Microsoft: XBox Live account theft was social engineering attack


Summary: Just a quick follow-up to my story from earlier this week about XBox Live accounts being hijacked in what was believed to be a breach at Microsoft's Bungie.net.



First, the official reaction from the Xbox team:

Despite some recent reports and speculation, I want to reassure all of our 6 million Xbox Live members that we have looked into the situation and found no evidence of any compromise of the security of the Xbox Live Network or Bungie.net. There have been a few isolated incidents where malicious users have been attempting to draw personal information from unsuspecting users and use it to gain access to their LIVE account. This is a good time to remind our members that they should never give out any of their personal information.

Microsoft's stance that this is a social engineering attack directly against users isn't sitting well with Kevin Finisterre, the security researcher who blew the whistle on the issue of hijacked accounts.

How is it that you audited ALL of Xbox Live and Bungie.net in one day but in seven days ya can't get back to me about one gamer tag?

Finisterre, one of the hackers behind the MOAB (Month of Apple Bugs) project, says he has taped (audio) evidence that Microsoft employees are being pretexted.  Rob Lemos at SecurityFocus has a detailed story on Finisterre's plight and the issue of social engineering plaguing XBox Live.

Finisterre has published audio clips of his telephone calls (.m4a) with XBox Live support where the company admits that nothing can be done to stop the account hijacking.

The group that claimed responsibility for the hijacked account claims it's very easy to trick Microsoft's telephone support staff into giving out personal information on users that could be used to get passwords reset.

On the "Infamous Clan" Web site, which is now offline, the group writes:

"Now you may be wondering how we get your information? It's easy, you call 18004myxbox, pretend to be that person, make up a story about how your little brother put in the information on the account and it was all fake, blah blah blah," the group boasts on its site.

"You might get one little piece of information per call but then you keep calling and keep calling every time getting a little bit more information every time.

"Once you have enough information you can get the Password on the windows live ID Reset, they may tell you they can't, but it's bullshit. People at Bungie CAN and WILL reset your password."
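The pattern the quoted post describes, one fact per call until a reset is granted, only works if partial answers are allowed to accumulate across calls. An added illustration (not Microsoft's or any real support desk's process) of a policy that closes that gap: every identity factor must be presented in a single call, partial answers never carry over, failed attempts are counted per account, and repeated failures push the account to out-of-band verification. The account record, factor names and call log are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed account record and call log (not real data).
ACCOUNTS = {
    "ExampleTag": {"email": "owner@example.com", "zip": "98052", "last4": "4242"},
}
CALLS = [
    # Same caller chips away one fact per call, as the quoted post describes.
    {"ts": "2007-03-20T10:00:00", "tag": "ExampleTag",
     "answers": {"email": "owner@example.com"}, "request": "disclose:zip"},
    {"ts": "2007-03-20T11:30:00", "tag": "ExampleTag",
     "answers": {"email": "owner@example.com", "zip": "98052"}, "request": "disclose:last4"},
    {"ts": "2007-03-21T09:15:00", "tag": "ExampleTag",
     "answers": {"email": "owner@example.com", "zip": "98052", "last4": "1111"},
     "request": "reset_password"},
    # Legitimate owner answers every challenge in one call, after the lock expires.
    {"ts": "2007-03-28T12:00:00", "tag": "ExampleTag",
     "answers": {"email": "owner@example.com", "zip": "98052", "last4": "4242"},
     "request": "reset_password"},
]

WINDOW = timedelta(days=7)   # how long failures and locks are remembered
MAX_FAILURES = 2             # failures within WINDOW before escalation

class SupportDesk:
    def __init__(self, accounts):
        self.accounts = accounts
        self.failures = defaultdict(list)  # tag -> timestamps of failed verifications
        self.locked = {}                    # tag -> time the account was escalated

    def fully_verified(self, tag, answers):
        # Every stored factor must match in the same call; partial answers never count.
        record = self.accounts.get(tag)
        if record is None:
            return False
        return all(answers.get(k) == v for k, v in record.items())

    def handle(self, call):
        ts = datetime.fromisoformat(call["ts"])
        tag = call["tag"]
        if tag in self.locked and ts - self.locked[tag] < WINDOW:
            return "escalate"   # phone channel closed; out-of-band verification only
        if not self.fully_verified(tag, call["answers"]):
            recent = [t for t in self.failures[tag] if ts - t < WINDOW] + [ts]
            self.failures[tag] = recent
            if len(recent) >= MAX_FAILURES:
                self.locked[tag] = ts
                return "escalate"
            return "denied"     # uniform refusal: no hint which factor was wrong
        return "allowed"

def run(desk, calls):
    return [desk.handle(c) for c in calls]
```

Running `run(SupportDesk(ACCOUNTS), CALLS)` yields a denial, two escalations, and one allowed reset for the fully verified call.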

How to steal an XBox Live account



Talkback

11 comments
  • SO WHY ARE YOU POSTING HOW TO DO THIS???

    So the site that is closed down that tells you how to do this is down, but ZDNet puts the information for everyone to have access.

    If the whole security breach was indeed someone calling for the information, then Microsoft needs to re-train their telephone support and not let them give the information unless they are sure the person they are talking to is the real person.
    shaun.watson
    • It forces them to change

      If it's all hush hush why would Microsoft change a thing?
      voska
  • Fraud

    Since when is outright fraud called 'social engineering'? Aren't we being a little bit too politically correct?
    jimdeli1
    • Social Engineering

      In point of fact, the term "social engineering" is a description of its function. It is not some attempt to soften the connotation of another word.

      From wikipedia:

      Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information.[1] While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and in most (but not all) cases the attacker never comes face-to-face with the victim.

      The term "social engineering" has been in circulation since, at least, the 90s, and those in the know do not find the word to be any less baneful than fraud.
      quietgenie
    • Because it's not fraud

      Social engineering is how they get the info. What they do with that info is commit fraud but it's the social engineering that gets the information to commit fraud.
      voska
    • It's both.

      "Fraud" is the legal charge. "Social Engineering" is a term for the mechanism they used to breach security. "Politically Correct" is a phrase people use when they don't understand what other people are talking about, but feel they need to complain.
      gurg13
  • Who uses XBox? I have a Wii and a PS3! (nt)

    NT
    nomorems
    • LOL!

      First, I think you're full of it. Tell you what. Take a photo of yourself in front of your PS3 and Wii giving me a peace sign and send it to marksashton@hotmail.com and I'll send you $20 in the mail. Honest to god I will.

      Second, who uses XBOX? Let's see...how about millions of people. XBOX 360 is outselling both Wii and PS3 by a decent margin. Since PS3 shipped XBOX 360 has outsold it. It's a better system and much cheaper. PS3 is a colossal failure. Too expensive and not compatible with many PS2 games. Sony is going to lower prices to try to save a sinking ship but my prediction is that Playstation has seen its best days.

      Now Wii is a different story. It's a great machine for kids and people who aren't really into games. I hope it will be a big success and think it will. But it will never be as dominant as XBOX is becoming.
      marksashton
      • I believe nomorems

        that he has PS3 and Wii as

        1. the people he knows who own XBox constantly complain how they can't find games for it as well as the issue where it constantly locks up or quits working.

        2. His cell phone / PDA are Linux and Palm based as the Windows software doesn't work and all the people he knows who do use it constantly complain that it locks up or quits working.

        3. He owns an iPod, but we'll give him that as it's understandable that it was the best on the market at the time he purchased it, but the people he knows who purchased a Zune constantly complain that it locks up or quits working.

        4. All his friends, family, and relatives would constantly complain that their Windows OS never worked from day one and they wished there was some alternative to it that they could switch to as Windows was too unproductive, so he switched EVERYONE over to Linux and they now say that they have never been happier

        5. Everyone at his work would constantly complain that their Windows OS never worked from day one and they wished there was some alternative to it that they could switch to as Windows was too unproductive, so he switched EVERYONE over to Linux, servers and desktops in no time and everyone there now says that they have never been happier (except for the people in the IT dept who got laid off as it only takes 1 person to administrate the entire network as opposed to the 15 they needed before when it was Microsoft based.)

        Ya know what? I think I agree with you, I think he's full of it.
        John Zern
  • Misrepresentation

    Misrepresentation is fraud, and someone posing as a person with a legitimate need to know is an imposter and may be criminally so. Obtaining the information under false pretenses.
    jimdeli1
  • account hacked..money stolen

    I just recently discovered over $600.00 charged to my checking account through Xbox Live. They told me that numerous accounts were opened under my card number, but they can't do anything for me at all because gaming points were purchased with my number...gaming points are not refundable...stolen or not....I find this to be the biggest wad of crap...I don't care what was bought...it could be toilet paper for all I care...they can plainly see it was theft and fraud...told me that it was plain to see, but in the end are not able to give me back my stolen money. I will fight this....how can they see it as theft and not make it right?? I know the lady I talked to today was understanding and also trying her best to help...it was her supervisor who said she couldn't... I don't understand how a system could be so flawed and Microsoft is not even trying to make it right. I understand they're the ones who got my money that someone else spent...but it never was theirs to begin with. It's just really a bunch of crap and it's sad that I'm going to have to fight to make a point....I don't care who stole my money or what they got for it....it is my money and Microsoft needs to give it back.
    lov2play