How to find out who to blame for your account being hacked
... besides yourself, that is.
There have been some AION phishing mails floating around recently, courtesy of AionSource's admins not being that good with computer security, apparently. As some people noticed, this was a rather ridiculous attempt, but I've seen much better ones already - and I'm sure you have as well.
But no worries - you can find out who to blame, too! Well, or at least who to contact about the phishing site on their network. Who knows, they might even take the site down quickly (actually, if whoever is hosting the site is in western Europe or North America, the chances are pretty good). So, grab your good old Linux machine (if you don't have one, boot any computer with a Linux Live CD and get comfortable with using a terminal) and get to it.
I'll use the domain from the above-mentioned phishing mails, ncsoft-support (dot) com, mostly because it's an easy target.
For starters, we're going to find out a very basic piece of information: Where is the web site located? For that, you can use a multitude of tools, with the simplest one being "ping" (it works even on Windows!). Just type in: "ping (domainname)" in the terminal, and it should tell you what IP address (in this case, 98.126.22.195) it's trying to reach, if the IP address is reachable, and how long it takes, in milliseconds. Personally, I prefer the much more informative "dig", which allows you to really dig into a domain's name service information (pardon the pun).
With the IP address, we can try to find out who it belongs to. The command line tool for this is called simply "whois", and typing "whois 98.126.22.195" prints out something like this:
[Querying whois.arin.net]
[Redirected to rwhois.vpls.net:4321]
[Querying rwhois.vpls.net]
[rwhois.vpls.net]
%rwhois V-1.5:003eff:00 rwhois.vpls.net (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:NETBLK-WANTWEB-98.126.22.192/27
network:Auth-Area:98.126.0.0/16
network:Network-Name:WANTWEB-98.126.22.192-27
network:IP-Network:98.126.22.192/27
network:IP-Network-Block:98.126.22.192 - 98.126.22.223
network:Organization;I:want_web
network:Admin-Contact;I:VPLS
network:Tech-Contact;I:hostmaster@vpls.net
network:Abuse-Contact;I:abuse@vpls.net
network:Created:20080912
network:Updated:20080912
network:Updated-By:hostmaster@vpls.net
%referral rwhois://root.rwhois.net:4321/auth-area=.
%ok
We're kind of lucky here, since the e-mail address to contact is already listed: abuse@vpls.net. But whois can do more. In particular, typing "whois vpls.net" can give you information about who the company hosting the site is, which can give you an idea of how likely it is they will take it down when informed. In this case, its output is ...
Registrant:
VPLS, Inc.
1744 W. Katella Avenue
Suite 200
Orange, California 92867
United States
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: VPLS.NET
Created on: 23-Jan-02
Expires on: 23-Jan-13
Last Updated on: 19-Dec-07
Administrative Contact:
Engineering, Systems support@krypt.com
VPLS, Inc.
1744 W. Katella Avenue
Suite 200
Orange, California 92867
United States
+1.7149939997 Fax -- +1.7142427461
(...)
I skipped a few records which weren't all that interesting, or redundant.
As it happens, the web site was hosted on a Californian company's machine. Consequently, it's been taken down already - but beware, the phishers won't give up so easily. It might re-appear on another machine soon.
As a side note, I'm pretty sure there are web-based "whois" sites somewhere, but if you are interested in doing any computer or network security work ... better get used to the command line.
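An added example, not part of the original post: a small shell filter that pulls the abuse contact out of whois output so you don't have to read the whole record. It handles the rwhois "Abuse-Contact" field from the output above and goes one step further by also recognising ARIN's "OrgAbuseEmail:" and RIPE's "abuse-mailbox:" fields; the function name abuse_contacts and the example.net sample are made up for illustration.

```shell
#!/bin/sh
# Added example: extract abuse-contact e-mail addresses from whois/rwhois text.
# Live usage (needs network access and the whois client):
#   whois 98.126.22.195 | abuse_contacts

abuse_contacts() {
    # Reads whois output on stdin, prints unique abuse addresses, one per line.
    # Only lines whose field name marks an abuse contact are considered, so
    # tech/admin addresses (hostmaster@..., support@...) are not reported.
    #   network:Abuse-Contact;I:   rwhois, as in the output above
    #   OrgAbuseEmail:             ARIN
    #   abuse-mailbox:             RIPE-style databases
    grep -i -E '^[[:space:]]*(network:Abuse-Contact(;I)?|OrgAbuseEmail|abuse-mailbox):' |
        grep -o -E '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' |
        tr '[:upper:]' '[:lower:]' |
        sort -u
}

# Lines taken from the rwhois reply for 98.126.22.195 shown above.
SAMPLE_RWHOIS='network:IP-Network:98.126.22.192/27
network:Organization;I:want_web
network:Admin-Contact;I:VPLS
network:Tech-Contact;I:hostmaster@vpls.net
network:Abuse-Contact;I:abuse@vpls.net
network:Updated-By:hostmaster@vpls.net'

# Constructed ARIN-style sample (placeholder values, not real registry data).
# The same address appears twice with different capitalisation on purpose.
SAMPLE_ARIN='OrgTechEmail:  noc@example.net
OrgAbuseEmail:  Abuse@Example.NET
OrgAbuseEmail:  abuse@example.net'

# Offline demonstration on the embedded samples.
printf '%s\n' "$SAMPLE_RWHOIS" | abuse_contacts
printf '%s\n' "$SAMPLE_ARIN" | abuse_contacts
```

If the filter prints nothing, the registry did not publish a dedicated abuse address and you are back to reading the record by hand.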