Microsoft: XBox Live account theft was social engineering attack

Just a quick follow-up to my story from earlier this week about XBox Live accounts being hijacked in what was believed to be a breach at Microsoft's Bungie.net.

First, the official reaction from the Xbox team:

Despite some recent reports and speculation, I want to reassure all of our 6 million Xbox Live members that we have looked into the situation and found no evidence of any compromise of the security of the Xbox Live Network or Bungie.net. There have been a few isolated incidents where malicious users have been attempting to draw personal information from unsuspecting users and use it to gain access to their LIVE account. This is a good time to remind our members that they should never give out any of their personal information.

Microsoft's stance that this is a social engineering attack directly against users isn't sitting well with Kevin Finisterre, the security researcher who blew the whistle on the issue of hijacked accounts.

How is it that you audited ALL of Xbox Live and Bungie.net in one day but in seven days ya can't get back to me about one gamer tag?

Finisterre, one of the hackers behind the MOAB (Month of Apple Bugs) project, says he has taped (audio) evidence that Microsoft employees are being pretexted.  Rob Lemos at SecurityFocus has a detailed story on Finisterre's plight and the issue of social engineering plaguing XBox Live.

Finisterre has published audio clips of his telephone calls (.m4a) with XBox Live support where the company admits that nothing can be done to stop the account hijacking.

The group that claimed responsibility for the hijacked account says it is very easy to trick Microsoft's telephone support staff into giving out personal information on users, information that can then be used to get passwords reset.

On the "Infamous Clan" Web site, which is now offline, the group writes:

"Now you may be wondering how we get your information? It's easy, you call 18004myxbox, pretend to be that person, make up a story about how your little brother put in the information on the account and it was all fake, blah blah blah," the group boasts on its site.

"You might get one little piece of information per call but then you keep calling and keep calling every time getting a little bit more information every time.

"Once you have enough information you can get the password on the Windows Live ID reset, they may tell you they can't, but it's bullshit. People at Bungie CAN and WILL reset your password."

How to steal an XBox Live account
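The pattern the group describes, one piece of account data per call and then a reset request once enough has been collected, is exactly the kind of pattern a support desk's own ticket log can surface after the fact. The following is an added example, not code from the original post, from Microsoft or from Bungie; the log format, the gamertags, the phone numbers and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample support-desk log (hypothetical format, not real data).
# One line per call: timestamp, gamertag the caller asked about, the caller's
# phone number, what the agent did, and which account field was disclosed.
SAMPLE_LOG = """\
2007-03-20T10:02:00 gamertag=TagA caller_phone=555-0101 action=disclose field=email
2007-03-20T14:30:00 gamertag=TagA caller_phone=555-0102 action=disclose field=billing_zip
2007-03-21T09:15:00 gamertag=TagA caller_phone=555-0101 action=disclose field=dob
2007-03-22T11:40:00 gamertag=TagA caller_phone=555-0103 action=password_reset field=-
2007-03-20T12:00:00 gamertag=TagB caller_phone=555-0200 action=disclose field=email
2007-03-25T12:00:00 gamertag=TagB caller_phone=555-0200 action=password_reset field=-
"""


def parse_log(text):
    """Parse the constructed key=value log into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = {"ts": datetime.fromisoformat(ts)}
        for item in pairs:
            key, value = item.split("=", 1)
            rec[key] = value
        events.append(rec)
    return events


def find_harvesting(events, window=timedelta(days=7), min_fields=3):
    """Flag gamertags where a password reset was preceded, within `window`,
    by disclosure calls that together leaked at least `min_fields` distinct
    account fields. Returns {gamertag: details} for each hit."""
    by_tag = defaultdict(list)
    for event in events:
        by_tag[event["gamertag"]].append(event)

    alerts = {}
    for tag, evs in by_tag.items():
        evs.sort(key=lambda e: e["ts"])
        for i, event in enumerate(evs):
            if event["action"] != "password_reset":
                continue
            # Disclosure calls about this tag in the window before the reset.
            prior = [e for e in evs[:i]
                     if e["action"] == "disclose"
                     and event["ts"] - e["ts"] <= window]
            fields = {e["field"] for e in prior}
            if len(fields) >= min_fields:
                alerts[tag] = {
                    "reset_at": event["ts"],
                    "fields": sorted(fields),
                    "callers": sorted({e["caller_phone"] for e in prior}),
                    "calls": len(prior),
                }
    return alerts


if __name__ == "__main__":
    for tag, info in find_harvesting(parse_log(SAMPLE_LOG)).items():
        print(f"{tag}: {info['calls']} disclosure calls from "
              f"{len(info['callers'])} numbers leaked {info['fields']} "
              f"before reset at {info['reset_at']}")
```

In the constructed log, TagA matches the pattern (three fields leaked across three calls from two numbers, then a reset) while TagB, a single disclosure followed days later by a reset from the same number, does not. The thresholds are guesses; a real desk would tune the window and field count against its own ticket volume, and the more useful fix is upstream, since a verification policy that accepts facts the desk itself handed out on an earlier call cannot distinguish the owner from a persistent caller.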

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
