Managed to trace a WoW scammer

Nothxkbi
You know those usual emails you receive such as "Your account has been compromised, please login to confirm blah blah"

Well, I managed to trace one of these little buggers and he's not Chinese. Would I be in trouble if I posted his personal information here? :)
 
> You know those usual emails you receive such as "Your account has been compromised, please login to confirm blah blah"
>
> Well, I managed to trace one of these little buggers and he's not Chinese. Would I be in trouble if I posted his personal information here? :)

and now you want us to congratulate and stroke your ego ? :erm: :D
 
> and now you want us to congratulate and stroke your ego ? :erm: :D

Nope. It wasn't difficult. Most people are under the impression it's the Chinese, much like I was. It seems that there are many different countries involved and email addresses are sold off to various scammers via anon groups, perhaps dark areas of the internet where there is a mass exchange of information for cash.

I think it's partially beneficial and educational to realise that a large network is involved. I'm trying to give a little insight into the scamming world and how it seems to operate, at least from my perspective.
 
Name and shame!

I wouldn't be surprised if a lot of accounts are screwed over by Curse, the addon manager.
 
> Nope. It wasn't difficult. Most people are under the impression it's the Chinese, much like I was. It seems that there are many different countries involved and email addresses are sold off to various scammers via anon groups, perhaps dark areas of the internet where there is a mass exchange of information for cash.
>
> I think it's partially beneficial and educational to realise that a large network is involved. I'm trying to give a little insight into the scamming world and how it seems to operate, at least from my perspective.

lol association to think it's only Chinese :D. That's the same as saying only Nigerians do money scams...
 
> Name and shame!
>
> I wouldn't be surprised if a lot of accounts are screwed over by Curse, the addon manager.

Information is big cash. A list of a few hundred wow players seems to sell for thousands of dollars. The list passes on from one bidder to the next, each giving it a crack at your account for real money!

I did a 6 month stint in the debt recovery business some years back. It was the same system. Lists of thousands of debtors were passed from one agency to the next based on the highest bidder. They give the whole list a crack in order to gain some revenue and when they were satisfied, they sold the list to other debt recovery agencies. A debtor would be receiving post for the next 5 years about R500 he owed to Mr Price. You're just another email address.

> lol association to think it's only Chinese :D. That's the same as saying only Nigerians do money scams...

That was my impression yes. It was however very, very wrong.
 
I'm interested in what country and how you did it? :)
Oh do tell :p
 
I'm not entirely convinced the forum allows for posting of personal information but I will link the two email addresses the scam emails sourced from.

Greetings!
Recently, the problem of account invasion is getting worse and worse which cause enormous players’equipments and virtual
currency stolen. This severely damages the benefits of mass players, also causes our company lose a lot of customers.
Our company has to adopt some measures to safeguard our common benefits in order to strengthen the safety of mass
players'accounts, and firmly resist the account to be stolen again.Through our company's research and investigation to
[email protected] customers, we will make the following decisions: we launch a package of updated code strengthen
system and dynamic code protection card which can effectively prevent the accounts invaded. We will send this package of code
protection system to players free of charge.
Please open this connection:
http://www.battle.net/login.asp?ref...t/beta-profile.xml&app=bam&rhtml=y&rhtml=true
If your account passes the check successfully, we will send this package of dynamic code protection card to you in the form
of e-mail.
In 3 days after you receiving the e-mail, if you don't submit your information, we have right to freeze your account, every
player is obligated to protect the safety of the account. You must work together with us to be determined to crack down all
the behaviors of destroying games.
If you had already authenticator your account, please disregard this automatic notification.
Regards,
The World of Warcraft Support Team
Blizzard Entertainment



X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MztTQ0w9NA==
X-Message-Status: n
X-SID-PRA: [email protected]
X-SID-Result: Pass
X-AUTH-Result: PASS
X-Message-Info: H83ySVbTRY2oAOtd8GXGR5xL2JpVr+E93TPsO3+Ox7rbRLudJ3BAxoI0d+jPGx65okMbPHb+afp1kDRBu9EG5MQxQVo6pRm8xTaV4GntSLA=
Received: from blu0-omc4-s2.blu0.hotmail.com ([65.55.111.141]) by bay0-hmmc1-f12.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 5 Nov 2010 02:48:59 -0700
Received: from BLU0-SMTP32 ([65.55.111.135]) by blu0-omc4-s2.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 5 Nov 2010 02:48:55 -0700
X-Originating-IP: [222.247.141.219]
X-Originating-Email: [[email protected]]
Message-ID: <[email protected]>
Return-Path: [email protected]
Received: from tdeu ([222.247.141.219]) by BLU0-SMTP32.phx.gbl over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 5 Nov 2010 02:48:52 -0700
From: Blizzard Entertainment <Blizzard Entertainment>
To: <[email protected]>
Subject: World of Warcraft Account code protection
Date: Fri, 5 Nov 2010 17:48:45 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0F72_01D342B9.1F6BEF00"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-OriginalArrivalTime: 05 Nov 2010 09:48:52.0500 (UTC) FILETIME=[A778A540:01CB7CCE]
Sender: [email protected]

Just one more thing, when I hovered over my own email address which they linked in the message (which I edited ofc) it linked to a [email protected]. Anyway, use Google, FB or whatever other social site you want but I'm not really going to go into it. These guys tried to scam me so just be aware.
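An added example, not part of the original post: reading the quoted headers the way a mail analyst would, oldest `Received` hop first. The function names are hypothetical and the sample is a subset of the headers above; the result identifies the host that connected to Hotmail's SMTP server, not the person behind it.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Subset of the headers quoted in the post (redacted addresses left out).
RAW = """\
Received: from blu0-omc4-s2.blu0.hotmail.com ([65.55.111.141]) by bay0-hmmc1-f12.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
 Fri, 5 Nov 2010 02:48:59 -0700
Received: from BLU0-SMTP32 ([65.55.111.135]) by blu0-omc4-s2.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
 Fri, 5 Nov 2010 02:48:55 -0700
X-Originating-IP: [222.247.141.219]
Received: from tdeu ([222.247.141.219]) by BLU0-SMTP32.phx.gbl over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
 Fri, 5 Nov 2010 02:48:52 -0700
From: Blizzard Entertainment <Blizzard Entertainment>
Date: Fri, 5 Nov 2010 17:48:45 +0800

"""

HOP = re.compile(r"from\s+(\S+)\s+\(\[([0-9.]+)\]\)\s+by\s+(\S+)")

def received_chain(raw):
    """Return relay hops oldest-first as (helo_name, ip, receiving_host)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(m.groups())
    return hops[::-1]  # each relay prepends its header, so the last is oldest

def summarize(raw):
    msg = message_from_string(raw)
    chain = received_chain(raw)
    helo, ip, first_mta = chain[0]
    claimed = msg.get("X-Originating-IP", "").strip("[] ")
    sent = parsedate_to_datetime(msg["Date"])
    return {
        "client_ip": ip,            # host that handed the mail to Hotmail
        "client_helo": helo,        # self-reported name, trivially forged
        "first_mta": first_mta,
        "matches_x_originating_ip": ip == claimed,
        # Date is written by the sending client, so the offset is a hint only
        "sender_utc_offset_hours": sent.utcoffset().total_seconds() / 3600,
        "relay_hops": len(chain),
    }
```

Only the `Received` lines written by the provider's own servers are trustworthy; the HELO name, `Date` and `X-Mailer` come from the sending client.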
 
lol remind me never to hire you for tracing, that's hardly an earth-shattering find. Nor does it stipulate where this guy is from, and a Google search for that email address doesn't reveal anything spectacular. Hotmail account, there's your problem firstly ;)
 
Did you even search for these guys on FB?

Sorry I don't subscribe to **** like FB ;) And did you ever ponder to think that it could be that this guy's hotmail account could have been hijacked? :)
 
Not Chinese?

Explain hop 19 :)

Tracing route to 222.247.141.219 over a maximum of 30 hops

6 47 ms 6 ms 5 ms if-1-5.bb1.JSO-Johannesburg.as6453.net [216.6.55.49]
7 27 ms 27 ms 28 ms if-2-2-0.har1.KLT-CapeTown.as6453.net [41.206.164.1]
8 158 ms 157 ms 158 ms 195.219.214.33
9 364 ms 219 ms 223 ms if-11-0-0-1776.mcore3.LDN-London.as6453.net [195.219.195.93]
10 * 196 ms 212 ms Vlan62.icore1.LDN-London.as6453.net [195.219.83.1]
11 186 ms 184 ms 184 ms xe-10-2-2.edge3.London1.level3.net [4.68.63.105]
12 185 ms 186 ms 184 ms ae-34-52.ebr2.London1.Level3.net [4.69.139.97]
13 261 ms 269 ms 267 ms ae-43-43.ebr1.NewYork1.Level3.net [4.69.137.74]
14 261 ms 254 ms 267 ms ae-71-71.csw2.NewYork1.Level3.net [4.69.134.70]
15 260 ms 260 ms 261 ms ae-72-72.ebr2.NewYork1.Level3.net [4.69.148.37]
16 331 ms 323 ms 324 ms ae-2-2.ebr4.SanJose1.Level3.net [4.69.135.185]
17 329 ms 324 ms 325 ms ae-64-64.csw1.SanJose1.Level3.net [4.69.134.242]
18 352 ms 415 ms 429 ms ae-14-69.car4.SanJose1.Level3.net [4.68.18.6]
19 320 ms 319 ms 322 ms CHINA-TELEC.car4.SanJose1.Level3.net [4.71.114.102]
20 487 ms 487 ms 486 ms 202.97.51.213
21 486 ms 487 ms 485 ms 202.97.60.49
22 490 ms 484 ms 487 ms 202.97.33.229
23 495 ms 497 ms 492 ms 202.97.45.230
24 494 ms * 501 ms 61.137.2.170
25 497 ms 548 ms 496 ms 222.247.28.42
26 2975 ms 3037 ms 3143 ms 222.247.141.219

Likely, that the scammer is using an old unused email account that he/she/they has/have compromised.

Don't go posting people's details unless you know beyond a doubt that they are actually at fault and not just a victim.
 
Hop 19 is not in China, it's Level3 San Jose, pretty obvious. Could just be the company's router?

IP : 4.71.114.102 Neighborhood
Host : china-telec.car4.sanjose1.level3.net
Country : United States
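An added example, not from any poster: the hop 19 question settled from the trace itself, using the reverse-DNS labels and the round-trip times either side of it. The `parse` and `describe` helpers are hypothetical names and the input is a subset of the tracert lines quoted above.

```python
import re

# Hops copied from the tracert output quoted in the thread (subset).
TRACE = """\
17 329 ms 324 ms 325 ms ae-64-64.csw1.SanJose1.Level3.net [4.69.134.242]
18 352 ms 415 ms 429 ms ae-14-69.car4.SanJose1.Level3.net [4.68.18.6]
19 320 ms 319 ms 322 ms CHINA-TELEC.car4.SanJose1.Level3.net [4.71.114.102]
20 487 ms 487 ms 486 ms 202.97.51.213
24 494 ms * 501 ms 61.137.2.170
26 2975 ms 3037 ms 3143 ms 222.247.141.219
"""

LINE = re.compile(r"^\s*(\d+)\s+((?:(?:\d+ ms|\*)\s+){3})(.+)$")

def parse(trace):
    """Parse Windows tracert lines into dicts; hops with no replies are skipped."""
    hops = []
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rtts = [int(x) for x in re.findall(r"(\d+) ms", m.group(2))]
        if not rtts:
            continue
        target = m.group(3).strip()
        named = re.match(r"(\S+) \[([0-9.]+)\]$", target)
        host, ip = named.groups() if named else (None, target)
        hops.append({"hop": int(m.group(1)), "min_rtt": min(rtts),
                     "host": host, "ip": ip})
    return hops

def describe(hops, n):
    """Owner domain and site label from the PTR name, plus RTT deltas for hop n."""
    idx = next(i for i, h in enumerate(hops) if h["hop"] == n)
    h = hops[idx]
    labels = h["host"].lower().split(".") if h["host"] else []
    prev = hops[idx - 1] if idx > 0 else None
    nxt = hops[idx + 1] if idx + 1 < len(hops) else None
    return {
        "owner": ".".join(labels[-2:]) or None,   # who runs the router
        "site": labels[-3] if len(labels) >= 3 else None,
        # the leftmost label names the interface (here the peer it faces)
        "interface": labels[0] if labels else None,
        "delta_prev_ms": h["min_rtt"] - prev["min_rtt"] if prev else None,
        "delta_next_ms": nxt["min_rtt"] - h["min_rtt"] if nxt else None,
    }
```

For hop 19 the owner is `level3.net`, the site is `sanjose1`, and the round-trip time only jumps (by about 167 ms) at the next hop, which is where the path leaves San Jose.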
 
> lol remind me never to hire you for tracing, that's hardly an earth-shattering find. Nor does it stipulate where this guy is from, and a Google search for that email address doesn't reveal anything spectacular. Hotmail account, there's your problem firstly ;)

:eek: stroke ego++ :eek: :D

> Sorry I don't subscribe to **** like FB ;) And did you ever ponder to think that it could be that this guy's hotmail account could have been hijacked? :)

makes me think of the olden days and sending mail from shell accounts....
 