Hijackers are getting access to Xbox Live gaming accounts, credit cards and PayPal accounts with repeated calls to support staff, who are easy prey for social engineering stunts.
Going against Microsofts own privacy policy, Xbox Live telephone support personnel are giving away gamer tags based on made-up information. One gamer who requested anonymity shared with eWEEK a taped telephone conversation in which he called the Xbox Live phone support number on March 21 and wound up getting a valid gamer tag based on simply making up a name and the state in which he supposedly lives.
An excerpt of the conversation:
Gamer: “Im trying to link my gamer tag to Xbox Live so I can log in on the Internet and check my stats and stuff. For whatever reason, its saying my account information isnt right. Im trying to figure it out.”
On the recorded conversation, an Xbox Live support staffer asks for his tag, and the gamer gives her the legitimate tag of one of his friends who was on the conference call to Xbox Live with him. She tries the tag and informs him that “it wont come up.” After verifying the tag spelling, the support staffer asks if the gamer has a credit card associated with the account.
“I dont know it off the top of my head,” the gamer says.
The support staffer then asks the gamer to spell his last name. The gamer gives her a fictitious last name.
“OK, here we go,” she says. “What state do you live in?”
“Ohio,” he says—another fiction.
“In Wintersville?” she asks.
“Yes,” he answers.
“OK, [the gamer tag is] Purplehat,” she says.
At this point, the would-be hijacker would still need a credit card to access the account, but the gamer who recorded the support call said that given the information the support staffer had already provided, he was confident he could achieve enough information to break in after another few calls.
His experience backs up the modus operandi posted by the online gaming clan Infamous. It was posted here, but the site has been unavailable since the afternoon of March 21, after stories about the scam began to break. A screenshot of the hijacking recipe is below.
The gamers telephone conversation supports Infamous online description of its hacking method: “Its easy, you call 1800myxbox, pretend to be that person, make up a story about how your little brother put in the information on the account and it was all fake, blah blah blah, you might get one little piece of information per call, but then you keep calling and keep calling every time getting a little bit more information every time. Once you have enough information you can get the Password on the windows live ID Reset, they may tell you they cant, but its bull [obscenity], people at bungie CAN and WILL reset your password. Believe me. :)”
Microsoft issued a statement March 21 that suggested that the cause of compromised security is gamers themselves, who Microsoft officials said are likely being coerced into giving away personal information.
“Despite some recent reports and speculation, we want to reassure all of our 6 million Xbox Live members that we have looked into the situation and found no evidence of any compromise of the security of Bungie.net or our LIVE network,” the statement said. “There have been a few isolated incidents where malicious users have been attempting to draw personal information from unsuspecting users and use it to gain access to their LIVE account. We think this is a good time to remind our members that they should never give out any of their personal information.”
The statement went on to say that, to Microsofts knowledge, there has been no compromise of the Xbox Live network, nor has credit card or other personal information been exposed. The statement then suggests that gamers follow Microsofts conduct guidelines regarding giving out personal information.
Gamers have complained in Xbox Live forums not only of their accounts being hijacked but also of their credit cards and PayPal accounts getting maxed out.
Microsoft had not supplied a response by the time this story was posted.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.