A new kind of phishing: your Windows Live ID account sends out spam

Kaspersky Lab experts warn of a new phishing attack. Cybercriminals use the Windows Live ID as bait to steal personal information from user profiles in services such as Xbox LIVE, Zune, Hotmail, Outlook, MSN, Messenger and OneDrive.

Users receive messages warning that their Windows Live ID account is being used to send unsolicited e-mails and may be blocked. To avoid this, the message says, they should click the link and update their details in line with the service's new requirements. It sounds like the typical content of a phishing e-mail: the victim is expected to click a link that opens a fake login page, where users voluntarily "hand over" their logins, passwords and other confidential information to the attackers.

This time, however, it is different. Experts from Kaspersky Lab were surprised to find that the link in the cybercriminals' message led to the official Windows Live site, and that there was no attempt to harvest data from users.

What is the trick?

After clicking the link from the e-mail and successfully logging in to their account on the official live.com site, the user receives an unusual notification from the service. The message states that an application has requested permission to log in to the account automatically, to view the profile and contact list, and to access the user's list of personal e-mail addresses. The cybercriminals achieved this by abusing the OAuth open authorization protocol.

Users who click "Yes" do not give the attackers their login details, but they do give them access to personal information such as e-mail addresses, nicknames, and even the real names of their friends. The cybercriminals can also gain insight into other data, such as the victim's list of meetings and important events they intend to attend. All of this information can be used to carry out further scams and to impersonate other people.

"We have known about gaps in OAuth security for some time - at the beginning of 2014 a student from Singapore presented a method that allowed user data to be stolen after logging in to a given service. For the first time, however, we see this technique used in phishing e-mails sent by cybercriminals. The fraudster can use this procedure to create full user profiles, including information on what they do, who they meet, who their friends are, etc. These profiles can then be used for criminal purposes," said Andrei Kostin, senior content analyst, Kaspersky Lab.

Recommendations for users and application developers

Kaspersky Lab experts have prepared some tips that will help users protect themselves against phishing attacks that abuse the Live ID:

  1. Do not click links that appear in e-mails or private messages on social networks.
  2. Do not give unknown applications access to your personal data.
  3. Make sure you understand the permissions you give to each application.
  4. If you find that an app is sending spam or dangerous links on your behalf, report it to the administrator of the social network or online service involved, so that the dangerous application can be blocked quickly.
  5. Use antivirus software with built-in protection against phishing and make sure it is always up-to-date.

Developers of online applications that use the OAuth protocol should follow these recommendations:

  1. Avoid using open redirects on your pages.
  2. Create a white list of trusted addresses and use it for redirections made via the OAuth protocol. Otherwise fraudsters can chain a hidden redirect to a malicious site through an application whose "redirect_uri" parameter can be tampered with.
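One way an authorization server can apply the white-list recommendation above, as an added example that is not Kaspersky's or Microsoft's code: the client registration, the hostnames and the `authorize` helper are constructed for illustration. It contrasts a loose host-suffix check with exact matching of the full registered `redirect_uri`, and refuses to redirect at all when validation fails.

```python
"""Exact-match allow-listing of the OAuth redirect_uri parameter."""
from urllib.parse import urlparse

# Constructed sample registration: one client with one permitted callback.
REGISTERED_REDIRECTS = {
    "client-abc": {"https://app.example.com/oauth/callback"},
}
# The kind of wildcard/suffix rule the article warns against.
ALLOWED_DOMAIN_SUFFIX = "example.com"


def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Loose check: any host ending in the suffix passes, so an open
    redirect on a legitimate host, or a look-alike domain, gets through."""
    if client_id not in REGISTERED_REDIRECTS:
        return False
    host = urlparse(redirect_uri).hostname or ""
    return host.endswith(ALLOWED_DOMAIN_SUFFIX)


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Strict check: https only, no fragment, and the whole string must
    equal a URI registered for this client (no prefix or suffix matching)."""
    parsed = urlparse(redirect_uri)
    if parsed.scheme != "https" or parsed.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


def authorize(client_id: str, redirect_uri: str, code: str,
              check=strict_redirect_check):
    """Return the Location the user is sent back to with the auth code,
    or None: on an invalid redirect_uri the server must show an error page
    and never redirect to the unvalidated address."""
    if not check(client_id, redirect_uri):
        return None
    separator = "&" if urlparse(redirect_uri).query else "?"
    return f"{redirect_uri}{separator}code={code}"


if __name__ == "__main__":
    for uri in ("https://app.example.com/oauth/callback",
                "https://app.example.com/go?next=https://attacker.test/",
                "https://attackerexample.com/oauth/callback"):
        print(uri, weak_redirect_check("client-abc", uri),
              strict_redirect_check("client-abc", uri))
```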

source: Kaspersky Lab
