New Wave of Attacks Exploit Skype Support Team to Hijack Users’ Accounts
A Skype user by the handle Ximer had his account stolen six times in a single day by a group of cyber-crooks. According to a post by the victim on the Skype Community forum, the attackers repeatedly conned the Skype support team into handing them control over Ximer’s account.
To restore access to a lost account, the Skype support team asks the user to provide three to five of the account's Skype contacts, one e-mail address associated with the account and the account holder's first and last name. None of these is a secret: contacts, e-mail address and name are all readily known to anyone who has interacted with the victim, so an attacker with only minimal knowledge of the victim can abuse the process and ask support to hand over control of the account.
“Due to my account being stolen (not hacked) through Skype support (because Skype support didn’t verify if the person owned the account or not, just wanted those 3 points mentioned above) my account was used to scam people out of hundreds of dollars along with damaging my reputation for my product’s security due to thinking I had low security on my Skype account or email address, when in reality, it was Skype Support’s fault my account was stolen, multiple times, and had nothing to do with end-users (me in this case),” Ximer wrote.
It appears Ximer’s account was snatched by a spammer, who then used it to message the customers Ximer was in touch with on Skype, damaging his reputation with them.
Skype is not the only company to have shipped a weak account recovery mechanism. A couple of weeks ago, Apple was in a similar position because its password reset process did not properly validate the person requesting the reset.