Beware of Phishing Scam - "GM Goldstein"

in Players Helping Players

Posted by: Project exa.3204

Hello peers,

I received a letter in my inbox from a player named “En Goldstein” who told me that my account was queued to be shut down due to “Currency transactions or abnormal login”.

I laughed at this, because I have no need for “currency transactions” of the illegitimate type since I can well afford the black lion gem store. There are no “abnormal logins” because Anet requires two-factor authentication from any IP address not previously on record. The thing that tickled me the most, though, was that I was advised to go to a website to “lift the restrictions” by going to a link that ends in .pw (which, for those not aware of how websites work… “.pw” is a domain, not a page).

Basically the link read something like [link redacted by mod]

Here is another problem with that, for those who are not cyber security professionals like myself. http:// <-- that is Hyper Text Transfer Protocol… which is not what Arena Net (or any legitimate company that handles account information) uses. For that you will always see “https://” (Hyper Text Transfer Protocol Secure) and if you don’t… WATCH OUT!!!! YOU’RE NOT USING THE INTERNET SECURELY.

Finally, what angered me was that he signed this letter “GM En Goldstein.”

Anet, I am not in the business of reporting players… but as a cyber security professional I am obliged to inform you and my peers of this phishing fraud. For most players, this isn’t an issue. The letter I got stated “This is from a player not a GM” and Chrome informed me that the page was a phishing scam… but hey, I’m a white hat… so I checked the page out anyway.

The attack is relatively lame… So lame in fact that I didn’t even need ScriptSafe because they were using straightforward HTML with 0 background scripts. It’s just a basic form, and once you click “Verify” you should understand that your information is being stashed on a server somewhere in China. In fact… I have the information on WHO this site belongs to. I would not normally think Mr. Lao Wang would be stupid enough to register a website with his real name… yet I also did not think somebody would be stupid enough to use a low-level phishing attack via a non-clickable link in a gw player’s inbox.

(edited by Moderator)
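
An added example, not part of the original post and not ArenaNet's own tooling: a link triage that applies the scheme check described above and also checks which host the link really points at, since a lookalike host can still be served over https. The official domain list and the sample URLs are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Assumption: domains the publisher is expected to use; not taken from the thread.
OFFICIAL_DOMAINS = {"guildwars2.com", "arena.net"}

# Constructed sample links (reserved .example names stand in for a scam host).
SAMPLES = [
    "https://account.arena.net/login",
    "http://account-check.example/verify",
    "https://guildwars2.com.account-check.example/",
    "https://guildwars2.com@account-check.example/",
]


def triage_link(url, official=OFFICIAL_DOMAINS):
    """Return the reasons a link from an in-game mail should not be trusted.

    An empty list only means "expected domain over HTTPS"; it is not proof
    that the page is safe.
    """
    reasons = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()

    if parts.scheme.lower() != "https":
        reasons.append("not https")
    if parts.username is not None:
        # Text before "@" is login info, not the host the browser contacts.
        reasons.append("userinfo before host")
    if not host:
        reasons.append("no host")
        return reasons
    if not host.isascii():
        reasons.append("non-ascii host")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host")
    # The host must be an official domain or a subdomain of one; a host that
    # merely contains the official name somewhere does not count.
    if not any(host == d or host.endswith("." + d) for d in official):
        reasons.append("host not on official list")
    return reasons


if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", triage_link(link) or "no flags")
```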

Posted by: RoseofGilead.8907

1. Don’t share links you know are scammy.

2. It’s a well-known scam. https://forum-en.gw2archive.eu/forum/game/gw2/Alert-In-Game-Mail-Scams/first

3. Report the mail and delete.

Posted by: Project exa.3204

1. The link in the post is not the actual scam link…I tried to replicate it, and ended up mashing my face on the keyboard near the end.

2. Glad Anet knows about it, I didn’t get the memo in my mailbox…only the letter.

3. Done, however… for the non-tech-savvy people at home: they can now better identify phishing scams both inside and outside of the game.

Posted by: Illconceived Was Na.9781

Thanks for posting, exa.

This scam has been around for a while and the critical thing people need to know is that the email wasn’t sent from a GM, as it states on the bottom of the email.

Plus, ANet doesn’t warn people — if they catch you doing something drastically against the rules, they suspend you or ban you and that’s the only notification they give.

John Smith: “you should kill monsters, because killing monsters is awesome.”

(edited by Illconceived Was Na.9781)

Posted by: Jornophelanthas.1475

ArenaNet has already taken measures to warn players against such scams, by adding the warning text: “This message was sent to you by another player” at the bottom of every in-game message sent by another player.
Also, any message sent by actual ArenaNet staff in-game will display the ArenaNet logo next to their name.

If you receive such a mail, click the “report” button on the message. This will notify ArenaNet of this fraudster’s activity and trigger an investigation into his/her account.

Posted by: Blude.6812

At least 3 stickies about this and it has been on the forum and happening for quite some time. Very old news as well, as at the bottom (as others have said) it clearly states not from anet. Report, delete and move on.
It’s funny though, some people visit the link anyway.

Posted by: Cassius.5084

Doesn’t take a rocket scientist to understand it’s a scam. What annoys me is that the OP included the link in the post.

Posted by: Darth Sylvanos.2496

I just got a similar one today and reported it. Different name and threat though. GM Rave Bowman. All players must beware. Thank you for posting this; I’m glad I’m not the only one this happened to.