In a pattern that is becoming more common, hackers are hijacking XBox Live accounts, then tricking them out with expansion modules and other add-ons before trying to resell them to unwitting third parties.
Recent XBox Live account hijacks are most likely the product of phishing and identity theft scams that happened outside of XBox Live, and that are aimed at reselling and profiting from the stolen accounts, according to Stephen Toulouse, Director of Xbox LIVE Policy and Enforcement.
In an interview with Threatpost, Toulouse said that Microsoft hasn’t found any evidence of a compromise of the XBox Live infrastructure, nor has it seen evidence of a flaw in FIFA 11 or FIFA 12, the games by Electronic Arts that media reports have linked to fraudulent in-game purchases. However, he said that the takeovers and illegal purchases fit a pattern of crime in which XBox Live accounts are taken over, tricked out with hot games and expansion packs and other features, then resold online.
The fraudulent activity affects a tiny sliver of Microsoft’s 35 million active XBox users – much less than one percent, Toulouse said. However, with such a large user base, even a small percent represents a lot of customers. Microsoft is continuing to investigate the incidents and takes any suspicious activity seriously, he said.
Toulouse said he does not know how the XBox Live accounts in question were hacked, but suspects that the compromises typically follow phishing attacks, in a variety of forms.
“They may send out a blast e-mail or create a Web site that promises them in on an exclusive beta for some blockbuster game,” Toulouse told Threatpost. “The gamer looks at that and doesn’t think of their gamer tag as an identity, so they might be induced to enter their password.”
In other cases, hackers take advantage of XBox Live users reusing passwords with other online accounts that have been compromised, Toulouse said. Gamers can be tricked into giving up passwords through social engineering, either online or within the XBox Live environment itself. In some cases, even XBox Live support staff are the targets of phishing scams by those who want to get access to valuable accounts, he said.
Once in control of an account, attackers find popular or “hot” games, load the account up with content for that game using available Live credits or the credit card on file, then try to resell it, Toulouse said. That would explain the focus on fraudulent purchases within FIFA 12, he said.
“We’ve seen the exact same situation in Call of Duty. It’s not specific to the title,” he said. Rather, the attacks are opportunistic – taking advantage of hype around a new game on XBox Live and a passionate fan base, then switching to a different target when the opportunity arises.
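The takeover-then-stock-up pattern Toulouse describes (a login the account has never seen before, followed by a burst of purchases on stored credit or a card on file) is something a platform's fraud team can look for in its own event logs. The following is an added illustration written for this article, not Microsoft's code or a description of how Xbox Live detection actually works; the event format, the gamertags, the countries and the thresholds are all constructed for the example.

```python
"""Flag accounts where a login from a never-before-seen country is followed
by a burst of purchases, the resale pattern described in the article.
Example code; event format and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal

# Constructed sample events (not real data). Fields:
# ISO timestamp, gamertag, event type, detail (country for logins, amount for purchases)
SAMPLE_EVENTS = [
    ("2011-10-10T18:02:00", "gamer_a", "login", "US"),
    ("2011-10-10T18:30:00", "gamer_a", "purchase", "9.99"),
    ("2011-10-11T19:05:00", "gamer_a", "login", "US"),
    ("2011-10-12T03:14:00", "gamer_b", "login", "US"),
    ("2011-10-13T04:01:00", "gamer_b", "login", "RO"),      # country never seen on this account
    ("2011-10-13T04:03:00", "gamer_b", "purchase", "59.99"),
    ("2011-10-13T04:04:00", "gamer_b", "purchase", "59.99"),
    ("2011-10-13T04:06:00", "gamer_b", "purchase", "14.99"),
    ("2011-10-13T04:09:00", "gamer_b", "purchase", "24.99"),
]

PURCHASE_WINDOW = timedelta(minutes=30)   # how long after the login we keep counting
MIN_PURCHASES = 3                         # burst size that triggers a flag


def parse(events):
    """Convert raw tuples to (datetime, tag, kind, detail), oldest first."""
    parsed = [(datetime.fromisoformat(ts), tag, kind, detail)
              for ts, tag, kind, detail in events]
    parsed.sort(key=lambda e: e[0])
    return parsed


def find_suspicious_sessions(events, window=PURCHASE_WINDOW, min_purchases=MIN_PURCHASES):
    """Return {gamertag: {country, purchases, total}} for accounts where a login
    from a country not previously seen on that account is followed by at least
    min_purchases purchases within window. Accounts with no login history are
    never flagged on their first login."""
    seen_countries = defaultdict(set)
    pending = {}   # tag -> (login time, new country, list of amounts so far)
    flagged = {}
    for ts, tag, kind, detail in parse(events):
        if kind == "login":
            if seen_countries[tag] and detail not in seen_countries[tag]:
                pending[tag] = (ts, detail, [])
            seen_countries[tag].add(detail)
        elif kind == "purchase" and tag in pending:
            login_ts, country, amounts = pending[tag]
            if ts - login_ts > window:
                del pending[tag]          # burst window closed without a flag
                continue
            amounts.append(Decimal(detail))
            if len(amounts) >= min_purchases:
                flagged[tag] = {
                    "country": country,
                    "purchases": len(amounts),
                    "total": sum(amounts, Decimal("0")),
                }
    return flagged


if __name__ == "__main__":
    for tag, info in find_suspicious_sessions(SAMPLE_EVENTS).items():
        print(f"{tag}: {info['purchases']} purchases totalling {info['total']} "
              f"within {PURCHASE_WINDOW} of first login from {info['country']}")
```

The rule deliberately ignores an account's very first login, since there is no baseline to compare against, and it only counts purchases inside the window so that a legitimate traveller who buys one game a week from a new country is not swept up. In practice the thresholds would be tuned against the platform's own purchase history, and a hit would feed a review queue or a step-up verification rather than an automatic ban.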
Toulouse said Microsoft hasn’t seen evidence of organized efforts to hijack and flip XBox Live accounts. Microsoft has done well, so far, to simply ban accounts that appear to have been hijacked and resold. Microsoft’s Terms of Service prevent the resale of XBox Live accounts. Still, he acknowledges that even a small number of incidents can fuel suspicion that XBox Live has been hacked, or that one of the platform’s games is leaking information on users.
“It’s a challenge sometimes – we strive for transparency, but we don’t want to aid the attackers. So we have to balance how much information we want to be able to give the customer to help them understand that we’re on (the problem), versus information that allows the attacker to know they’re on to us.”