Skype account hijack technique may affect all users (skype.com)
265 points by dewey on Apr 28, 2013 | hide | past | web | favorite | 66 comments

It's interesting to see a social engineering proof of concept released in this way.

When my company conducts social engineering assessments, whether physical or remote, it always surprises the client to see how high their rates of failure are. We rarely hit below 40% of users willing to change their passwords for us on the phone, and usually more than half of the employees we email an arbitrary URL will enter their password on a cloned webmail portal.

Most security advisories we see are for software vulnerabilities, but it's interesting that "Ximer," the user who posted the linked forum advisory, seemed to map out exactly the information needed to conduct this attack.

Hopefully Skype takes swift action to require more identity verification so this attack doesn't become pervasive... but at the same time, it should be no surprise that "social engineering works."

> it should be no surprise that "social engineering works."

Is it really social engineering if the employees followed the Microsoft policy, however crappy it might be? I always thought social engineering is making someone break the policy by psychological tricks.

> Is it really social engineering if the employees followed the Microsoft policy

I'd say that the attack vector is still social engineering; the difference here is that the result is not based in policy failure.

Normally we recommend that clients require their employees to attend security awareness training, in order for them to understand social engineering risks and remind them to follow the correct policies that are put in place.

In this instance, however, there is no policy being broken. My summation of the issue would be that it is a policy failure being exploited by a social engineering attack vector.

If it's exploiting human factor vulnerability as opposed to software/hardware vulnerability, it is social engineering. It's like saying "this is not a vulnerability because our software does not have a buffer overflow - it just allows anybody who enters admin/admin as login/password to have full access". It's only worse if policies are so broken that you don't even have to violate them to get unauthorized access.

Am I reading this wrong, or does this guy run a DDoS service?

"Security Researcher, Hacker, Software Developer, http://www.hfempire.net - Cheap DDoS Tool, up to 35+ GBPS Attacks, Bypass DDoS Protection!"

Your assessment appears to be valid.

    *Boot Time:*
    *Concurrent Attacks:*
    *Discount Code:*
    *Total Price:   $10.99 USD*
A case of poetic justice if I've ever seen one.

I love it how every computer criminal now calls himself "security researcher". Muggers should start calling themselves "personal security researchers" and burglars should be "house security researchers".

Careful. This sentiment has also been used in the other direction, to suggest that people who inspect software for vulnerabilities, including software they've downloaded and run or purchased on hardware, are themselves epsilon from criminals.

There is a world of difference between downloading and testing for bugs and selling "cheap DDoS, bypass DDoS protection". One does not need to be extra careful to tell one from the other: the former is research, the latter is a lowlife criminal.

One person could do both, but usually people that excel at one rarely also excel at the other. There are some "mad scientists", but usually if a person is selling DDoS, his "research" benefits only one person - himself - and harms all the rest.

I'm just leery of attempts to redefine "security researcher" into deviance, since that's been a problem for my field for about 20 years now.

I think the legit researchers should be the first ones to make an effort to disassociate themselves from the types like this one. And not only by passively reminding "other types exist too" but by actively excluding criminals from their midst and being intolerant of such behavior. Offtopic for this discussion, I presume, but if we already ventured there...

At some point, it just becomes a matter of which color hat the person feels like wearing at the time.

Is it like saying if you rob somebody yesterday and don't rob anybody today, you're not a criminal anymore - you just wore a "criminal hat" yesterday? I don't think it works this way.

He does, and his service does as it claims.

I manage a school network and despite our ISP-provided "DDOS Protected" IPs, a single student with a spare $12 was able to keep us down for a week using that service.

Screw that guy.

Yeah. What an asshole. Almost makes me want to hijack his Skype account.

on the one hand. Ouch.

but on the other, I have to salute that clever little anarchist bastard you have over there.

Paying a couple of bucks to a criminal to wreak havoc on a school network is not really "clever". Not more "clever" than giving some drug addict money to beat up a teacher that was too strict, in his opinion, or pooping in a bag, leaving it on a teacher's porch, lighting it on fire and ringing the bell.

This is plain and simple vandalism, and should be treated as such, not congratulating the delinquent-in-the-making on being clever. If he wanted to be clever, he could build some useful software for the school and open-source it so other schools could use it too. That would be clever; this one is just malicious.

Hmm. All good points.

Wouldn't it be wonderful if kids were actually just responsible adults, only smaller?

Why did that sound so horrible all of a sudden?

I think you hid your point a little too well. If you tried to say that kids are not adults, I agree, but that makes telling them when they are wrong even more important, instead of encouraging them to be "clever" in such ways. When they make a mistake, it should be recognized as such, not treated as "yet another wonderful expression of their creativity and free spirit".

Kids are going to make trouble. Sure trouble is trouble, and we can sit here and decry how horrible it is, but it's their nature.

Kids need structure, they won't follow it. Sure that's a waste, and we can sit here and decry how short sighted it is, but it's their nature.

Some kids are more rambunctious than others. Sure that needs to be addressed, and we can sit here and decry how difficult that kid is making it on everyone, but it's their nature.

Does there ever come a point where we can just appreciate nature? I don't have to deal with the little shit, so I'm fine just watching the flowers bloom.

Make him sysadmin. That was the only way me and my classmates were reined in while in high school.

>Make him sysadmin.

Thereby incentivizing this behavior? I think not. Next thing you know, he'll imagegrab each and every mail account belonging to a female student.

Someone hacked my Skype account back last summer and took out a subscription to Guatemala.

Skype picked it up and locked me out of my account, but after that were quite frankly F All use: wouldn't refund the money, wouldn't give me any details as to where my account had been accessed from (citing privacy concerns!!!).

Furthermore they even left the fraudulent subscription in place until I cancelled it.

Don't leave money in a Skype account or hook it up to a credit card.

Similar story: Last summer I realized that a guy from India was using my Skype account at the same time as me. He was making a lot of phone calls to his girlfriend, and Skype was charging my bank account all the time. I noticed it once when he forgot to clear the history before logging out.

Ditto: Logged in to find a bunch of calls to Pakistan.

Not sure I trust this. A thread on a forum, where the first 20 posts are just two (sockpuppet?) users talking to each other in full support of each other.

And then he keeps saying "scammers have stolen hundreds of dollars from friends of mine through Skype." And "I've lost the trust of my customers". And the guy runs a DDOS service as his business.

If you hire someone to do DDOS for you, do you trust him?

If this is true, I'm glad it reached the front page of HN. Given all the popular services out there which we use with just enough trust to put our privacy in jeopardy, I'm glad a hole is being exposed in such a big service. Hopefully Skype changes their verification practices.

Skype is switching to use Microsoft Accounts, which have security questions and 2-factor auth. This vulnerability is only for people who haven't switched yet.

Haven't switched? You say that like Skype is actually forcing or even suggesting users switch. I just logged into my account. Aside from a 'Microsoft Accounts' button on the login screen, there isn't a single thing about MS Accounts let alone "you need to change your account!"

So, I'm going to wager this vulnerability affects about 99.99% of the users.

I've no idea if it's more like 10% or 90%, but I'm sure it's a lot lower than 99.99%.

People who used both Skype and MSN (Live Messenger) were shifted from MSN to Skype and now use their Microsoft account to connect to both lists of contacts in Skype. So it's not just for the geeky few who have set this up.

Second thought: last I checked, I could log in to Skype with both my old username and my Microsoft account, but my Skype username didn't allow me to view MSN contacts. So if that's still the case, then I guess this would affect 100% of people, even those who have made the switch.

I thought it was just merging the accounts? I log in with my Skype name, and can talk with all my MSN contacts there. All the 'switch' does is add your MSN contacts, and give you a second way to log in. As far as I can tell, this affects everybody.

> You say that like Skype is actually forcing or even suggesting users switch.

Actually, a while ago, while logging into Skype, I got a clear invitation to switch to a Microsoft account.

I ignored it at the time, but I'm reconsidering in light of the mentioned attack.

Edit: There doesn't seem to be any switching possible; you can only merge a Microsoft account with a Skype account.

A lot of people don't want MS accounts. And for good reasons.

Now they have good reason not to want either.

How many years has Microsoft owned Skype now?

Just over 2 years; they bought it May 10, 2011.

TL;DR: Social engineering attacks work. I was able to reset my Ameritrade account password by giving the support person the name of one of the stocks in my portfolio (along with some other basic identifying info).

> TL;DR: Social engineering attacks work.

They work against the service company you mean. This is not a normal vector. The company is supposed to be smart enough to not divulge their customer's accounts through social engineering.

> supposed to be smart enough

You should ask Kevin Mitnick about that :)

TD Waterhouse works the same way. I was actually surprised at how little information was asked of me when I phoned in.

Did you phone in on a landline from a place reasonably connected to your previously reported identity, such as your home?

You should never accept the caller id of a phone number that called you as identity verification. It is trivial for anyone with a VoIP line to set caller id to whatever they wish.

Exactly! Or the attacker can use a commercial service like spoofcard.com from any phone.

But the toll-free numbers that these kinds of services typically operate from have a different system which cannot be spoofed.

If you're calling from VoIP, the only information is what's passed in the SIP headers. Spoofing works, even to toll free numbers.

Source: I work in VoIP, handle hundreds of thousands of 1-800 numbers on my network, as well as a lot of calls to toll-free numbers.

This explains why the American Express automated prompt keeps telling me that "I can see the number you are calling from matches the number on your record" (or something like that). My first thought was how trivial it is to spoof the system. Apparently, they are more clever than I am.

In an unrelated incident, I was talking to T-Mobile when the phone got cut off. They called me back (which was amazing customer service), until the first thing he said was that he needed to authenticate that I was me. So I was supposed to give him the last four digits of my social. I tried to reason with him about why it was a bad idea but ended up thanking him and telling him that I'd call in at a later time.

I wrote this article (same title as HN post above) 27 Apr 2013 02:40 PDT.

Here it is in its entirety with updates as of ten minutes ago: http://www.zdnet.com/alert-skype-account-hijack-technique-ma...

I think there's a conflict of interest. If you're telling the truth, and they lock you out of your account, then they lose a customer. If an attacker is trying to steal your identity, you suffer much more than Skype.

Thanks for bringing this to my attention.

I can't see any conflict of interest. Skype would lose x>1 customers by mistakenly locking out one user who blogs about it. When in doubt you can tell the user the identity verification test didn't go well and ask for extra information about the account, for example checking the IPs.

I'm really curious in what legit situation this kind of "account recovery" would be needed.

Like you forgot your email address and/or password so you can't recover your Skype account that way?

There's plenty of ways people can lose access to the attached email address: signed up with a work email, then left the company; signed up with an ISP email, then switched ISPs; email provider went out of business; Google banned your account. It's useful to have a fallback for those cases.

With the little information Skype requires when signing up, I think a fallback option is just not feasible. If you left the company or your email provider went out of business, and you forgot to switch your email AND THEN you forgot your password??! Just sign up for a new Skype account...

Are there Skype alternatives which aren't so thoroughly dependent on a third party?

https://jitsi.org lets you do voice and video chat on top of XMPP. It's free software and runs on Win/Linux/Mac.

SpeakFreely. It's old but it just works.

Can anyone verify this story?

Something similar happened to a friend of mine 3 months ago, however I didn't have this much detail.

What I did know was that the person who took over his (my friend's) account didn't have his laptop or PC hacked but the hijacker used Skype support instead and involved, what I'm assuming, the same information that the OP's thread mentions.

Interestingly, there's no link to what the moderator was mentioning here:

"Dear All,

The post in question was deleted from this thread as the information was duplicate-posted elsewhere. The post did not directly contribute to the topic.

This thread has been escalated to those to whom I report.

Community Moderator"

I'm curious to find where that "elsewhere" is. I've never seen a legitimate case of posts being deleted because content was "duplicate-posted elsewhere." At the most, the thread will get locked with a link to wherever "elsewhere" resides.

A commenter after that, posting "1 hour ago" like you at the moment, says the information was on Skype alternatives.

I can just imagine the Skype forums having that as a high visibility pinned topic ^_^.

Haha! Good point. This would explain why they're trying to limit it to "elsewhere", presumably off their forums altogether.

Speaking of alternatives, I found Jitsi to be pretty good ( https://jitsi.org/ ) and best of all, it's Open Source. A friend of mine uses Viber, although it has had security hiccups lately.

No need to verify, it works. Trust me, trust this stranger from the Internet.

Hell! Even a bloody e-mail password reset is safer than THIS! Good thing I didn't decide to switch from MSN to Skype yet (and drop both) ... but now I've decided.

Across the globe, thousands of free software advocates are completely unaffected.

Good thing I don't use Skype.

"because Skype support didn't verify if the person owned the account or not, just wanted those 3 points mentioned above"

So, what? Is the author expecting Skype to just have some "does this person own the account" crystal ball? What do they want? If it's security questions, I don't consider those much of a solution because the questions tend to be very poor on the ratio of "things I can remember specifically" to "things people can't look up about me".

There is a huge difference between:

* poor security question, which is up to the user to choose

* poor account recovery policy, which is Microsoft's choice, is the same for all users and which the user cannot do anything about

One thing they could do is check if you're still logged in when you call up claiming to need account recovery.
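The thread makes two policy points that are easy to state but easy to get wrong in practice: caller ID proves nothing (over VoIP it is whatever the caller put in the SIP headers), and a support desk can check whether the account is still logged in before honoring a "I lost access" request. The following is an added example, not code from any commenter, from Skype or from Microsoft, that models an account-recovery decision as a small Python function. The account and request fields, the three knowledge questions and the thresholds are all assumptions made for the example; the page does not list Skype's actual "3 points".

```python
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical thresholds for this example, not any vendor's real policy.
KNOWLEDGE_QUESTIONS = 3       # look-up-able facts the agent asks for
MAX_RECENT_ATTEMPTS = 3       # recovery attempts allowed per account per day


@dataclass
class Account:
    """Constructed account record; field names are assumptions for the example."""
    username: str
    registered_email: str
    active_sessions: int          # live logins at the time of the call
    recent_recovery_attempts: int # attempts in the last 24 hours


@dataclass
class RecoveryRequest:
    """What the support agent learns during the call."""
    username: str
    knowledge_answers_correct: int   # how many of the KNOWLEDGE_QUESTIONS matched
    caller_id_matches_record: bool   # caller ID equals the phone number on file
    email_challenge_passed: bool     # caller proved control of the registered mailbox


def weak_policy(acct: Account, req: RecoveryRequest) -> bool:
    """Decision rule the thread criticizes: correct knowledge answers, or a
    matching caller ID, are treated as proof of ownership."""
    return (req.knowledge_answers_correct == KNOWLEDGE_QUESTIONS
            or req.caller_id_matches_record)


def hardened_policy(acct: Account, req: RecoveryRequest) -> Tuple[str, List[str]]:
    """Return (decision, reasons) where decision is 'allow', 'escalate' or 'deny'.

    Knowledge answers and caller ID only decide whether the conversation
    continues. The reset itself needs a signal an attacker can neither look
    up nor spoof, and the live-session check from the thread runs first."""
    reasons: List[str] = []

    # Caller ID carries no evidential weight: it is caller-supplied data.
    if req.caller_id_matches_record:
        reasons.append("caller ID match noted but ignored (spoofable)")

    # Knowledge answers are a screen, not authentication.
    if req.knowledge_answers_correct < KNOWLEDGE_QUESTIONS:
        reasons.append("knowledge answers incomplete")
        return "deny", reasons

    # Throttle repeated attempts against the same account.
    if acct.recent_recovery_attempts >= MAX_RECENT_ATTEMPTS:
        reasons.append("recovery attempts rate-limited; manual review")
        return "escalate", reasons

    # An active session contradicts "I lost access": verify in-app instead
    # of resetting credentials out from under whoever is logged in.
    if acct.active_sessions > 0:
        reasons.append(f"{acct.active_sessions} active session(s); verify via existing login")
        return "escalate", reasons

    # Only proof of control over the registered mailbox unlocks the reset.
    if req.email_challenge_passed:
        reasons.append("registered email challenge passed")
        return "allow", reasons

    reasons.append("no out-of-band proof; send challenge to registered email")
    return "escalate", reasons


if __name__ == "__main__":
    # Constructed scenario: a caller who knows the public facts and spoofs
    # caller ID, while the real owner is still logged in elsewhere.
    acct = Account("alice", "alice@example.com", active_sessions=1, recent_recovery_attempts=0)
    caller = RecoveryRequest("alice", knowledge_answers_correct=3,
                             caller_id_matches_record=True, email_challenge_passed=False)
    print("weak policy:", weak_policy(acct, caller))
    print("hardened policy:", hardened_policy(acct, caller))
```

Under the weak rule the request above is approved; under the hardened rule it is escalated because the account has a live session, and it would still not be approved even with no session until the registered-email challenge passes. The caller-ID line is kept only so the reasons list records that the signal was seen and deliberately discounted.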
