When my company conducts social engineering assessments, whether physical or remote, it always surprises the client to see how high their rates of failure are. We rarely hit below 40% of users willing to change their passwords for us on the phone, and usually more than half of the employees we email an arbitrary URL will enter their password on a cloned webmail portal.
Most security advisories we see are for software vulnerabilities, but it's interesting that "Ximer," the user who posted the linked forum advisory, seemed to map out exactly the information needed to conduct this attack.
Hopefully Skype takes swift action to require more identity verification so this attack doesn't become pervasive... but at the same time, it should be no surprise that "social engineering works."
Is it really social engineering if the employees followed the Microsoft policy, however crappy it might be? I always thought social engineering is making someone break the policy by psychological tricks.
I'd say that the attack vector is still social engineering; the difference here is that the result is not based on policy failure.
Normally we recommend that clients require their employees to attend security awareness training, in order for them to understand social engineering risks and remind them to follow the correct policies that are put in place.
In this instance, however, there is no policy being broken. My summation of the issue would be that it is a policy failure being exploited by a social engineering attack vector.
"Security Researcher, Hacker, Software Developer, http://www.hfempire.net - Cheap DDoS Tool, up to 35+ GBPS Attacks, Bypass DDoS Protection!"
*Total Price: $10.99 USD*
One person could do both, but usually people that excel at one rarely also excel at another. There are some "mad scientists", but usually if a person is selling DDoS his "research" benefits only one person - himself, and harms all the rest.
I manage a school network and despite our ISP-provided "DDOS Protected" IPs a single student with a spare $12 was able to keep us down for a week using that service.
Screw that guy.
But on the other, I have to salute that clever little anarchist bastard you have over there.
This is plain and simple vandalism, and should be treated as such, not congratulating the delinquent-in-making on being clever. If he wanted to be clever, he could build some useful software for the school and open-source it so other schools could use it too. That would be clever; this one is just malicious.
Wouldn't it be wonderful if kids were actually just responsible adults, only smaller?
Why did that sound so horrible all of a sudden?
Kids need structure; they won't follow it. Sure that's a waste, and we can sit here and decry how short-sighted it is, but it's their nature.
Some kids are more rambunctious than others. Sure that needs to be addressed, and we can sit here and decry how difficult that kid is making it on everyone, but it's their nature.
Does there ever come a point where we can just appreciate nature? I don't have to deal with the little shit, so I'm fine just watching the flowers bloom.
Thereby incentivizing this behavior? I think not. Next thing you know, he'll imagegrab each and every mail account belonging to a female student.
Skype picked it up and locked me out of my account, but after that they were quite frankly F All use: wouldn't refund the money, wouldn't give me any details as to where my account had been accessed from (citing privacy concerns!!!).
Furthermore they even left the fraudulent subscription in place until I cancelled it.
Don't leave money in a Skype account or hook it up to a credit card.
And then he keeps saying "scammers have stolen hundreds of dollars from friends of mine through Skype." And "I've lost the trust of my customers". And the guy runs a DDOS service as his business.
If you hire someone to do DDOS for you, do you trust him?
So, I'm going to wager this vulnerability affects about 99.99% of the users.
People who used both Skype and MSN (Live Messenger) were shifted from MSN to Skype and now use their Microsoft account to connect to both lists of contacts in Skype. So it's not just for the geeky few who have set this up.
Second thought: last I checked, I could log in to Skype with both my old username and my Microsoft account, but my Skype username didn't allow me to view MSN contacts. So if that's still the case, then I guess this would affect 100% of people, even those who have made the switch.
Actually, a while ago, while logging into Skype, I got a clear invitation to switch to a Microsoft account.
I ignored it at the time, but I'm reconsidering in light of the mentioned attack.
Edit: There doesn't seem to be any switching possible; you can only merge a Microsoft account with a Skype account.
They work against the service company, you mean. This is not a normal vector. The company is supposed to be smart enough to not divulge their customers' accounts through social engineering.
You should ask Kevin Mitnick about that :)
Source: I work in VoIP, handle hundreds of thousands of 1-800 numbers on my network, as well as a lot of calls to toll-free numbers.
In an unrelated incident, I was talking to T-Mobile when the phone got cut off. They called me back (which was amazing customer service) until the first thing he said was he needed to authenticate I was me. So I was supposed to give him the last four digits of my social. I tried to reason with him why it was a bad idea but ended up thanking him and telling him that I'd call in at a later time.
Here it is in its entirety with updates as of ten minutes ago:
Thanks for bringing this to my attention.
Like you forgot your email address and/or password, so you can't recover your Skype account that way?
What I did know was that the person who took over his (my friend's) account didn't have his laptop or PC hacked but the hijacker used Skype support instead and involved, what I'm assuming, the same information that the OP's thread mentions.
Interestingly, there's no link to what the moderator was mentioning here:
The post in question was deleted from this thread as the information was duplicate-posted elsewhere. The post did not directly contribute to the topic.
This thread has been escalated to those to whom I report.
I'm curious to find where that "elsewhere" is. I've never seen a legitimate case of posts being deleted because content was "duplicate-posted elsewhere." At the most, the thread will get locked with a link to wherever "elsewhere" resides.
I can just imagine the Skype forums having that as a high visibility pinned topic ^_^.
Speaking of alternatives, I found Jitsi to be pretty good ( https://jitsi.org/ ) and best of all, it's Open Source. A friend of mine uses Viber, although it has had security hiccups lately.
So, what? Is the author expecting Skype to just have some "does this person own the account" crystal ball? What do they want? If it's security questions, I don't consider those much of a solution because the questions tend to be very poor on the ratio of "things I can remember specifically" to "things people can't look up about me".
* poor security question, which is up to the user to choose
* poor account recovery policy, which is Microsoft's choice, is the same for all users, and which the user cannot do anything about