Gone Phishing for Xbox LIVE Customers
Technorati Tag: Security Breach
Date Reported:
9/13/07
Organization:
Microsoft
Contractor/Consultant:
Xbox LIVE
Victims:
Xbox LIVE and Microsoft Passport customers
Number Affected:
Unknown
Types of Data:
Name, address, login, password, email address, birth date, gender, marital status, account number, billing statement, payment method and other Passport account details.
Breach Description:
Xbox LIVE customers are receiving phishing emails directed at obtaining Passport account login information
Reference URL:
Phishers target Xbox Live users
http://forums.xbox.com/ShowPost.aspx?PostID=15174146
Report Credit:
canada.com
Response:
From the online resources above:
"Phishing groups are targeting Xbox Live users, in an attempt to steal account and credit card information, according to Xbox forum members."
[Comfyllama] I have not received the phish in any of my email accounts yet, so I am not sure what information is requested on the phishing landing page yet. Thankfully, credit card information is not displayed in your Passport accounts so the phisher will not get a card number or CVV code. They could get this information if the landing page requests it and people comply however.
The text of the email:
"Subject: Changes To Your Xbox Live Account
From: Xbox Support []
Dear Xbox Live User,
We have made many changes to everyone's Xbox Live account, and we would like you to check out the new features! You can check out the new features by click on the link below to login and check them out!
Please check out your new features to your Xbox Live account!
https://www.xbox.com/signin/"
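The lure above shows a link whose visible text reads https://www.xbox.com/signin/ while the destination is a look-alike login page. One defensive check a mail gateway or user-education tool can run is to compare the host named in a link's visible text with the host in its actual href. The following is an added example, not code from the original post or from Microsoft; the sample email HTML and the placeholder host signin-example.invalid are constructed for illustration.

```python
# Added example (not from the original post): flag anchors in an HTML email whose
# visible text looks like a URL on one host but whose href points at another host.
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collects (href, visible_text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-case hostname of a URL; '' when the text is not a URL at all."""
    return (urlparse(url.strip()).hostname or "").lower()


def suspicious_links(html):
    """Return hrefs whose host differs from the host named in the visible link text."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown, real = host_of(text), host_of(href)
        # Only a visible URL can be compared; "click here" style text is skipped.
        if shown and real and shown != real:
            flagged.append(href)
    return flagged


# Constructed sample: the lure reads like the email quoted above, but the real
# destination is a placeholder host (signin-example.invalid), not the one displayed.
SAMPLE_EMAIL = """<p>Please check out your new features to your Xbox Live account!</p>
<a href="http://signin-example.invalid/xbox/">https://www.xbox.com/signin/</a>
<a href="https://www.xbox.com/support">https://www.xbox.com/support</a>"""

if __name__ == "__main__":
    print(suspicious_links(SAMPLE_EMAIL))
```

The check only catches display-text mismatches; a lure whose visible text is plain words still needs the usual host allow-listing and look-alike domain checks.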
"When users got to the site they were asked to log in using their Xbox Live username and password, which provided the criminals access to users' Passport information, which contains credit card, Hotmail, MSNBC, MSN, Xbox 360's Xbox Live, the .NET Messenger Service, Zune, MSN Expedia and Hoyts information."
"We will reimburse any customer whose account has been compromised in this fashion. If they have lost content such as Xbox Live Arcade games, we will provide the customer with replacement content at no charge." - Microsoft
[Comfyllama] This is what it says in the article referenced above, but I have found NO official Microsoft response. Take this for what it's worth until you get the word straight from Microsoft.
"This was not a failure of software technology. We want to reassure our customers that there has been no security breach of the Xbox LIVE network or of Bungie.net."
[Comfyllama] Not a failure of software technology, but a failure in consumer awareness and training. Users who fell for this (assuming there are some) should know better by now!
"Customers who have any concerns about their account should visit www.xbox.com/support, click on the link titled “Troubleshooting Access to your Xbox Live Account,” and perform the steps outlined there."
Commentary:
There is not a whole lot that Microsoft can do when customers fall for phishing scams beyond educating and communicating as much as possible. People will do what people will do. I would expect an "official" announcement soon and the most probable place would be at www.xbox.com/en-US/live/.
I am an avid Xbox LIVE user and I would not be surprised to get the email sometime soon. Users that are well versed in phishing scams and email best practices should be fine. Some good tips for you at www.antiphishing.org/consumer_recs.htm.
Past Breaches:
None