Hey, Pernaman, how's it going?
I checked the reason why SiteCheck is triggering all
http://us.battle.net/hearthstone/en/ links and it's due to its anomaly check.
Since malware doesn't have to follow any code styles, there are cases where the malicious code is appended to the header file before the <!DOCTYPE html> bracket (speaking of HTML5 guidelines).
On
http://us.battle.net/hearthstone/en/ there's a script tag before the
<script>
var expansion = "mean-streets-of-gadgetzan"
</script>
<!DOCTYPE html>
This script is causing SiteCheck to trigger the url as potentialy malicious.
It would be great if battle.net guys had this fixed (moving the script tag into the <html> part), I'll try to contact them to report this issue.
If not possible, we'll whitelist it.
Thank you for the report.
Fioravante Souza
Sucuri Malware Research Lead