March 22nd, 2007

Microsoft: XBox Live account theft was social engineering attack

Posted by Ryan Naraine @ 6:46 am

Categories: Browsers, Data theft, Hackers, Microsoft, Privacy, Responsible disclosure, Vulnerability research

Tags: Xbox Live, Microsoft Corp., Microsoft Xbox, Attack, Ryan Naraine

Just a quick follow-up to my story from earlier this week about XBox Live accounts being hijacked in what was believed to be a breach at Microsoft's Bungie.net.

First, the official reaction from the Xbox team:

Despite some recent reports and speculation, I want to reassure all of our 6 million Xbox Live members that we have looked into the situation and found no evidence of any compromise of the security of the Xbox Live Network or Bungie.net.  There have been a few isolated incidents where malicious users have been attempting to draw personal information from unsuspecting users and use it to gain access to their LIVE account.  This is a good time to remind our members that they should never give out any of their personal information.

Microsoft's stance that this is a social engineering attack directly against users isn't sitting well with Kevin Finisterre, the security researcher who blew the whistle on the issue of hijacked accounts.  

How is it that you audited ALL of Xbox Live and Bungie.net in one day but in seven days ya can't get back to me about one gamer tag?

Finisterre, one of the hackers behind the MOAB (Month of Apple Bugs) project, says he has taped (audio) evidence that Microsoft employees are being pretexted.  Rob Lemos at SecurityFocus has a detailed story on Finisterre's plight and the issue of social engineering plaguing XBox Live.

Finisterre has published audio clips of his telephone calls (.m4a) with XBox Live support where the company admits that nothing can be done to stop the account hijacking.

The group that claimed responsibility for the hijacked account claims it's very easy to trick Microsoft's telephone support staff into giving out personal information on users that could be used to get passwords reset.

On the "Infamous Clan" Web site, which is now offline, the group writes:

"Now you may be wondering how we get your information? It's easy, you call 18004myxbox, pretend to be that person, make up a story about how your little brother put in the information on the account and it was all fake, blah blah blah," the group boasts on its site.

"You might get one little piece of information per call but then you keep calling and keep calling every time getting a little bit more information every time.

"Once you have enough information you can get the Password on the Windows Live ID reset, they may tell you they can't, but it's bullshit. People at Bungie CAN and WILL reset your password."

How to steal an XBox Live account

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.
account hacked..money stolen
I just recently discovered over $600.00 charged to my checking account through Xbox Live. They told me that numerous accounts were opened under my card number, but they can't do anything for me at all bec... (Read the rest)
Posted by: lov2play Posted on: 07/18/07