
New Skype Vulnerability Discovered

A new phishing attack demonstrated by the folks over at Secure Science allows hackers to gain access to a user's Skype client and then pose as a financial institution or proxy outbound calls.
Written by Dave Greenfield, Contributor

The technique is called "SkypeSkrayping" and is similar to a phishing attack, only a bit more interactive:

According to the report, attackers would only have to do the following:

[SkypeSkrayper: Hello, I apologize for the disruption, but this is a friendly reminder that Skype is having a special today. We are offering $25.00 extra credit in your SkypeOut account if you do "X". We will never ask you for your username or password over Skype Instant Messaging.

Victim: OK!]

That "X" can be many things, but it only requires that the user has logged into their web-based Skype account within the previous 30 minutes and then views another site, which may or may not be trusted depending on the security of that site.

That 30-minute window gives the attacker an opportunity to do something clever like this:

[SkypeSkrayper2: Hello, were you just contacted by someone promising 25.00 extra credit? This is the Skype Fraud Detection (SFD) department; we believe that your computer may be infected. We need you to go to this site to check for and eliminate the infection (X-Fake-Security-Site). As this is Skype-specific, anti-virus software cannot eliminate this threat. Note: the SFD will never request your Skype password.

Victim: OK!]

Then, according to the report, using either an inline frame ("iframe") or image ("img") tag on that site, attackers could:

  • add a specific call-forwarding number
  • grant the attacker the ability to receive the victim's incoming calls
  • obtain a Skype-To-Go number
  • grant the attacker access to the victim's voicemail, speed dial, and outbound calling via a spoofed caller ID
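These changes work because the browser attaches the victim's still-valid web-login cookie to whatever request an embedded image or frame triggers, whether or not the user intended the action (the cross-site request forgery pattern). The following is an added illustration, not code from the report or from Skype, contrasting a settings handler that trusts the cookie alone with one that also requires a POST, a same-origin Origin header and a per-session anti-CSRF token; the endpoint, field names and host are hypothetical.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str
    forwarding_number: str | None = None
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    params: dict
    origin: str | None  # browsers omit Origin on <img>/<iframe> GETs
SESSIONS: dict[str, Session] = {}
SITE_ORIGIN = "https://account.example"  # constructed host, not Skype's

def login(user: str) -> str:
    """Issue a session cookie (constructed login; a real site checks a password)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user=user)
    return sid

def set_forwarding_vulnerable(req: Request) -> bool:
    """Trusts the cookie alone, so a GET triggered by a third-party page succeeds."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None or req.path != "/forwarding":
        return False
    sess.forwarding_number = req.params.get("number")
    return True

def set_forwarding_hardened(req: Request) -> bool:
    """Also demands POST, a same-origin Origin header and the per-session token."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None or req.path != "/forwarding" or req.method != "POST":
        return False
    if req.origin != SITE_ORIGIN:
        return False
    if not secrets.compare_digest(req.params.get("csrf_token", ""), sess.csrf_token):
        return False
    sess.forwarding_number = req.params.get("number")
    return True

def cross_site_embed_request(sid: str, number: str) -> Request:
    """Request the victim's browser makes for an <img>/<iframe> on another site:
    the session cookie rides along, but no token and no same-origin Origin."""
    return Request("GET", "/forwarding", {"sid": sid}, {"number": number}, None)
```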

My contacts at Skype tell me the company's gurus are hunkered down working on resolving the problem.
