by godaddy.com. Let's see if battle.net is owned by godaddy.com...
  91. Yup. It's also owned by godaddy.com
  92.  
  93.  
  94. Registrant:
  95. Blizzard Entertainment
  96. P.O. Box 18979
  97. Irvine, California 92623
  98. United States
  99.  
  100. Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
  101. Domain Name: WOWADMIN.NET
  102. Created on: 12-Aug-03
  103. Expires on: 31-Jan-13
  104. Last Updated on: 29-Dec-11
  105.  
  106. Administrative Contact:
  107. Entertainment, Blizzard [email protected]
  108. P.O. Box 18979
  109. Irvine, California 92623
  110. United States
  111. +1.9499551382
  112.  
  113. Technical Contact:
  114. Entertainment, Blizzard [email protected]
  115. P.O. Box 18979
  116. Irvine, California 92623
  117. United States
  118. +1.9499551382
  119.  
  120. Domain servers in listed order:
  121. NS-WEST.CERF.NET
  122. NS-EAST.CERF.NET
  123.  
  124.  
  125. Registry Status: clientDeleteProhibited
  126. Registry Status: clientRenewProhibited
  127. Registry Status: clientTransferProhibited
  128. Registry Status: clientUpdateProhibited
  129.  
  130. Comparing battle.net and wowadmin.net, battle contains lots more content.
  131. Possibly thinking wowadmin.net is fake.
  132. -------------------------------------------------------------------------------------------------------------------------------------------
  133. # Google can be your friend.
  134.  
  135. # Googling Irvine, California 92623
  136.  
  137. You get blizzard address.
  138.  
  139. Example: http://orangecounty.citysearch.com/profile/572289/irvine_ca/blizzard_entertainment.html
  140.  
  141. # Googling wowadmin.net
  142.  
  143. BINGO - http://www.lancope.com/images/uploads/blog/6a010536b4f156970c011571f55525970b-700wi-lrg.jpg
  144.  
  145. Not just me who's been recieving spam!
  146.  
  147. So it seems to me that someone created wowadmin.net, somehow has a list of email address's that could be connected to wow.
  148. Or could be a potential MMORPG gamer.
  149.  
  150. So I guess it's time to find more about wowadmin.net hmm??
  151. -------------------------------------------------------------------------------------------------------------------------------------------
  152. # Last raw ip
  153.  
  154. Message-ID: <458130787.1329229976062.JavaMail.tomcat@kw1-admin-smtp-vip.wowadmin.net>
  155.  
  156. So still on wowadmin.net
  157. With a hefty ammount of sub domains. Time to start finding more about em.
  158. -------------------------------------------------------------------------------------------------------------------------------------------
  159. End of part 2.
  160. -------------------------------------------------------------------------------------------------------------------------------------------
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!